{
	"id": "a0eaceb5-38d1-4e3b-be5d-bc0c38258a13",
	"created_at": "2026-04-06T00:06:37.564196Z",
	"updated_at": "2026-04-10T13:12:47.950039Z",
	"deleted_at": null,
	"sha1_hash": "7dc2bd763aeebf0ddffeaafa932703edd3292a66",
	"title": "VenomLNK (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42347,
	"plain_text": "VenomLNK (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:12:14 UTC\r\nwin.venom_lnk\r\nVenomLNK\r\nVenomLNK is the initial phase of the more_eggs malware-as-a-service. It is a poisoned .lnk file that depends on User Execution and points to LOLBINs (often cmd.exe) with additional obfuscated scripting options. This typically initiates WMI abuse and TerraLoader, which can load additional functionality through various plugins.\r\nReferences\r\n2023-01-24 ⋅ eSentire ⋅ Joe Stewart, Keegan Keplinger\r\nUnmasking Venom Spider\r\nMore_eggs TerraPreter TerraLoader VenomLNK\r\n2022-04-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)\r\nHackers Spearphish Corporate Hiring Managers with Poisoned Resumes, Infecting Them with the More_Eggs Malware, Warns eSentire\r\nMore_eggs TerraLoader VenomLNK\r\n2021-04-05 ⋅ eSentire ⋅ eSentire\r\nHackers Spearphish Professionals on LinkedIn with Fake Job Offers, Infecting them with Malware, Warns eSentire\r\nMore_eggs TerraPreter TerraLoader VenomLNK\r\n2020-07-20 ⋅ QuoIntelligence\r\nGolden Chickens: Evolution of the MaaS\r\nMore_eggs TerraLoader TerraStealer VenomLNK\r\n2020-01-27 ⋅ QuoScient ⋅ QuoScient\r\nThe Chicken Keeps Laying New Eggs: Uncovering New GC MaaS Tools Used By Top-tier Threat Actors\r\nTerraRecon TerraStealer TerraTV VenomLNK\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_lnk",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_lnk"
	],
	"report_names": [
		"win.venom_lnk"
	],
	"threat_actors": [
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7dc2bd763aeebf0ddffeaafa932703edd3292a66.pdf",
		"text": "https://archive.orkl.eu/7dc2bd763aeebf0ddffeaafa932703edd3292a66.txt",
		"img": "https://archive.orkl.eu/7dc2bd763aeebf0ddffeaafa932703edd3292a66.jpg"
	}
}