{
	"id": "22ec939c-d9e5-43f1-8ce5-222a161939a7",
	"created_at": "2026-04-06T00:14:03.172288Z",
	"updated_at": "2026-04-10T03:36:08.280875Z",
	"deleted_at": null,
	"sha1_hash": "82a50da1e4ef5ced8a98dbbc5b5636b785fea6b5",
	"title": "Hackers Spearphish Professionals on LinkedIn with Fake Job Offers, Infecting them with Malware, Warns eSentire",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 297249,
	"plain_text": "Hackers Spearphish Professionals on LinkedIn with Fake Job Offers, Infecting them with Malware, Warns eSentire\r\nArchived: 2026-04-05 17:12:39 UTC\r\nSummary\r\neSentire, a leading cybersecurity solutions provider, is warning enterprises and individuals that a hacking group is spearphishing business professionals on LinkedIn with fake job offers in an effort to infect them with a sophisticated backdoor Trojan. Backdoor Trojans give threat actors remote control over the victim’s computer, allowing them to send, receive, launch and delete files.\r\neSentire’s research team, the Threat Response Unit (TRU), discovered that hackers are spearphishing victims with a malicious zip file named after the job position listed on the target’s LinkedIn profile. For example, if the LinkedIn member’s job is listed as Senior Account Executive—International Freight, the malicious zip file would be titled Senior Account Executive—International Freight position (note the “position” added to the end). Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs. Once loaded, the sophisticated backdoor can download additional malicious plugins and provide hands-on access to the victim’s computer. The threat group behind more_eggs, Golden Chickens, sells the backdoor under a malware-as-a-service (MaaS) arrangement to other cybercriminals. Once more_eggs is on the victim’s computer system, Golden Chickens’ seedy customers can go in and infect the system with any type of malware: ransomware, credential stealers, banking malware, or simply use the backdoor as a foothold into the victim’s network so as to exfiltrate data.\r\nWhat Risk Does the More_Eggs Backdoor Pose to Organizations and Business Professionals?\r\n“What is particularly worrisome about the more_eggs activity is that it has three elements which make it a formidable threat to businesses and business professionals,” said Rob McLeod, Sr. Director of the Threat Response Unit (TRU) for eSentire. They are:\r\n1. It uses normal Windows processes to run, so it is not typically going to be picked up by anti-virus and automated security solutions, so it is quite stealthy.\r\n2. Including the target’s job position from LinkedIn in the weaponized job offer increases the odds that the recipient will detonate the malware.\r\n3. Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times.\r\nThese three elements make more_eggs, and the cybercriminals which use this backdoor, very lethal.”\r\nhttps://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire\r\nPage 1 of 6\r\nMore_Eggs Attack Steps\r\nIn the spearphishing incident, which the TRU team disrupted, the target was a professional working in the healthcare technology industry. Upon downloading and executing the alleged job file, the TRU team saw that the victim unwittingly executed VenomLNK, an initial stage of more_eggs. By abusing Windows Management Instrumentation, VenomLNK enables the malware’s plugin loader, TerraLoader, which then hijacks legitimate Windows processes, cmstp and regsvr32 (see Image 1). While TerraLoader is being initiated, a decoy Word document is presented to the victim. The document is designed to impersonate a legitimate employment application (see Image 2), but it serves no functional purpose in the infection. It is merely used to distract the victim from the ongoing background tasks of more_eggs. TerraLoader then installs msxsl in the user’s roaming profile and loads the payload, TerraPreter, an ActiveX control (.ocx file) downloaded from Amazon Web Services. At this point, TerraPreter begins beaconing to a Command \u0026 Control server (C2) via the rogue copy of msxsl. The beacon signals that the more_eggs backdoor is ready for Golden Chickens’ customer to log in and begin carrying out their goal, whether it is to infect the victim with additional malware, such as ransomware, or to get a foothold into the victim’s network so as to exfiltrate data. eSentire’s security analysts disrupted the operation, and the TRU began investigating.\r\nWhat Makes More_Eggs So Stealthy\r\nMore_eggs maintains a stealthy profile by abusing legitimate Windows processes and feeding those processes instructions via script files. Additionally, campaigns using the MaaS offering appear to be sparse and selective in comparison to typical malspam distribution networks. Because of the stealth and spearphishing capabilities of the more_eggs operation, the Golden Chickens threat group enjoys patronage from notable advanced threat groups, such as FIN6, Cobalt Group and Evilnum.\r\nWho is the Cybercriminal Gang Behind the Current LinkedIn Spearphishing Activity?\r\nThus far, the TRU team has not discovered forensics indicating the identity of the hacking group which is trying to spearphish the LinkedIn members. However, as mentioned, this malware-as-a-service has been used by three notable threat groups: FIN6, Cobalt Group and Evilnum.\r\nWhat are the Hackers After?\r\nSince this spearphishing attack was disrupted, the TRU team cannot know with certainty what the end game is for this incident. What we do know is that this current activity mirrors an eerily similar campaign which was reported in February 2019, where U.S. retail, entertainment and pharmaceutical companies which offer online shopping were targeted. The threat actors went after employees of these companies with fake job offers, cleverly using the job title listed on their LinkedIn profiles in their communications to the employees. Similar to the current incident, they also used malicious email attachments, and if the target clicked on the attachment, they got hit by more_eggs.\r\nConnection Between FIN6, Evilnum, Cobalt Group and More_Eggs\r\nFIN6: FIN6 is a financial cybercrime group that primarily steals payment card data and sells it on underground marketplaces. The FIN6 group first gained notoriety in 2014 for their attacks against point-of-sale (POS) machines in retail outlets and hospitality companies. Continuing their quest for credit and debit card data, they later moved on to targeting e-Commerce companies and stole their credit card data via online skimming. The FIN6 threat group has also been known to infect some of their victims with ransomware.\r\nInterestingly, researchers reported in Feb. 2019 that FIN6 was specifically targeting numerous e-Commerce companies and using malicious documents to infect their targets with more_eggs as the initial phase of their attack. This could be the same campaign that was reported in Feb. 2019 and which we previously mentioned, in which threat actors were observed attacking retail, entertainment and pharmaceutical companies’ online payment systems and using malicious documents, laden with more_eggs, to target the companies’ employees. Of course, it could be a separate campaign entirely. However, what we do know is that the same targets (eCommerce companies) and tools (more_eggs) appeared in both reported attack campaigns.\r\nLater that year, in August 2019, security researchers found that the FIN6 group began another malicious campaign. The researchers believe the FIN6 threat actors were actively going after multinational organizations. Similar to the current incident, FIN6 spearphished specific employees with fake job offers. If the targets fell for the lure, they too were infected with the more_eggs backdoor.\r\nEvilnum: The Evilnum cybercrime group is best known for compromising financial technology companies, companies that provide stock trading platforms and tools. Their target is financial information about the targeted FINTECH companies and their customers. They target items such as spreadsheets and documents with customer lists, investments and trading operations, and credentials for trading software/platforms. Coincidentally, the Evilnum group is also known to spearphish employees of the companies they are targeting and enclose malicious zip files. If executed, the employees get hit with the more_eggs backdoor, along with other malware.\r\nCobalt Group: The Cobalt Group is also known to go after financial companies, and it has repeatedly used the more_eggs backdoor in its attacks.\r\nWhat is the Victim’s Industry?\r\nThe LinkedIn member is in the healthcare technology sector.\r\nImage 1: An outline of how the more_eggs backdoor behaves once it is initiated by the victim.\r\nImage 2: Word document which poses as an employment application and is served up to the business professional once they download the zip file which alleges to be a job offer.\r\nIndicators\r\nC2 beacon: d27qdop2sa027t.cloudfront[.]net\r\nDownload Server: ec2-13-58-146-177.us-east-2.compute.amazonaws[.]com\r\n.zip hash: 776c355a89d32157857113a49e516e74\r\nIpconfig: cmd /v /c ipconfig /all \u003e \"C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\64813.txt\" 2\u003e\u00261\r\nregsvr32 /s /u \"C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\\u003cREDACTED\u003e.ocx”\r\nsh = new ActiveXObject(\"Shell.Application\")\r\nsh.ShellExecute(\"msxsl.exe\", \"\u003cREDACTED\u003e.txt \u003cREDACTED\u003e.txt\", \"C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\\", \"\", 0)\r\nevlinum js: C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\57930.ocx\r\nSource: https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire"
	],
	"report_names": [
		"hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434443,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82a50da1e4ef5ced8a98dbbc5b5636b785fea6b5.pdf",
		"text": "https://archive.orkl.eu/82a50da1e4ef5ced8a98dbbc5b5636b785fea6b5.txt",
		"img": "https://archive.orkl.eu/82a50da1e4ef5ced8a98dbbc5b5636b785fea6b5.jpg"
	}
}