{
	"id": "694b3ba7-af3f-43d6-98ee-c4a3ce7f9620",
	"created_at": "2026-04-06T00:17:00.510478Z",
	"updated_at": "2026-04-10T03:36:08.296511Z",
	"deleted_at": null,
	"sha1_hash": "b51d66be60248583778758029eb155f676b1e77e",
	"title": "GOLDEN CHICKENS: Evolution of the MaaS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 798396,
	"plain_text": "GOLDEN CHICKENS: Evolution of the MaaS\r\nBy Allison Ebel\r\nPublished: 2020-07-20 · Archived: 2026-04-05 16:36:27 UTC\r\nLatest Golden Chickens MaaS Tools Updates and Observed Attacks\r\nExecutive Summary\r\nThroughout March and April, QuoIntelligence observed four attacks utilizing various tools from the\r\nGolden Chickens (GC) Malware-as-a-Service (MaaS) portfolio. We are now declassifying our findings for\r\nthe general public.\r\nOverall, we attribute the separately conducted campaigns with confidence varying from low to moderate to\r\nGC05, GC06.tmp, and FIN6.\r\nDuring our analysis of the attacks, we uncovered the GC MaaS Operator, Badbullzvenom, created new\r\nvariants of three existing tools in the service portfolio with notable code updates to TerraLoader,\r\nVenomLNK, and more_eggs.\r\nTerraLoader. A multipurpose loader written in PureBasic.\r\nUpdates – the new variant uses different string de/obfuscation, brute-forcing implementation, and\r\nanti-analysis techniques.\r\nVenomLNK. A Windows shortcut file likely generated by a newer version of the VenomKit building kit.\r\nUpdates – the new variant uses a new volume serial number, an evolved execution scheme, and only\r\nthe local path to the Windows command prompt.\r\nmore_eggs. A backdoor malware written in JavaScript (JS)\r\nUpdates – the new variant includes a minimum delay before executing or retrying an action, and\r\ncleans up memory after using it.\r\nIn April, we detected two new attacks sharing similar characteristics of previously observed attack activity\r\nattributed to FIN6 – a financially-motivated threat actor group. 
Based on our analysis of the new\r\ncampaigns, we assess attribution to FIN6 with low to moderate confidence.\r\nThe uncovered campaigns highlight that Badbullzvenom is still highly active in the business of its MaaS,\r\nand that FIN6 is still one of Badbullzvenom’s recurrent customers.\r\nIntroduction\r\nThroughout March and April, QuoIntelligence observed four attacks (i.e. sightings) utilizing various tools from\r\nthe Golden Chickens (GC) Malware-as-a-Service (MaaS) portfolio – we are now declassifying our findings, after\r\nfirst notifying clients on 22 May. Further, during our analysis of the sightings, we confirmed the GC MaaS\r\nOperator, Badbullzvenom, released improved variants with code updates to three tools in the service portfolio:\r\nTerraLoader. A multipurpose loader written in PureBasic. TerraLoader is a flagship product of the GC MaaS\r\nservice portfolio.\r\nhttps://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/\r\nPage 1 of 9\n\nmore_eggs. A backdoor malware capable of beaconing to a fixed command and control (C2) server and\r\nexecuting additional payloads downloaded from an external Web resource. The backdoor is written in\r\nJavaScript (JS).\r\nVenomLNK. A Windows shortcut file likely generated by a newer version of the VenomKit building kit.\r\nFigure 1: Timeline of sightings using various GC MaaS Tools during March \u0026 April 2020\r\nThe Golden Chickens\r\nSince 2018, QuoIntelligence has tracked the evolution of the GC MaaS, the activities of its Operator\r\nBadbullzvenom, as well as the different threat actors using the MaaS – including top-tier, financially-motivated\r\nthreat actors such as FIN6 and the Cobalt Group. The GC MaaS remains a preferred service provider for top-tier e-crime threat actor groups due to the Operator Badbullzvenom’s consistent updates and improvements of\r\ntools and its ability to maintain the underlying network infrastructure. 
Although GC tools have primarily been used to\r\ncompromise organizations in the retail and financial sector, one notable outlier is a potentially targeted\r\nattack against a chemical company.\r\nTechnical Analysis\r\nLatest Sightings Related to GC MaaS\r\nThroughout March and April, QuoIntelligence has observed four sightings utilizing various tools from the GC\r\nMaaS portfolio. Overall, we attribute the separately conducted campaigns with confidence varying from low to\r\nmoderate to GC05, GC06.tmp, and FIN6. To clarify GC05 and GC06.tmp, we categorize the multiple GC MaaS\r\nclients as GCxx based on their overall motives, means, and opportunities. Additionally, we append .tmp to the GC\r\ncategorization to represent that we are still investigating their exact singular attribution.\r\nSighting 1 – GC06.tmp: Excel 4.0 Macro Sheet Used to Deliver GC MaaS Infection Chain\r\nOn 6 March, QuoIntelligence detected a new malicious Microsoft Excel document leading to the download of GC\r\nMaaS tools. Following our preliminary analysis, we confirmed the malicious document (maldoc) leads to an\r\nattack kill-chain which entirely relies on GC MaaS tools. Based on our telemetry, we assess with moderate to high\r\nconfidence this targeted attack was against a large German chemical company.\r\nUpon further analysis, we do not attribute the maldoc to the GC MaaS toolset, as it is clear the employed technique\r\nis a well-documented abuse of a legacy functionality in Microsoft Office known as Excel 4.0 Macro Sheet. The\r\nMacro Sheet was adapted to use the downloaded .ocx file – the typical file extension of TerraLoader.\r\nFigure 2: Output of tools to parse Microsoft document OLE objects\r\nThe Macro Sheet contains formulas in cells to perform actions, including running on open (Auto_Open) and executing\r\nshell commands and web requests. 
Once the document is opened, the Macro Sheet’s code is triggered, and it\r\ninitiates the infection routine to download and execute the next stage payload, which is a TerraLoader variant.\r\nThe attack chain consists of multiple known GC tools, which are:\r\nTerraLoader. A multipurpose loader, written in PureBasic. TerraLoader is essentially a flagship product of\r\nthe GC MaaS service portfolio.\r\nlite_more_eggs. A lite version of more_eggs used as a loader, written in JavaScript.\r\nmore_eggs. A backdoor malware capable of beaconing to a fixed command and control (C2) server and\r\nexecuting additional payloads downloaded from an external Web resource. The backdoor is written in\r\nJavaScript.\r\nTerraStealer. An information stealer (also known as SONE, StealerOne) written in PureBasic.\r\nFigure 3 – Kill-Chain of Sighting 1\r\nConsistent with our earlier observation, attacks relying on lite_more_eggs result in a variant of more_eggs\r\ndropped on the victim’s system. In this case, neither TerraLoader nor more_eggs were digitally signed, and the\r\nobserved more_eggs variant version is the older “2.0b”.\r\nFigure 4 – configuration of more_eggs delivered by the lite_more_eggs sample\r\nWe have observed three occurrences involving the same highlighted attack kill-chain of GC attributed tools,\r\nresulting specifically in the older “2.0b” variant of more_eggs. Although this activity is not distinct enough for a definitive attribution, we\r\nare temporarily attributing these sightings to GC06.tmp.\r\nSighting 2 – GC05: A New Campaign with Familiar Tactics, Techniques, and Procedures (TTPs)\r\nOn 10 April, QuoIntelligence detected a new VenomLNK variant. The VenomLNK file is contained within a Zip\r\narchive; both are themed as financial documents, and likely delivered to a targeted user as an email attachment or\r\nlink. 
While the observed filenames indicate the exploitation of a financial theme, we cannot confirm the\r\nvictimology at this time.\r\nFigure 5 – Financial-themed Zip archive and extracted VenomLNK variant\r\nThe attack’s kill-chain involves an obfuscated JS scriptlet dropping a TerraLoader variant and a decoy Microsoft\r\nWord document. While the decoy document appears on the screen of the user’s system, the TerraLoader is running\r\nand dropping a more_eggs variant. Finally, more_eggs delivers a final payload: the information-stealer\r\ntracked by QuoIntelligence as TerraStealer. Both more_eggs and TerraStealer are tools already attributed to the GC MaaS.\r\nFigure 6 – Sighting 2 – Kill-Chain\r\nPivoting on our initial sample, we obtained additional VenomLNK files which are all similar except for the C2\r\nURLs and contain slight modifications from earlier known variants. Further, we determined that our initial\r\nsighting was part of a campaign which likely ran from 11 March through 14 April. Based on our observations, the\r\ncampaign aligns with activities and TTPs we previously attributed to GC05, a threat actor we have tracked since\r\nSeptember 2019 who leverages the GC MaaS extensively, especially VenomLNK, more_eggs, and TerraStealer.\r\nFIN6: A Familiar and Returning GC MaaS Customer\r\nIn April, we processed two sightings of attacks sharing similar characteristics of previously observed activity\r\nattributed to the financially-motivated threat actor group known as FIN6. Since 2018, QuoIntelligence has been able to\r\nattribute with high confidence the use of GC MaaS tools such as more_eggs, TerraLoader, and TerraTV to FIN6\r\ncampaigns. Based on our analysis of the new campaigns, it is evident that FIN6 remains a customer of the GC\r\nMaaS. 
Although FIN6 is known to primarily target the financial and retail sectors, we cannot confirm the\r\nvictimology of these campaigns at this time.\r\nSighting 3 – ‘Fake Job’ Spearphishing Delivering VenomLNK\r\nOn 8 April, we became aware of a new variant of VenomLNK and its original Zip archive. Both filenames aligned\r\nwith the theme of the known fake job campaign, attributed to FIN6 by researchers at both IBM X-Force and\r\nProofpoint and conducted since at least the middle of 2018. The original Zip archive, named assistant_buyer.zip,\r\ncontained the VenomLNK variant named Job Offering.lnk. During analysis, the C2 URL was not serving the next\r\nstage payload of the kill-chain. Based on our telemetry, the first alleged execution of the attack occurred on 7 and 8\r\nApril, suggesting the sighting was likely part of new activity. However, due to the lack of further evidence\r\non the kill-chain, we currently attribute the sighting to FIN6 with low confidence.\r\nSighting 4 – TerraLoader Directly Injecting Metasploit’s Meterpreter\r\nOn 27 April, QuoIntelligence detected a new variant of TerraLoader having a modified payload delivery\r\nmechanism which decrypts the included payload (shellcode) and loads it directly into memory. During analysis,\r\nwe identified two DLLs in memory – one very likely OpenSSL and the other highly likely Meterpreter, which is a\r\nfull-featured backdoor. The Meterpreter uses HTTPS to call back to an attacker-controlled asset. Further aligning\r\nwith the detection timeframe, the TerraLoader variant included a kill-switch of year 2020 – a feature that disallows\r\nthe execution of a malware sample beyond a hardcoded date, time, or year value. 
As we have already noted, the\r\nkill-switch is a common feature of the Operator’s arsenal aimed at enforcing his own licensing with his customers.\r\nFigure 7 – Sighting 4 – TerraLoader direct memory injection\r\nPreviously, in April 2019, we identified FIN6 as the only GC MaaS customer using a variation of the approach\r\ndescribed above. In further support of the attribution of the April 2019 case, the involved C2 domain, registered in January\r\n2019, is also a domain we observed in attack activity we had already attributed earlier, with high confidence, to FIN6.\r\nIn April 2020, we detected another attack using the same approach as in 2019. The activity of all three cases is\r\ndescribed as follows:\r\nApril 2019: Involves initially generating an apparent stager executable, likely with Metasploit tools, for\r\nuse by TerraLoader to inject into another process and download Meterpreter.\r\nApril 2020: Similarly, this activity involves a generated stager executable used by TerraLoader to inject\r\ninto another process (wermgr.exe) and download the next stage payload, which is a Meterpreter.\r\nFigure 8 – April 2019 \u0026 2020 – TerraLoader process injection\r\nApril 2020: Differently, this activity involves TerraLoader loading obfuscated shellcode, already including the Meterpreter payload, directly into its own\r\nmemory and executing it. Both TerraLoader variants\r\ndetected in April included a kill-switch of year 2020, indicating recent or ongoing activity.\r\nA reasonable hypothesis for the new approach of using obfuscated shellcode, instead of injecting into another\r\nprocess, is that it increases stealth and evades detection by security solutions such as Anti-Virus. 
Moreover,\r\nTerraLoader is already known to be fully undetectable, so decrypting and executing code within the same memory space\r\nwill increase the likelihood of remaining undetected by most Anti-Virus solutions.\r\nGC MaaS Toolset Updates\r\nTerraLoader\r\nThe TerraLoader variant observed in Sighting 2, spanning from 11 March to 14 April, contains some notable\r\nfeature changes, which we previously observed only twice in December 2019. The new variant uses different\r\nstring de/obfuscation, brute-forcing implementation, and anti-analysis techniques.\r\nString de/obfuscation\r\nThe latest variants store strings RC4-encrypted (RC4 is a stream cipher) as raw bytes and seem to use the\r\nsame stream cipher for all decryption. In early variants, deobfuscation was achieved through XOR-decryption\r\nof strings stored as hex streams.\r\nBrute-forcing Implementation\r\nIn new variants, only the first half of the string encryption key is stored in the malware. The second half of\r\nthe string encryption key is brute-forced – calculated at runtime by counting up from zero until it is found.\r\nAs soon as the brute-forcing is able to decrypt a specific ciphertext to a specific plaintext, which are both\r\nstored in the malware, the key is successfully found.\r\nFrom an analysis perspective, earlier variants used XOR obfuscation which can be bypassed quickly;\r\nhowever, the latest variants use RC4, so the same brute-force search for the actual key needs to be performed\r\nto successfully decrypt all strings.\r\nAnti-analysis Techniques\r\nChecks where in memory ntdll.dll (a Microsoft file that contains NT kernel functions) is loaded.\r\nChecks hash of executable (exe) name against a whitelist (pre-calculated hashes) including regsvr32.exe,\r\nusing ZwQueryInformationProcess.\r\nChecks hash of loaded DLLs against a blacklist (pre-calculated hashes).\r\nCompares the hash of the Dynamic-link library (DLL) extension (expects .ocx) and of the exe name (expects\r\nregsvr32.exe) against pre-calculated hash values. To do so, the Process Environment Block (PEB) is used to\r\nlocate where the process exists in memory.\r\nUses NtQueryInformationProcess to check if a debugger is present on the system.\r\nDynamic function address resolution continues to perform lookup by hash (CRC32), but additionally uses\r\nan XOR value to make direct hash value comparison impractical.\r\nmore_eggs\r\nOn 29 April, we detected a new variant of TerraLoader which contains msxml.exe (a Windows command line\r\nutility that invokes the Microsoft XML Parser for transformation) and a new more_eggs version, “6.6b”, embedded\r\nin its .data section.\r\nFigure 9 – more_eggs configuration of the latest variant\r\nThe latest variant of more_eggs, 6.6b, one iteration above the last known version “6.6a”, was observed during\r\nthe campaign from 11 March through 14 April. Besides the typical customized more_eggs configuration variables\r\n(version number BV, C2 address Gate, and part of the ciphering key used to encrypt C2 communications, Rkey),\r\nthe latest variant contains two notable main code changes:\r\nIntroduces a minimum delay before executing or retrying an action.\r\nAttempts to clean up memory by assigning empty values to variables after using them. In general, it is not\r\nclear how effective this approach is in JavaScript; however, this does at least hinder a JavaScript debugger.\r\nVenomLNK\r\nSighting 3 utilized an updated variant of VenomLNK as an initial attack vector in a targeted campaign. We have\r\nobserved VenomLNK used in various campaigns involving different infection chains.\r\nMetadata analysis of the LNK file allows key information to be extracted about the direct link to another file and\r\nthe execution process. 
In general, LNK files have a small file size but contain valuable information such as the\r\nshortcut target file, file location and name, and the program that opens the target file.\r\nThe VenomLNK files obtained from the campaign were all similar and contain slight modifications from earlier\r\nknown samples, which are:\r\nUses a new volume serial number: 0xcae82342. The serial number is dependent on the hard drive the LNK\r\nfile was created on.\r\nEvolution of the execution scheme: /v /c set “z1=times”. The command line input places the first variable\r\nin double quotes, which can often break detection-based security solutions.\r\nOnly uses the Local Path (C:\\Windows\\System32\\cmd.exe) to the Windows command prompt, unlike\r\nthe earlier variant which also included the Relative Path (……..\\Windows\\System32\\cmd.exe).\r\nConclusion\r\nThe GC MaaS continues to offer a versatile catalog of attack tools and underlying C2 infrastructure to fulfill the\r\nentire attack kill-chain. The Operator continues to regularly evolve and improve the toolset within his service\r\nportfolio, and adapt new techniques over time, such as in the campaign leveraging TerraLoader to directly inject a\r\npayload into memory. We expect the MaaS will continue to prove its success and profitability, through at least its\r\nreturning customers and the known top-tier e-crime threat actors who have utilized the available services.\r\nSource: https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/"
	],
	"report_names": [
		"golden-chickens-evolution-of-the-maas"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434620,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b51d66be60248583778758029eb155f676b1e77e.pdf",
		"text": "https://archive.orkl.eu/b51d66be60248583778758029eb155f676b1e77e.txt",
		"img": "https://archive.orkl.eu/b51d66be60248583778758029eb155f676b1e77e.jpg"
	}
}