{
	"id": "3a758db8-b2d5-4244-8ae2-be5769e5fe8b",
	"created_at": "2026-04-06T00:19:01.935118Z",
	"updated_at": "2026-04-10T03:36:50.319696Z",
	"deleted_at": null,
	"sha1_hash": "e42c31524685c3b4a1b4613c293fdb7145943d21",
	"title": "The Hunt for VENOM SPIDER PART 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7246108,
	"plain_text": "The Hunt for VENOM SPIDER PART 2\r\nArchived: 2026-04-05 16:40:52 UTC\r\nSource: https://www.esentire.com/web-native-pages/the-hunt-for-venom-spider-part-2 (PDF, 30 pages)\r\nTracking the Real Mastermind Behind the Cyber Weapon of Choice for Two of Russia’s Most Notorious Internet Crime Gangs\r\nby Joe Stewart and Keegan Keplinger, Security Researchers with eSentire's Threat Response Unit (TRU)\r\nExecutive Summary\r\nFor the past 21 months, eSentire’s security research team, the Threat Response Unit (TRU), has been tracking, analyzing, and defending its customers from one of the most capable and stealthy malware suites—Golden Chickens. Golden Chickens is operated as a Malware-as-a-Service (MaaS), and it is the “cyber weapon of choice” for two of the longest-running and most notorious financial crime groups, the Russia-based FIN6 and Cobalt Group. The two criminal operations are estimated to have collectively caused financial losses of over USD $1.4 billion.\r\nAre Golden Chickens attacks still occurring? Is the MaaS still a threat?\r\nTRU saw cyberattacks using the Golden Chickens MaaS throughout 2022 and into January of 2023. During that time, TRU detected and shut down nine separate Golden Chickens incidents, and there were two additional failed Golden Chickens attacks. The eleven companies targeted in these incidents are e-commerce companies and service firms, and all of them have online payment systems. They include companies and organizations in the following industries: accounting, aviation parts sales, legal firms, workforce solutions, insurance, energy providers, food suppliers and building suppliers. Interestingly, during the first week of May 2023, TRU found that two identical samples of the Golden Chickens VenomLNK component were uploaded to VirusTotal. One sample was uploaded from Ukraine, and one was uploaded from the U.S. 
This might indicate an attempt by threat actors to launch a new attack campaign, or it might indicate testing by the threat actors. Although in the past the malware has primarily been used to steal credit cards, debit cards, and banking credentials, there is nothing to say that the Golden Chickens operator won’t bring on a new customer whose sole objective is to infect victims with ransomware. As we saw with the ransomware attack that crippled the UK’s Royal Mail service and the attack that hit Canada’s Hospital for Sick Children, if a customer of Golden Chickens decides to use this malware primarily to spread ransomware or destructive malware, Golden Chickens will pose far more danger than the theft of payment cards and banking credentials.\r\nOn August 11, 2022, TRU revealed in its security report, Unmasking VENOM SPIDER – The Hacker Behind the Cyber Weapon of Choice for Two of Russia’s Most Notorious Internet Crime Gangs, that it had discovered the identity of one of the threat actors behind Golden Chickens. The threat actor self-identifies as “Chuck from Montreal”. He operates an account on the Russian-language forum Exploit.in under the name “badbullzvenom” and is referred to as VENOM SPIDER by CrowdStrike researchers.\r\nTRU also revealed in the report that “Chuck from Montreal” is just one of two criminals operating the badbullzvenom and badbullz accounts, leaving cyber experts wondering who the other threat actor using these accounts and running the Golden Chickens MaaS is. For five months, TRU sifted through hundreds of forum chats from different threat actors, some going back to 2008, to answer this question. TRU has found the answer. This new report, Part 2, tracks the identity of the true mastermind behind Golden Chickens, and it outlines, in meticulous detail, how his identity was discovered. 
eSentire is partnering with law enforcement based on the information gathered, so we are not currently providing his aliases or the names of the various malware he has developed. Instead, we have assigned Venom Spider the code name “Jack.”\r\nKey Findings\r\nTRU discovered that the second threat actor behind Golden Chickens self-identifies as “Jack” and was born in a small Romanian town called Mizil.\r\nTRU tracked “Jack’s” Internet activities going back to 2008, when he was 15.\r\n“Jack” seems to have picked up coding at an early age, although TRU could find no evidence of any formal education. Since age 15, “Jack” has displayed a strong interest in developing malware and tools to assist in cybercrime.\r\n“Jack” has a short fuse. As early as 19, “Jack” had already gained a reputation as a “Ripper/Scammer”.\r\nIn July 2022, “Jack” had a $200,000 bounty placed on his head on Exploit.in by a threat actor who accuses him of stealing $1 million from him.\r\nLike “Chuck from Montreal”, “Jack” uses multiple aliases on forums, social media, and Jabber accounts, and goes to great lengths to disguise himself.\r\nThreat Actor Career Timeline [figure; the timeline graphic is not captured in the text]\r\nConclusion\r\nTRU has discovered “Jack’s” real name, as well as those of his wife, sisters, and mother. 
TRU has found pictures of him and his family members, the city in which he lives, where he likes to vacation, the business he purports to run, and that he and his wife enjoy traveling to the major cities in Europe.\r\nTRU found that “Jack” is considered by many of his customers to be a “Scammer”, so much so that in July 2022 a cybercriminal going by the alias “babay” went on the Russian forum Exploit.in and issued a bounty of $200,000 for information leading to “Jack’s” real identity.\r\nLike “Chuck from Montreal”, “Jack” uses multiple aliases for the underground forums, social media, and Jabber accounts, and he too has gone to great lengths to disguise himself. TRU also discovered that “Jack” has taken great pains to obfuscate the Golden Chickens malware, trying to make it undetectable by most AV products, and that he strictly allows only a small number of customers to buy access to the Golden Chickens MaaS. He also requires that his malware be used only for targeted attacks.\r\nBecause of eSentire’s investigation, “Jack”, like “Chuck”, has lost his anonymity. TRU continues to track updates to the Golden Chickens source code and to discover new Golden Chickens attack campaigns. TRU expects to see further targeted attacks leveraging this malware launched against e-commerce companies and other organizations with payment systems in the foreseeable future.\r\nIt is rare to uncover this level of detail about two threat operators, and this report illustrates the breadth and expertise of eSentire’s Threat Response Unit. This intelligence, including many of the underground forum conversations “Jack” and “Chuck from Montreal” had with other threat actors, has been extremely valuable. It has helped TRU better decipher “Jack’s” and “Chuck from Montreal’s” Tactics, Techniques and Procedures (TTPs), as well as the actual origins of the Golden Chickens MaaS and its ongoing operations. 
With this knowledge, TRU continues to hone its defenses, protecting eSentire’s global customer base from well-orchestrated attacks utilizing the Golden Chickens MaaS.\r\nTRU’s objective with this report is to share its research with other security teams so that they can better defend their critical data from attacks using the Golden Chickens malware suite. Also, with the real identity of the Golden Chickens author known, law enforcement has an opportunity to make an arrest. This would interrupt the malware supply chain of top financial crime gangs such as FIN6, Cobalt Group and others, and it would disrupt their business by forcing them to find another malware source. The balance of this report includes:\r\nAn overview of how TRU discovered the alias of the second threat actor behind the Golden Chickens MaaS.\r\nA detailed account of the investigation and subsequent identification of the real man who created and operates the Golden Chickens MaaS.\r\nA unique look into the making of a hacker. Readers will see how the creator of one of the most sophisticated suites of malware progresses from a young, naïve teenager interested in computers and malicious software, to a young adult writing password stealers and crypters, to a full-grown man who has created one of the most capable malware suites being used in cybercrime today. Readers will get a glimpse into the personal and business side of a longtime hacker.\r\nInsights and security recommendations from TRU.\r\nFull Report\r\nFor the past 21 months, eSentire’s security research team, the Threat Response Unit (TRU), has been tracking, analyzing, and defending its customers from one of the most capable and stealthy malware suites—Golden Chickens. 
Golden Chickens is operated as a Malware-as-a-Service (MaaS), and it is the “cyber weapon of choice” for two of the longest-running and most notorious financial crime groups, the Russia-based FIN6 and Cobalt Group (the two criminal operations are estimated to have collectively caused financial losses of over USD $1.4 billion).\r\nOn August 11, 2022, TRU revealed in its security report, Unmasking VENOM SPIDER – The Hacker Behind the Cyber Weapon of Choice for Two of Russia’s Most Notorious Internet Crime Gangs, that it had discovered the real identity of one of the threat actors behind Golden Chickens. The threat actor self-identifies as “Chuck from Montreal”. In fact, he does live in Montreal, Canada, and operates various underground forum accounts under the aliases badbullz and badbullzvenom. This includes one on the Russian-language forum Exploit.in under the name badbullzvenom. He is referred to by CrowdStrike researchers as VENOM SPIDER.\r\nTRU also revealed in the August report that “Chuck from Montreal” is just one of two cybercriminals operating the badbullzvenom and badbullz accounts. One of the clues that led TRU to that conclusion was the discovery, in forum chats, of two separate mentions of the badbullzvenom account being shared between two people (See Figures 1 and 2).\r\nFigure 1—A dispute thread in Exploit.in.\r\nFigure 2—A post from badbullzvenom in the forum Exploit.in.\r\nIt wasn’t just the forum posts that made TRU skeptical about “Chuck from Montreal” being the actual developer of the Golden Chickens malware. Golden Chickens is a stealthy, highly functional suite of malicious software. In reviewing “Chuck from Montreal’s” chats, it did not appear that he had either the interest or the skills to create this sophisticated malware. 
In TRU’s opinion, he showed more interest in being a cash-out guy—a criminal who monetizes stolen credit cards, debit cards, bank account data, etc.\r\nThus the questions remained: who is the second threat actor operating the badbullzvenom account, and what part does he play in the Golden Chickens MaaS? TRU set out to find these answers. For the past five months, two TRU researchers, Joe Stewart and Keegan Keplinger, have sifted through hundreds of chats, many from leaked forum databases, to answer this question. Not only did they discover the identity of the second threat actor, they also found the city in which he is currently living, the name of his wife, the business he purports to run, various vacations he has taken, and that he self-identifies as “Jack.”\r\nTRU has been able to build a picture of “Jack’s” progression from a young, naïve teenager interested in computers and malicious software, to a young adult writing password stealers and crypters, to a full-grown man who has created one of the most capable malware suites being used in cybercrime today.\r\n“Jack” started out as a teenager writing simple software. As his skills improved, he began building simple password stealers. TRU then sees him progress to the point where he can make crypters (software used to encrypt, obfuscate, and manipulate malware so it can slip by anti-virus and anti-malware products undetected). Moving on from crypters, TRU saw him create a malicious document builder. “Jack” used his past knowledge to slowly add more malware modules to his malicious document builder, such as a JavaScript backdoor and a password stealer. 
He finally puts all of his knowledge together, and his Golden Chickens MaaS comes out in 2017.\r\nAll roads lead to Jack\r\nWhen first tracking “Jack,” TRU had only one lead to go on in its quest to discover the identity of the second threat actor behind badbullzvenom. Sifting through every underground chat TRU could find from badbullz and badbullzvenom, the researchers finally came across a 2013 post in the forum Lampeduza where badbullz was trying to sell credentials for a Canadian bank-issued credit card that had a balance of $13,000. To be contacted privately, badbullz provided a Jabber account TRU had not seen previously (Figure 3).\r\nNote: eSentire is partnering with law enforcement based on the information gathered, and as such we are not currently providing the Jabber accounts or “Jack’s” aliases, email addresses, or the names of the various malware “Jack” has developed. TRU is replacing “Jack’s” aliases with the code word LUCKY.\r\nFigure 3—A 2013 post in the Lampeduza forum where badbullz is trying to sell stolen credentials for a credit card account, issued by a Canadian bank, with a $13,000 available balance. Badbullz provides a Jabber ID TRU had never seen before.\r\nWith this small lead, TRU began combing through hundreds of chats on underground forums, looking for that unique Jabber account. 
They finally came upon a thread in the popular Russian hacker forum Verified where a threat actor going by the alias LUCKY used the same Jabber address (See Figures 4 and 5).\r\nFigure 4—A chat on Verified, a popular Russian hacker forum, where threat actor LUCKY uses the same Jabber account as badbullzvenom.\r\nFigure 5—The continuation of a chat on Verified, a popular Russian hacker forum, where threat actor LUCKY uses the same Jabber account as badbullzvenom.\r\nWho is LUCKY, and how is he connected to \"Chuck from Montreal\" and the Golden Chickens MaaS?\r\nThe first question TRU asked was “Who is this LUCKY, and how is he connected with ‘Chuck from Montreal’?” It was the seemingly insignificant discovery of an account going by the alias LUCKY that was to break the investigation wide open.\r\nTracking LUCKY\r\nWith this clue, TRU immediately began combing the hacker forums for any chats attributed to LUCKY. The first forum posts TRU found were from 2008, when LUCKY was 15 years old. TRU was able to learn LUCKY’s date of birth because he entered it into various forums when registering to become a member. He also revealed his age in some of the chats, and it matches the date he entered into the forums. One of these forums was the Romanian Security Team (RST), and it was in the RST forum that TRU also found that LUCKY used two additional, very similar aliases. RST has a large following among residents of Romania who are interested in cybersecurity, and the forum includes both white hats and black hats. LUCKY’s posts in the forum portray him as a novice. 
However, from the chats one can tell that he is very interested in learning how malware works, and he is intent on trying to establish a reputation for himself (See Figure 6).\r\nFigure 6—References to LUCKY using two similar aliases.\r\nSometime between 2007 and 2008, LUCKY released a new malware tool, which we have given the codename Voyer. It is designed to steal a victim’s Yahoo instant messages, which technically is not difficult if you already have access to the victim’s PC. However, in late 2008 and early 2009, LUCKY’s technical skills appear to be improving. He comes out with another malware tool, to which TRU has given the codename FlyCatcher. It can intercept and record keystrokes entered by the victim into any desktop window, as well as send messages to the victim via popup dialogs. Additionally, it can perform some rudimentary actions to control the system, such as logging out, rebooting, and shutting down (See Figure 7).\r\nFigure 7—LUCKY promoting FlyCatcher on an underground forum, listing its various functionality.\r\nLUCKY seems to have picked up coding at an early age, although TRU could not find any evidence that LUCKY had any formal education; in fact, he said in one chat that he got out of school as soon as he could, making the comment “I only go to school to drink my coffee.” Between 2009 and 2010, LUCKY proceeded to publish a new password stealer that TRU is calling CON. LUCKY dedicated CON to an underground forum of which he was a member. 
It appeared that LUCKY was paying homage to the forum, not only because he named his password stealer after it, but because in a 2012 post, where he is promoting the stealer’s many attributes, he states it is “produced for the forum”.\r\nLUCKY does not seem to charge for the password stealer, and according to the 2012 post, CON is capable of stealing website credentials saved in different web browsers, including Internet Explorer, Google Chrome, Mozilla Firefox, etc. LUCKY also claims the tool can steal messages and stored credentials from MSN Messenger and Yahoo Messenger, as well as credentials for VPN and FTP applications installed on the victim’s computer (See Figure 8).\r\nFigure 8—A 2012 underground forum post in which LUCKY describes the functionality of the tool CON. He first released CON sometime between 2009 and 2010.\r\nYoung LUCKY begins upping his cyber skills\r\nBy the second half of 2009, LUCKY started upping his game. He released a crypter TRU has given the codename GHOST. A crypter is a type of software that can encrypt, obfuscate, and manipulate malware to make it harder for security programs to detect the malware. 
Various forum posts reveal that LUCKY’s crypter was well received by the hacker community, spurring him on to add new enhancements.\r\nOne can also begin to get a sense of LUCKY’s personality, and that he has a sarcastic streak, demonstrated in the screenshot where he advertises his new crypter and states: “First of all, this crypter is the worst, please don’t buy it!” (See Figure 9).\r\nFigure 9—LUCKY established a website for his new crypter, GHOST, where he lists the crypter’s functionality and gives credit to fellow threat actors who assisted him in its development and testing.\r\nLUCKY suffers a heartbreaking loss\r\nIn 2010, when LUCKY was just 17, he suffered a heartbreaking loss. He wrote an email to his customers telling them that, for the time being, he was ceasing development on GHOST because he was having a lot of trouble. LUCKY said, “I got many personal and financial problems in last month, like my father died about two weeks ago in one car accident, before 2 days i haved (sic) one car accident with no victims…and so on. Since then I lost my motivation…”\r\nLUCKY went on to say in the email, “Everyone who will pay 15 usd will get next crypter for free, it will be named \u003e MENTOR(really). 
MENTOR will be dedicated to my father, maybe sounds crazy for you…but this is it. And last, sorry for all the problems I’ve caused to you because I didn’t updated (GHOST).” See Figure 10.\r\nFigure 10—The email LUCKY sends to his GHOST customers explaining that he has not made any new updates to GHOST recently because he was experiencing many problems, including the sudden death of his father.\r\nDon't bite the hand that feeds you\r\nAfter LUCKY’s 2010 email alerting his customers about his father’s death, TRU saw minimal communications from LUCKY or about LUCKY until a post from a disgruntled client dated May 6, 2012. The client went by the alias “parkingcash.” Parkingcash said he had purchased the GHOST software in July 2011, and that LUCKY advertised three months of customer support with the purchase. However, according to parkingcash, LUCKY ignored his repeated requests for help.\r\nUpset, parkingcash posted his complaint about LUCKY on an underground forum called Open SC, warning other potential buyers: “He never reply to me in three months…That is the way of how this sh_ _ treat with his client. 
It happened a few months ago but I decided to post it here to make sure more people can see it, and do not buy anything from him, if you don’t want to be treated like this.” Parkingcash even went as far as to include screenshots of the chats between him and LUCKY in the complaint (See Figure 11).\r\nFigure 11—A customer of LUCKY who goes by the alias “parkingcash” complains how he purchased [redacted] in July 2011 and LUCKY promised three months of support with the purchase. However, LUCKY did not provide the support and did not respond to parkingcash’s messages for three months.\r\nParkingcash was not the only threat actor to complain about LUCKY. On February 28, 2012, a hacker going by the alias “iskapo” complained to fellow hacker “BlueCY” that LUCKY not only ripped him off for $100 but also dodged all his messages. Iskapo wanted everyone to know that LUCKY was a Ripper. 
(See Figure 12).\r\nFigure 12—LUCKY’s customer iskapo complains to fellow hacker BlueCy that LUCKY took his $100, and LUCKY wouldn’t even respond to his messages.\r\nTRU finds other posts where threat actors complain about LUCKY and speculate that LUCKY doesn’t have time for his clients because “he’s such a party boy,” and he “is always in the bars and clubs.” (See Figure 13). By 2012, LUCKY would be 19 years old and could legally go to bars and clubs.\r\nFigure 13—Underground forum members speculate that LUCKY is too busy hanging out at bars and clubs to spend time taking care of his customers.\r\nUnfortunately, LUCKY’s reputation as a “Ripper” continues to grow, as evidenced by a post dated March 5, 2012, by yet another disgruntled customer going by the alias “zIFuILILeTe.” He calls LUCKY “SCAMMER of the Year,” and he also tries to warn potential buyers to stay away from buying any tools from LUCKY. 
“Everybody before buy this sh_ _ crypter read this…” “You don’t even care about your customers until your shtt got cracked…i see you only like $$$.” Interestingly, LUCKY’s former disgruntled customer iskapo also chimes into zIFuILILeTe’s chat about LUCKY (See Figure 14).\r\nFigure 14—Another disgruntled customer of LUCKY posts that LUCKY is the “Scammer of the Year” and warns everyone to read about his crypter before buying it.\r\nTrouble at work and at home\r\nBy the time April 2012 rolls around, it is evident that 19-year-old LUCKY has established a bad reputation for himself, and from several other posts it appears that LUCKY has other “big life problems,” as he describes them. In one chat, TRU sees LUCKY tell a friend he is thinking about moving to Pakistan. He says: “I have three trusted friends here, and I will work for the Pakistan gov. I just need the papers, that’s all.” LUCKY goes on to say “Reason: big life problems…it’s a long story. Basically i need to go in any other country except Romania.” See Figure 15.\r\nFigure 15—LUCKY says to a forum member he might go to Pakistan to work for the government because he has big life problems, and he needs to go to any other country except Romania.\r\nTRU then finds LUCKY speaking to another threat actor, who goes by the alias 1337 haxOr 3.-, about his potential move to Pakistan. LUCKY appears to be fairly trusting of him, because he discusses the possibility of going to work with the Pakistan government as a security specialist. 
In fact, he reveals to 1337 haxOr 3.- that he has one crypter customer who works for the Pakistan government, and he tells him that what he will be doing “will be hidden” (See Figure 16).\r\nTRU briefly explored possible connections between LUCKY and Pakistan-sponsored cybercrime, which turned up some interesting coincidences (see more in the upcoming section titled: Does LUCKY run off to Pakistan?).\r\nFigure 16—LUCKY discusses with a fellow threat actor his plans to work for the Pakistan government as a security specialist.\r\nWhatever LUCKY’s “big life problems” are, it doesn’t seem like he is able to go to his family for help, as is evident from a May 2012 discussion between LUCKY and his confidante, 1337 haxOr 3.-. LUCKY tells him that his father is dead and that he died in a car accident. He further confides in 1337 haxOr 3.-, saying “my mother doesn’t care about me…that is how she is. I’ve two little sisters and since that he forgot about me.” LUCKY clearly feels isolated from his family, especially since his father died (See Figure 17).\r\nFigure 17—LUCKY confides in fellow threat actor 1337 haxOr 3.- that his father died in a car accident and that his mother doesn’t care about him, not since his two younger sisters came along.\r\nBecause TRU was able to uncover LUCKY’s real name, the date and location of his birth, and that he lives in Bucharest, Romania, TRU was able to confirm that LUCKY does indeed have two younger sisters and a mother living in Romania.\r\nOn December 28, 2012, there is a post on the Exploit.in forum in which LUCKY claims to have discovered, and is sharing for free, a NASA SQL server (See Figure 18). 
Note: One will see in the Exploit.in post that there is a line struck directly through the name LUCKY and underneath it the word RIPPER. This is significant: if the administrator of a forum gets repeated complaints about a forum member cheating and scamming his or her clients, the administrator will tag that user’s profile (in this case LUCKY) as a RIPPER. In the Exploit.in forum, user profiles are always displayed to the left of every post, and once an Exploit.in forum user gets tagged as a RIPPER, no matter how old the post is, their user profile will always show them as a RIPPER. Although LUCKY did not get tagged as a RIPPER on Exploit.in until 2014, all his previous posts display the RIPPER tag.\r\nFigure 18—LUCKY shares an exposed SQL server owned by NASA on the Exploit.in forum.\r\nDoes LUCKY run off to Pakistan?\r\nAfter seeing posts from LUCKY where he seems to speak seriously about leaving for Pakistan, TRU wonders if he did go there to work for the government or for himself, developing and selling malware. It certainly seems plausible, since 1) he has racked up a host of disgruntled customers who are spreading the word on the underground that he is a Scammer/RIPPER, 2) he appears to have gotten himself into some real trouble, so much so that he is contemplating leaving his home country, and 3) he believes that the only parent he has left, his mother, doesn’t care about him.\r\nIf LUCKY did go to Pakistan, there is an interesting coincidence. There is an Advanced Persistent Threat (APT) group called SideCopy. According to news reports, they have been behind a number of attacks targeting the Indian defense forces and military personnel. 
They were first observed by security researchers in 2019 and are believed to originate out of Pakistan.\r\nSecurity researchers contend that there is a tie between the SideCopy APT group and the APT group called Transparent Tribe, which was first observed in 2013. Transparent Tribe is also known for launching cyberattacks against India’s government and military, and of late has turned its attention to Afghanistan. Transparent Tribe is also suspected of operating out of Pakistan.\r\nCoincidentally, SideCopy’s 2019 campaign features some tactics similar to those LUCKY was using during the same time frame in what is now called his VenomLNK malware, an initial access vector for LUCKY’s current more_eggs backdoor (the main component of LUCKY’s Golden Chickens malware suite). The similarities in tactics include the use of 1) a malicious LNK file, 2) a decoy document, and 3) copying trusted Windows binaries out of the System32 folder into a user folder where the malware can abuse them (See Figure 19). TRU finds it interesting that there are similar tactics used by an APT group believed to be out of Pakistan and malware that LUCKY has developed.\r\nFigure 19—An infection chain used by SideCopy APT bears some high-level similarity to earlier versions of VenomLNK.\r\nLUCKY emerges on the hacker scene under new aliases\r\nAs briefly touched upon at the beginning of this report, on October 4, 2013, TRU sees a post from the account badbullz on the Lampeduza forum where a Canadian bank-issued credit card is being advertised. Initially, TRU believed that it was simply “Chuck from Montreal” peddling a credit card; after all, he is based in Montreal, and TRU already established in Part 1 of the report that he likes to deal in stolen credit cards. 
However, upon further inspection, TRU saw that the contact information was different from any it had ever seen “Chuck from Montreal” use for his badbullz accounts. The contact information was a Jabber account TRU had never seen used by badbullz.\r\nAt that moment, a light bulb went off. TRU knew there was a second threat actor running the badbullz accounts; it just didn’t have any leads as to who that second threat actor might be. When the researchers discovered this new Jabber account, they thought, “this is a small thread, but it is one we have to pull.” (See Figure 20).\r\nFigure 20—TRU sees for the first time the badbullz account using a Jabber account it had never seen before as its contact information.\r\nFrom that point forward, TRU dug into every forum database it could get its hands on, whether defunct or still operating. The amount of data TRU culled through looking for this Jabber ID amounted to terabytes. After a couple of days, they found another instance of the Jabber ID. 
They found a chat on the popular Russian forum Verified, where a threat actor using the account name “LUCKY” was peddling Canadian traffic, and his contact information just so happened to be the same jabber ID (see Figure 21).\r\nFigure 21—LUCKY selling access to hijacked computers located in Canada and asking interested parties to contact him at his jabber address.\r\nFrom there TRU dug in, and the hunt was on for LUCKY and everything TRU could find out about him: what role he plays in the Golden Chickens MaaS, his real name, his life in cybercrime, how he is connected to “Chuck from Montreal”, his education, where he lives, etc.\r\n“Chuck from Montreal” meets LUCKY\r\nTRU believes that at some point between the latter part of 2012 and October 2013, LUCKY met “Chuck from Montreal” on the underground, and LUCKY brokered a deal with Chuck. The agreement was that Chuck would allow LUCKY, alongside himself, to post under his accounts “badbullz” and “badbullzvenom” on a number of forums.\r\nThis was very clever on LUCKY’s part, because by 2013 he had been labeled a RIPPER and a SCAMMER on multiple forums. LUCKY needed an account with a pre-established reputation, one that would allow him to continue doing business on forums where he was no longer welcome, and “badbullz” and “badbullzvenom” fit the bill.\r\nIt is not hard to imagine “Chuck from Montreal” and LUCKY crossing paths in the hacker underground around 2013. As TRU revealed in part 1 of the Venom Spider report, Chuck was highly interested in Canadian-based credit cards and bank account credentials for the top Canadian banks: TD, CIBC, Scotiabank, and BMO. 
TRU also detailed in part 1 that Chuck was a member of two underground carding forums: Carder.pro and Carder.su. Although they are currently defunct, they were two of the most popular carding forums on the underground. Carding forums are where buyers and sellers of stolen credit and debit cards from around the world connect with one another to transact business.\r\nMeanwhile, from the examples in Figures 21 and 22, it is apparent that LUCKY is able to obtain account credentials for credit cards issued by Canadian banks, and that he has access to computers located in Canada for sale. Therefore, it is not surprising that “Chuck from Montreal” and LUCKY met one another. Note: although LUCKY had already begun posting under the badbullz account in some forums in 2013, there are examples from 2014 where he continued to post under the LUCKY account. One can be seen in Figure 22. TRU believes these are forums where LUCKY had not yet been blackballed.\r\nThe LUCKY accounts go inactive, while the badbullz and badbullzvenom accounts take on a new life\r\nFor the threat actor behind the LUCKY accounts, 2015 was a milestone in several respects. This is the year he unveiled his new tool, which TRU is calling MULTIPLIER. TRU considers MULTIPLIER the beginning of what would later become the infamous Golden Chickens MaaS. MULTIPLIER is a kit for building macros. Macros are snippets of code embedded in a Microsoft Office document that run when the document is opened and the user enables content, which makes them a convenient way to launch malware. In the case of MULTIPLIER, the kit can be used to build macros for any type of Microsoft Office document: Word, Excel, PowerPoint, etc. TRU believes MULTIPLIER is the predecessor to the tool VenomKit.\r\nThis is also the year in which one of LUCKY’s tools is released not under any LUCKY account but under a badbullzvenom account. 
TRU believes that, with the release of MULTIPLIER, the threat actor behind the LUCKY account ceases posting under this account or similar ones from this point forward. He only posts under the badbullzvenom and badbullz accounts. By using them, and unbeknownst to forum members, he is essentially starting with a clean slate, and he can continue to build his credibility under the aliases badbullz and badbullzvenom.\r\nWhile still selling his MULTIPLIER kit in 2015 and 2016, TRU observes badbullzvenom (aka: LUCKY) continuing to show interest in crypters and banking trojans. TRU also sees badbullzvenom (aka: LUCKY) bantering back and forth with other threat actors. Although he does give several fellow hackers a “thumbs up” for some of their tools and malware, he also keeps making aggressive comments, showing that he has a short fuse. In one of these he tells a member of Exploit.in “to kill themselves, and he offers to pay for the bullet.”\r\nBadbullzvenom’s (aka: LUCKY) malware continually improves and the top cybercrime gangs take notice\r\nBy 2017, badbullzvenom (aka: LUCKY) really began to hit his stride as a professional malware provider. He debuts his newest tool, which he calls \"Word 1-day doc builder,\" known today as VenomKit. Word 1-day doc builder is a kit for building malicious Microsoft Word documents. Badbullzvenom (aka: LUCKY) accumulates customers quickly for his new malware and continues making improvements. He adds new features and eventually removes PowerShell from the kit to reduce detection by anti-malware and antivirus products. 
He also adds .dll support for the payloads and a JS Downloader (likely the predecessor to the TerraLoader component of the Golden Chickens malware suite) to the Word 1-day doc builder kit, offered for sale as an add-on.\r\nBadbullzvenom (aka: LUCKY) continued developing additional malware to work alongside his Word 1-day doc builder until he finally established a stealthy, highly functional, all-in-one suite of malware. It consists of various components that threat actors can select for their objectives and is currently known as the Golden Chickens MaaS.\r\nAll of badbullzvenom’s development work paid off because, according to security reports, in 2017 his malware caught the attention of a customer that wasn’t just any run-of-the-mill hacker. It was a threat group considered to be one of the most infamous financial crime groups in existence: the Russia-based Cobalt Group. Cobalt Group is said to have caused the financial industry over a billion dollars in cumulative losses. Their crime spree includes the targeting of 100 financial institutions in more than 40 countries worldwide, allowing the criminals to steal more than US$11 million per heist.\r\nSecurity experts assert that in 2017 the Cobalt Group used badbullzvenom’s (aka: LUCKY) VenomKit to deploy Cobalt Strike in attacks on banks, and that they used it again in 2018. Cobalt Strike is a commercial adversary-emulation framework that threat actors commonly abuse to gain a foothold in an organization’s IT network and then expand their access.\r\nThe Cobalt Group was not the only crime syndicate to take notice of badbullzvenom’s (aka: LUCKY) Golden Chickens malware suite. It also attracted the likes of the top financial crime group FIN6, which is also based out of Russia. They are known as one of the most notorious hacking gangs in the world of cybercrime. 
They dominated news headlines in 2018 when they were cited as the cyber group who broke into the online payment systems of British Airways, Ticketmaster UK and the top electronics retailer Newegg, stealing credit and debit card data from millions of customers. Conservatively, security firm Trellix estimated that in one of their campaigns FIN6 stole 20 million payment cards worth US$400 million.\r\nIt was in 2019 that FIN6 was first observed using the Golden Chickens MaaS (previously referred to as more_eggs) in an attack campaign involving “employment lures.” However, this would certainly not be the last cyber campaign involving Golden Chickens and “employment lures.”\r\nIn 2019, security researchers also saw the PureLocker ransomware plugin emerge as a component of the Golden Chickens offering. It was being used in targeted attacks against workstations and production servers running Windows and Linux. PureLocker takes its name from the language used to author it: PureBasic. Interestingly, LUCKY has demonstrated knowledge of, and a preference for, PureBasic in online discussions.\r\nThe Golden Chickens MaaS is alive and well\r\nIn April 2021, TRU detected a significant Golden Chickens campaign, and almost exactly one year later they uncovered a second round of attacks involving the Golden Chickens malware. Barely two months after that, in July 2022, TRU spotted a third campaign.\r\nInterestingly, all three Golden Chickens campaigns involved employment lures. Either the campaigns targeted corporate employees on LinkedIn using malware-laden fake job offers, or they targeted corporate hiring managers with malware-laden fake resumes of job applicants. The campaign that kicked off in November 2022 has continued, with TRU detecting and shutting down the most recent Golden Chickens attack in January 2023. 
In this campaign, TRU saw the malware being used to go after e-commerce companies in addition to service companies, all of which have online payment systems. Ironically, FIN6’s 2019 Golden Chickens campaign also used employment lures and went after e-commerce companies, a favorite target of the financial crime group given its success in compromising British Airways, Newegg, Ticketmaster and countless others.\r\nNote: Interestingly, during the first week of May 2023, TRU found that two identical samples of the Golden Chickens VenomLNK component were uploaded to VirusTotal. One sample was uploaded from Ukraine, and one was uploaded from the U.S. This might indicate an attempt by threat actors to launch a new Golden Chickens attack campaign, or it might indicate testing by the threat actors.\r\nThe Golden Rule of Golden Chickens: “Mass spamming is not allowed. You spam, You banned. Simple.”\r\nOne might think that three malware campaigns in twenty-one months isn’t significant. However, the infrequency and the specific targeting of the Golden Chickens campaigns are very intentional on the part of the threat actors operating the attacks and the creator of the malware, badbullzvenom (aka: LUCKY). The logic is simple: a sample that lands on VirusTotal is available to every antivirus vendor, so a customer who spams widely burns the kit for every other customer.\r\nIn fact, in one post from badbullzvenom (aka: LUCKY) on Exploit.in, he bans a customer called Black Angus because he found a sample of his Golden Chickens malware on VirusTotal. Badbullzvenom tells Black Angus in no uncertain terms, “Mass spam is not allowed. If hash is found in virustotal in less than four days, then you get banned (no rebuilds possible).” He continues with: “You broke the terms \u003eYou are banned. simple.” He ends with “my softwares aren’t for you, you don’t do targeted attacks.” See Figure 22.\r\nFigure 22—Exploit.in reply to dispute thread. 
badbullzvenom drops Black Angus as a customer for breaking his rules and shuts down his access.\r\nFollowing the Gravatar link and discovering the man behind LUCKY (aka: Jack, badbullz, badbullzvenom) and the creator of Golden Chickens?\r\nSo, who is the real man behind the LUCKY accounts, who self-identifies as “Jack” and who has been posting under the badbullz and badbullzvenom accounts since 2013? Who is the real creator of Golden Chickens, and how did TRU discover his identity?\r\nOnce TRU knew that the LUCKY identity was at times operating the badbullz and badbullzvenom accounts, they started searching for any other related forum or social media accounts using that name or emails connected to that alias. TRU discovered a Gravatar account belonging to one of the email addresses LUCKY had used to register for several forums. Gravatar is a web service that lets users upload an online avatar and associates the avatar with their email address.\r\nGravatar does not expose the account owner’s email address directly; it identifies the account by the MD5 hash of the (trimmed, lower-cased) address. That obfuscation is weak: MD5 is fast and the set of plausible inputs is small, so it is often trivial to link a Gravatar account to the owner’s email address by brute force, hashing the billions of email addresses found in leaked address lists circulating on the underground and looking for a match. Conversely, when searching Open-Source Intelligence (OSINT) sources for an email address, it is recommended to also query Gravatar’s servers for the MD5 hash of the email, because in many cases (including this one) the returned profile metadata includes the full name of the account owner.\r\nOf course, this account could have been registered with a completely fake name, so it’s always important to get independent confirmation of any such links. 
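As an added illustration (this code is not from the eSentire report), the two directions described above in Python: hash an address the way Gravatar does, and run a known hash against a candidate list to recover the address. The profile URL format and the trim-plus-lowercase normalisation are assumptions taken from Gravatar's public documentation; the candidate addresses and the profile record are constructed test data, and no network request is made.

```python
# Added example (not from the eSentire report): linking a Gravatar hash to an
# email address and back, as the text describes.  Assumptions: the profile URL
# format https://gravatar.com/<hash>.json and the normalisation rule (trim,
# lowercase, MD5) follow Gravatar's public documentation; the candidate emails
# and the profile record below are constructed test data, not real accounts.
import hashlib
from typing import Dict, Iterable, Optional

PROFILE_URL = 'https://gravatar.com/{hash}.json'


def normalise_email(email: str) -> str:
    # Gravatar hashes the trimmed, lower-cased address, so two spellings of the
    # same mailbox yield the same avatar hash.
    return email.strip().lower()


def gravatar_hash(email: str) -> str:
    # MD5 of the normalised address, hex-encoded (32 characters).
    return hashlib.md5(normalise_email(email).encode('utf-8')).hexdigest()


def profile_url(email: str) -> str:
    # Where the JSON metadata (often including the owner's full name) lives.
    return PROFILE_URL.format(hash=gravatar_hash(email))


def link_hash_to_email(target_hash: str, candidates: Iterable[str]) -> Optional[str]:
    # The brute-force direction from the text: hash every address from a leaked
    # list and stop at the first one that reproduces the Gravatar hash.
    target = target_hash.strip().lower()
    if len(target) != 32:
        return None  # not an MD5 hex digest, nothing to compare against
    for email in candidates:
        if gravatar_hash(email) == target:
            return normalise_email(email)
    return None


def owner_name(profile: Dict) -> Optional[str]:
    # Pull the formatted name or display name out of a decoded profile record.
    # Missing fields are tolerated because not every profile sets a name.
    for entry in profile.get('entry', []):
        name = entry.get('name')
        if isinstance(name, dict) and name.get('formatted'):
            return name['formatted']
        if entry.get('displayName'):
            return entry['displayName']
    return None


# Constructed test data: a leaked-list fragment and one profile record shaped
# like a Gravatar profile response (assumption about the field names).
LEAKED_EMAILS = ['user1@example.com', 'Lucky.Test@Example.org ', 'nobody@example.net']
SAMPLE_PROFILE = {'entry': [{'hash': gravatar_hash('lucky.test@example.org'),
                             'displayName': 'luckytest',
                             'name': {'formatted': 'Example Person'}}]}

if __name__ == '__main__':
    h = gravatar_hash('Lucky.Test@Example.org')
    print(h, profile_url('Lucky.Test@Example.org'))
    print(link_hash_to_email(h, LEAKED_EMAILS), owner_name(SAMPLE_PROFILE))
```

In practice the candidate list is the interesting part: every leaked dump the investigator can get hold of, normalised the same way before hashing, because a single stray capital letter or trailing space produces a different digest and a false negative.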
By searching for the term “LUCKY” in combination with the Gravatar-revealed “name,” TRU located a comment dated 2013 from an anonymous tipster on a security blog, asserting that the name revealed by Gravatar was the real name of LUCKY.\r\nFrom here, TRU was able to locate the social media accounts of a Romanian citizen with the same name, whose personal details matched those revealed by or leaked about LUCKY, such as his location (Bucharest), hometown (Mizil) and living family members (mother and two younger sisters). Although “Jack” (aka: LUCKY, badbullzvenom, badbullz) is quiet on social media, these accounts and their social networks allowed TRU to build a picture of “Jack’s” personal life, his family, his lifestyle and his travel. TRU was also able to find that “Jack” is married, and he is listed as the owner of a vegetable and fruit import and export business. Further mining the social media accounts, TRU was able to locate an upscale area of Bucharest where they believe “Jack” and his wife reside.\r\nReaders, meet \"Jack\", the real creator of the Golden Chickens MaaS\r\n\"Jack\" (LUCKY, badbullzvenom, badbullz) enjoys the good life\r\nFrom the various pictures on the social media accounts of “Jack’s” (LUCKY, badbullzvenom, badbullz) wife, it appears that “Jack” really started to find success in 2019. There are pictures of “Jack” and his wife in 2019 visiting many of the top cities in the world, including London, Paris, and Milan.\r\nIt also appears from the photos that they both enjoy designer clothing. In this photo, LUCKY is sporting a designer t-shirt from Dsquared2, which runs between USD $200 and $250 (See Figure 24). 
In a second photo, LUCKY and his wife toast with champagne, with London in the background. She is wearing what appears to be an authentic Valentino purse, which can retail for anywhere between USD $3,000 and $5,000 (See Figure 25).\r\nThe last photo is of LUCKY and his wife, perhaps on their honeymoon, wearing matching robes (See Figure 26).\r\nFigure 23—Jack, the creator of the Golden Chickens MaaS, at a coffee shop outside the Manufaktura Mega Mall in Bucharest.\r\nA $200,000 bounty issued for badbullzvenom on July 18, 2022\r\nAlthough badbullzvenom (LUCKY) appears to have found success, his short temper and habit of “Scamming/Ripping” off his customers seem to have reemerged and caught up with him.\r\nOn July 18, 2022, a threat actor going by “babay” went on Exploit.in and accused badbullzvenom of stealing $1 million from him. Consequently, babay issued a $200,000 bounty for any information leading to badbullzvenom’s real identity (See Figure 27).\r\nFigure 27—A threat actor on Exploit.in accuses badbullzvenom of stealing $1 million from him and offers a $200,000 bounty for any information leading to his real identity\r\nThe translation of the complaint made by babay about badbullzvenom:\r\n\"The total cost of the complaint: $1,000,000.\r\nThe person scammed me, didn't complete his job, talks total nonsense. I can't contact him and he refuses to return the money. The situation is private, I sent the logs to the admin.\r\nFor information that can lead to his deanonymization I will pay $200,000 through the guarantor.\"\r\nLUCKY’s fatal mistake\r\nThe threat actor who went by the alias LUCKY, and who also shares the badbullz and badbullzvenom accounts with the Montreal-based cybercriminal “Chuck,” made his fatal mistake when he used the jabber account. 
It was this jabber ID that led TRU to discover the LUCKY account and subsequently the real threat actor behind LUCKY, the partner of “Chuck from Montreal”.\r\n“We suppose that, like a lot of new hackers just starting out, LUCKY never imagined that in the future, security researchers would gain access to countless leaked databases, enabling them to build a comprehensive history of a threat actor’s public (and sometimes private) messages, online aliases, ICQ and Jabber ID’s, going back over 15 years. This turned out to be a fatal oversight for his operational security,” said Joe Stewart, Principal Security Researcher, TRU.\r\nThe significance of discovering the identity of the author and operator of the Golden Chickens MaaS\r\n1. Better Understanding of the Technical, Tactical, and Strategic Operations of the Golden Chickens Service Offering–With this investigation, TRU was able to build an accurate picture of the Golden Chickens malware author’s Tactics, Techniques and Procedures (TTPs). TRU uncovered specific details, from the author's public and sometimes private conversations, showing his progression from a young teenager interested in hacking tools to a professional malware provider.\r\nThroughout the course of this investigation, TRU was able to develop detections, track infrastructure, and gain context around the technical, tactical, and strategic operations of the Golden Chickens service offering. This alone makes attribution analysis valuable, even when it doesn’t lead to the identification of cybercriminals. 
It is often what you learn along the way that has the most impact in the field. Observing firsthand the technical, social, and transactional nature of cybercrime gives rare insight into the motivations and challenges threat actors come across and helps to explain observations in the field that otherwise can leave analysts scratching their heads. These observations alone can help security defenders position themselves against attacks.\r\n2. Disrupting the Cybercriminals’ Supply Chain–When attribution analysis is conducted and it leads to identification, as in the case of Venom Spider, the impact on society becomes even more significant. Hackers are real people with real problems, and a lifestyle of cybercrime is fraught with paranoia and anxiety, as is often conveyed in interviews with threat actors. A published attribution report can therefore act as a damping force on cybercrime activity, reducing business opportunities and forcing threat actors to be more selective in future operations or quit the game altogether. When the threat actor is a Malware-as-a-Service provider like Venom Spider, and he is suddenly no longer able to provide his malware service, this disrupts his customers’ business, forcing them to find another malware source.\r\n3. Sociopsychology of Cybercrime–Investigations such as these provide insight into the social psychology of cybercrime. Threat actors are, inevitably, human. They have human problems, and they require human connection. This can have numerous repercussions for them as they make their way through the underground markets in an attempt to establish a reputation. The death of a father can lead to a new version of malware, legal troubles can lead to a shift in business associates, and online disagreements and fights can expose links between threat actors, their business associates, and the malware they develop or use (e.g., badbullzvenom). 
TRU contends that the more security professionals know about their enemy, the better prepared they will be to defend their organization against that enemy, taking inspiration from the saying: “You Must Know Your Enemy, To Defeat Your Enemy.”\r\nConclusion\r\nTRU assesses with high confidence, given the evidence detailed in this report, that the threat actor who self-identifies as “Jack” is the key operator and creator of the Golden Chickens MaaS. TRU expects cyberattacks using the Golden Chickens MaaS to continue in the first half of 2023. TRU is continuing to investigate the Golden Chickens operation and any other parties that may be involved.\r\nIt is TRU’s recommendation that organizations take the following steps to protect against the Golden Chickens malware suite:\r\n1. Employ exhaustive endpoint monitoring for LOLBins (living-off-the-land binaries, i.e. abuse of trusted Windows binaries). LOLBins of interest include cmd.exe, wscript.exe, wmic.exe, cmstp.exe, msxsl.exe, powershell.exe, and ie4uinit.exe. Ensure endpoint products have rules in place to detect suspicious usage of these Windows processes, including copies of them executing from outside their normal System32 location, as seen in VenomLNK.\r\n2. Ensure employees are aware of common phishing tactics:\r\n1. Be suspicious of attachments from people you don’t know; additional care is required in cases where you must accept documents from the public (such as in the employee hiring process)\r\n2. Inspect attachment file types by right-clicking the file and selecting Properties (Windows hides known extensions by default, so a .lnk file can pass for a document at a glance)\r\n3. Documents should never come as LNK, ISO, or VBS files\r\n4. Often, these malicious files will be enclosed in a .zip file to bypass email filters\r\n3. Have an easy process in place for reporting phishing and suspicious behavior.\r\n1. Leadership is responsible for ensuring a positive and convenient path is in place for reporting suspicious behavior\r\n2. 
Develop a collaborative culture of cyber resiliency where employees are comfortable bringing forward questions, and even mistakes, when it comes to email behavior and downloads. Punishing employees for falling for phishing scams will reduce the chances that they, and other employees, report them in the future.\r\n4. Engage Managed Detection and Response services for 24/7 Security Monitoring, Threat Hunting and Threat Containment expertise. The speed with which you can detect and contain a threat actor before they achieve their objectives is imperative in preventing business disruption.\r\nSource: https://www.esentire.com/web-native-pages/the-hunt-for-venom-spider-part-2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/web-native-pages/the-hunt-for-venom-spider-part-2"
	],
	"report_names": [
		"the-hunt-for-venom-spider-part-2"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434741,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e42c31524685c3b4a1b4613c293fdb7145943d21.pdf",
		"text": "https://archive.orkl.eu/e42c31524685c3b4a1b4613c293fdb7145943d21.txt",
		"img": "https://archive.orkl.eu/e42c31524685c3b4a1b4613c293fdb7145943d21.jpg"
	}
}