{
	"id": "b1c79598-b113-41e4-844d-f6d69012600e",
	"created_at": "2026-04-06T00:16:18.074154Z",
	"updated_at": "2026-04-10T03:36:08.358695Z",
	"deleted_at": null,
	"sha1_hash": "e4f40d8baea1f9d41ce586acbe0100eacb36f83d",
	"title": "Unmasking VENOM SPIDER",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5993518,
	"plain_text": "Unmasking VENOM SPIDER\r\nArchived: 2026-04-05 16:19:31 UTC\r\nby Joe Stewart and Keegan Keplinger,\r\nSecurity Researchers with eSentire‘s Threat Response Unit (TRU)\r\nExecutive Summary\r\nFor the past 16 months, eSentire’s security research team, the Threat Response Unit (TRU), has been tracking one\r\nof the most capable and stealthy malware suites — Golden Chickens. Golden Chickens is the “cyber weapon of\r\nchoice” for three of the top money making, longest-running Internet crime groups: Russia-based FIN6 and Cobalt\r\nGroup and Belarus-based Evilnum. The three criminal operations are estimated to have collectively caused\r\nfinancial losses over USD $1.5 billion. This report unveils the identity of the threat actor behind Golden Chickens\r\n—who goes by badbullzvenom—and outlines how he was found.\r\nKey Findings\r\nWho is badbullzvenom? Reading through the history of the threat actor’s posts on the Russian-language hacker\r\nforum, Exploit.in, TRU found multiple mentions of the badbullzvenom account being shared between two people.\r\nFrom the posts, we learn the following about badbullzvenom:\r\nThey claim to be from Moldova\r\nThey speak Romanian, French, and English\r\nThey claim to work with Russia-based Cobalt Gang (this is also evident in public analysis of Golden\r\nChickens campaign IOCs)\r\nWho is “Frapstar” and what is his connection to badbullzvenom?\r\nNumerous other data points in the report connect a second threat actor, who goes by “Frapstar” and the username\r\nbadbullzvenom. He self-identifies as “Chuck from Montreal” – an alias. 
In addition to speaking French and\r\nhaving a keen interest in buying stolen Canadian credit card accounts, he says he owns a BMW 5 Series\r\nautomobile, which provides TRU with further leads into the identity of “Chuck”.\r\nConclusion\r\nTRU has discovered “Chuck’s” real name, pictures of him, his home address, the names of his parents, siblings,\r\nand friends; his social media accounts, his hobbies, and that he owns a small business, which he runs out of his\r\nhome.\r\n“Chuck”, who uses multiple aliases for his underground forum, social media, and Jabber accounts, and the threat\r\nactor claiming to be from Moldova, have gone to great lengths to disguise themselves. They have also taken great\r\npains to obfuscate the Golden Chickens malware, trying to make it undetectable by most AV companies, and\r\nlimiting customers to using Golden Chickens for ONLY targeted attacks. Because of eSentire’s investigation,\r\nhttps://www.esentire.com/web-native-pages/unmasking-venom-spider\r\nPage 1 of 19\n\n“Chuck” has lost his anonymity. TRU also continues to track improvements in the Golden Chickens source code\r\nand discover new Golden Chickens attack campaigns, as recently as July, which tells us at least one threat actor is\r\nstill actively developing the product and selling it to other cybercriminals. We expect to see further targeted\r\nattacks, leveraging this malware, being launched against financial institutions and other organizations in the\r\nforeseeable future.\r\nIntroduction\r\neSentire is a leading global provider of Managed Detection and Response security services. For the past 16\r\nmonths, our security research team, the Threat Response Unit (TRU), has been tracking, analyzing, and defending\r\nour customers from one of the most capable and stealthy malware suites on the Cyber Underground – Golden\r\nChickens. 
Golden Chickens is the “cyber weapon of choice” for three of the top money making and longest-running Internet crime groups: Russia-based FIN6 and Cobalt Group and Belarus-based Evilnum. The three\r\ncybercrime operations are estimated to have collectively caused financial losses over USD $1.5 billion.\r\nSince 2018, the Golden Chickens suite has been distributed as a Malware-as-a-Service (MaaS). Between April\r\n2021 and April 2022, TRU discovered two significant hacking campaigns utilizing Golden Chickens. During the\r\nApril 2021 incidents, TRU found corporate employees on LinkedIn being targeted by threat actors using fake job\r\noffers. One year later, the April 2022 campaign uncovered by TRU demonstrated that the attack tactics were\r\nreversed, and corporate hiring managers were sent fake resumes of job applicants, laden with malware.\r\nTRU continues to track the Golden Chickens malware, and not only have we detected a new threat campaign that\r\nappears to be targeting e-Commerce organizations, we have also discovered the identity of the threat\r\nactor/operator behind Golden Chickens. He is referred to by CrowdStrike researchers as VENOM SPIDER, and\r\nhe has been connected to the threat actor “badbullzvenom”.\r\nTRU has tracked many of badbullzvenom’s Internet activities, going back as far as 2013. We have also discovered\r\nbadbullzvenom’s birthdate, home address, his parents’ and siblings’ names, friends’ names, his hobbies, his social\r\nmedia accounts, and one of his side businesses.\r\nIt is rare to uncover this level of detail about a threat operator, and it illustrates the breadth and expertise of TRU.\r\nThis intelligence, including many of the Underground Forum conversations badbullzvenom has had with other\r\nthreat actors, has been extremely valuable. It has helped us better decipher his Tactics, Techniques and Procedures\r\n(TTPs), as well as the origins of the Golden Chickens MaaS and its ongoing operations. 
With this knowledge, we\r\ncontinue to hone our defenses, protecting eSentire’s global customer base from well-orchestrated attacks utilizing\r\nthe Golden Chickens MaaS.\r\nIt is our objective with this report to share our research with other organizations and their security teams so that\r\nthey might better defend their critical data and applications from threat actors mounting attack campaigns using\r\nthe Golden Chickens malware suite. The balance of this report includes:\r\nA brief overview of the FIN6, Cobalt Group and Evilnum cybercrime organizations\r\nA detailed account of the investigation and subsequent identification of the Golden Chickens MaaS\r\noperator\r\nAn analysis of the Golden Chickens malware and the current attack campaign\r\nInsights and security recommendations from TRU\r\nGolden Chickens’ Connection to the Billion Dollar Hackers’ Club—FIN6, Cobalt Group and\r\nEvilnum\r\nFor those not familiar with FIN6, Cobalt Group and Evilnum, they are three of the longest-running\r\nand most successful financial crime gangs, and it is reported that cumulatively they have caused over USD $1.5 billion\r\nin losses.\r\nFIN6\r\nThis Russia-based financial cybercrime group is known as one of the most notorious hacking gangs in the world\r\nof cybercrime. They dominated news headlines in 2018 when they were cited as being the cyber gang who broke\r\ninto the online payment systems of British Airways, Ticketmaster UK and top electronic retailer, Newegg, stealing\r\ncredit and debit card data from millions of customers, as well as stealing Personally Identifiable Information (PII)\r\nfrom British Airways’ customers and staff. British Airways concluded that during their cyber heist, the hackers\r\nsiphoned off credit and debit card data (also referred to as card-skimming), and personal data from 425,000 of their\r\ncustomers and staff. 
As a result, British Airways was slapped with a £20 million (USD $26 million) fine from the\r\nInformation Commissioner’s Office (ICO), a UK government watchdog group. The ICO determined that British\r\nAirways did not take the right precautions in protecting the sensitive data of its customers. However, the ICO fine\r\nwas not the end of the damage caused by the FIN6 breach of British Airways. On July 5, 2021, British Airways\r\nsettled a legal claim made by a group of the airline’s customers and staff, whose data had been leaked during the\r\nbreach. The settlement was kept confidential, and the airline agreed to pay compensation for qualifying claimants\r\nbut did not admit liability, according to news sources.\r\nThe number of customers affected by the Ticketmaster UK breach, at the hands of FIN6, numbered in the\r\nmillions. In fact, security experts estimate that the 2018 attack impacted 9.4 million customers. The UK ICO\r\ndetermined that the breach led directly to widespread fraud. As such, they levied a fine of £1.25 million on the\r\nticket agency stating that the corporation “failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page” – and this violated the E.U.’s General Data Protection\r\nRegulation (GDPR).\r\nAnd while top online electronics retailer Newegg couldn’t specify just how many of their customers’ credit and\r\ndebit cards were stolen, security reports found that the threat actors were inside Newegg’s IT network for a month\r\nbefore being detected, giving the cyberattackers a full 30 days to skim the cards of many of Newegg’s customers. Newegg is\r\nestimated to receive over 50 million visitors a month, according to Similarweb, a firm which collects information\r\non site visits.\r\nSecurity firm FireEye conservatively estimates that between 2016 and 2019, FIN6 stole some 20\r\nmillion payment cards worth $400 million. 
The FIN6 gang first gained notoriety in 2014 for their attacks against\r\npoint-of-sale (POS) machines in retail outlets and hospitality companies, but as proven by their attacks against\r\nBritish Airways, Ticketmaster UK and Newegg in 2018, they wholeheartedly moved on to target online payment\r\nsystems of large e-Commerce companies.\r\nFIN6 attacks e-Commerce companies’ payment platforms with Golden Chickens in late 2018 \u0026 retail,\r\nentertainment and pharma companies’ payment portals attacked by Golden Chickens in early 2019.\r\nInterestingly, intelligence analysts with Visa reported that at the end of 2018, FIN6 was specifically targeting\r\nnumerous e-Commerce companies’ payment servers and using malicious documents to infect their targets with the\r\nmore_eggs component of the Golden Chickens malware, as the initial phase of their attack.\r\nThat activity mirrors another threat campaign that was reported separately in February 2019 by Proofpoint\r\nresearchers. In these incidents, threat actors were observed attacking retail, entertainment and pharmaceutical\r\ncompanies’ online payments systems and using malicious documents, laden with the more_eggs component of\r\nGolden Chickens, to target the companies’ employees. The threat actors sent fake job offers to the employees,\r\ncleverly using the job title listed on their LinkedIn profiles in their communications. Could FIN6 be behind this\r\nGolden Chickens attack campaign?\r\nLater in August 2019, the FIN6 operators launched another malicious campaign, and researchers believe FIN6 was\r\nactively going after multinational organizations. Like the February 2019 campaign, employees were spear phished\r\nwith fake job offers. 
According to researchers, the threat actors began by targeting handpicked employees using\r\nLinkedIn messaging and email.\r\nBetween the end of 2018 and April 2021, there have been three distinct Golden Chickens/more_eggs LinkedIn\r\ncampaigns using the same modus operandi (MO). Each campaign targeted corporate employees, utilized their\r\nLinkedIn profile, and then social engineered them with bogus job offers, which led to the more_eggs component\r\nof Golden Chickens.\r\nCobalt Group\r\nThe Cobalt Group is another Russia-based organized cybercrime gang; it has been plaguing financial institutions since at least 2016\r\nand is known to use the Golden Chickens malware suite. The Cobalt Group is reported to have caused the\r\nfinancial industry over a billion dollars in cumulative losses. Their crime spree includes the targeting of 100\r\nfinancial institutions in more than 40 countries worldwide, allowing the criminals to steal more than USD $11\r\nmillion per heist.\r\nThe Cobalt Group's typical MO was to infiltrate banking institutions by sending spear phishing emails with\r\nmalicious attachments to bank employees. The Cobalt Group repeatedly used Golden Chickens and its\r\nmore_eggs backdoor in their attacks. Once the backdoor was executed, the cybercriminals gained access to the infected\r\ncomputer and, from there, to the internal banking network. 
The Cobalt Group was said to have spent months\r\ninside the infected networks studying the bank’s operations and workflows, including the Society for Worldwide\r\nInterbank Financial Telecommunication (SWIFT) messaging system.\r\nThe Cobalt Group also gained notoriety for its “jackpotting” schemes where they would break into bank servers\r\nthat controlled the ATMs and manipulate the ATMs to remotely dispense cash at a certain time, in predetermined\r\nlocations, where money mules waited to collect the cash.\r\nEvilnum\r\nThe Evilnum group, believed to be out of Belarus, is best known for compromising financial technology\r\ncompanies and companies that provide stock trading platforms and tools. They target financial information about\r\nthe FINTECH companies and their customers, seeking out spreadsheets, customer lists, investments, trading\r\noperations and credentials for trading software platforms. The Evilnum group is also known to spear phish\r\nemployees of the companies they are targeting and enclose malicious zip files. If executed, the employees often\r\nget hit with the more_eggs backdoor, along with other malware.\r\nUnmasking badbullzvenom—The Threat Actor Behind Golden Chickens\r\nQuo Intelligence first connected VENOM SPIDER to the threat actor “badbullzvenom”. This attribution was made\r\npossible due to a dispute on the Exploit.in hacker forum. In the thread, private conversations are revealed between\r\na Golden Chickens MaaS customer, BlackAngus, and the MaaS provider, badbullzvenom. The dispute centered\r\naround a sample of the malware appearing in VirusTotal, causing the customer to be banned from the service.\r\nBecause the actual sample in VirusTotal was linked in the thread, researchers were able to confirm the connection\r\nto the Golden Chickens MaaS and identify badbullzvenom as the MaaS operator.\r\nFigure 1 - Exploit.in reply to dispute thread. 
badbullzvenom drops BlackAngus as a customer for\r\nbreaking his rules and shuts down his access.\r\nFrom the entire content of his posts on Exploit.in, we learn the following information about badbullzvenom:\r\nThey claim to be from Moldova\r\nThey speak Romanian, French, and English\r\nThey claim to work with Cobalt Gang (this is also evident in public analysis of Golden Chickens campaign\r\nIOCs)\r\nThe Connection between badbullzvenom and “Frapstar”\r\nDigging deeper into Open Source Intelligence (OSINT), TRU studied numerous security reports in order to\r\nconnect the various forum accounts engaged with the Golden Chickens MaaS, and we found one published by\r\nTrend Micro in 2015 titled: Attack of the Solo Cybercriminals – Frapstar in Canada, where the threat actor is\r\nidentified as a lone carder (a criminal who monetizes stolen credit cards) with accounts and multiple aliases\r\n(including badbullzvenom) on several hacker forums.\r\nFigure 2 - Trend Micro Report on Frapstar\r\nFrom this report, we learn more key information about the threat actor who goes by Frapstar:\r\nThey have a keen interest in obtaining stolen Canadian credit card accounts\r\nThey own a BMW 5 Series automobile, specifically the E39 540i\r\nThey use the following usernames on various forums:\r\nBadbullzvenom\r\nBadbullz\r\nFrapstar\r\nKsensei21\r\nE39_Frap* (i.e., E39_Frapstar)\r\nAre There Two Threat Actors Behind the Golden Chickens MaaS?\r\nIn the report from Trend, we see that user E39_Frap* self-identifies as “Chuck from Montreal”. However, this\r\nseems to be at odds with the information from the Exploit.in forum where the threat actor says he is from Moldova\r\nand can write in Romanian, as well as in English and French. He even participates in a thread on the Lampeduza\r\nforum titled “Romanian only”. 
However, in the earlier thread, we also see where badbullzvenom says he can write\r\nin French, which could show a possible connection to Montreal.\r\nIs the threat actor behind the badbullzvenom account from Montreal, Moldova or another Eastern European\r\ncountry where Romanian is spoken? This remained a mystery until we had the opportunity to read through many\r\nof the threat actor’s older forum posts. Here we found mentions on multiple occasions of the badbullzvenom\r\naccount being shared between two people. (See Figures 3 and 4).\r\nFigure 3 - Exploit.in post\r\nFigure 4 - Exploit.in post\r\nTRU believes that “Chuck” is just one threat actor that operates the badbullzvenom account at times, and is in fact\r\nlocated in Montreal, Canada. We also believe there is a second threat actor, possibly from Moldova or Romania,\r\nthat operates the badbullzvenom account alongside “Chuck.”\r\nTimeline of badbullzvenom’s Progression from Script Kiddie to MaaS Provider\r\nBadbullzvenom’s activity on Exploit.in, over the years, demonstrates a progression from a “script kiddie” to a\r\nMaaS provider:\r\nFigure 5: Progression from Script Kiddie to MaaS Provider\r\n2013 – badbullzvenom’s first recorded posts on the forum are often complaints about other users. He\r\ndemonstrates an interest in Canadian computer traffic and Canadian banks such as TD, CIBC, Scotiabank, and\r\nBMO.\r\n2014 – Throughout the majority of 2014, badbullzvenom posts only three times on Exploit.in.\r\n2015 – badbullzvenom returns from his hiatus and demonstrates more confidence and technical\r\nacumen. He points other members to appropriate tools of the hacking trade, participates in banter, shows an\r\ninterest in banking trojans for sale, and starts giving more positive reviews.\r\n2016 – After another hiatus, badbullzvenom returns once again, offering for sale his first cyber tool. 
He only nets\r\ntwo customers, and in this time he continues to show interest in banking trojans and cryptors, as well as a\r\ncontinued interest in financial data relating to Canada. He also makes aggressive and offensive comments,\r\nincluding one statement he makes before going on hiatus again, where he tells one member of Exploit.in to kill\r\nthemselves, and he offers to pay for the bullet.\r\n2017-2019 – badbullzvenom returns to the forum once more, offering the sale of “Word 1-day doc builder” –\r\nknown today as VenomKit. It is a malicious document builder that takes advantage of Microsoft Office exploits.\r\nHe accumulates customers quickly and continues to develop the builder, adding new exploits as they appear and\r\nupdating its features. For example, PowerShell is removed from the attack chain to reduce detection, .dll support\r\nis added for payloads, and a .js downloader (likely the more_eggs backdoor component of Golden Chickens) is\r\nadded and offered for sale. During this timeframe, Cobalt Group is reported to have used badbullzvenom’s builder to\r\ndeploy Cobalt Strike in attacks on banks in 2017, and again in 2018. In 2019, FIN6 is observed using more_eggs with\r\nemployment lures.\r\nPicking Up the Trail\r\nIn recent years, database leaks have exposed billions of users’ credentials, leading to hacking and privacy\r\nconcerns. However, one aspect of this activity works in favor of network defenders – the fact that numerous\r\nhacking forums have had their user databases leaked, offering an opportunity to make connections between online\r\npersonas of known threat actors and their real-world identities.\r\nReferencing the 2015 Trend Micro report, we confirmed the threat actor had accounts in three underground\r\nforums. 
These forums were later breached, and the user databases leaked, revealing email addresses used by the\r\nthreat actor in the past:\r\nCarder.pro\r\nfrapstar:newmoneystink@safe-mail.net\r\nOpensc.ws\r\nksensei:newmoneystink@safe-mail.net\r\nCarder.su\r\nfrapstar:frapstar@safe-mail.net\r\nOther database leaks revealed an account using the newmoneystink@safe-mail.net email address with the\r\npassword “Nay45uck+”. Pivoting on this piece of information leads us to an old Myspace account registered to\r\ndalion67@hotmail.com that used the same password. While it is possible there could be two users that\r\ncoincidentally chose the same rather unique password, searching Google leads us to the account “crazyteg67” on\r\nthe Montreal Racing forum using that email address to offer $1000 worth of gift cards for $700.\r\nFigure 6 - Montreal Racing post\r\nThis account seems to be shared by multiple people, as there are frequent posts offering items for sale with\r\ndifferent contact phone numbers and first names in the offer. One of the contact names is “Chuck”.\r\nFigure 7 - crazyteg67 selling an XBOX 360 as \"chuck\"\r\nThe crazyteg67 user also owns a BMW 540i according to his own posts:\r\nFigure 8 - crazyteg67 looking for a 540i clutch replacement\r\nThe Social Media Trail\r\nPivoting on the “dalion67” username, we find a Pinterest account for “Dee Inconegro”, with a few boards created\r\nunder it. 
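The leaked-database pivot described under Picking Up the Trail (join forum accounts on a shared email address, then on a reused password, including a password that one dump stored in clear and another only as an unsalted hash) is shown here as an added example; this is not eSentire/TRU tooling and none of the records are the real dumps cited in the report. The leak records, handles, mailboxes and passwords below are constructed for the demo, the COMMON_PASSWORDS set is a stand-in for a proper wordlist, and unsalted MD5/SHA-1 are assumed as the hash formats an old dump might use.

```python
"""Cluster leaked forum accounts that share an email address or a reused password.

Added example for the credential pivot described in the report; this is not
eSentire/TRU code. All records below are constructed: the handles, mailboxes
and passwords are invented and are not the leaked data cited in the report.
"""
import hashlib
from collections import defaultdict

# Stand-in for a real common-password wordlist (assumption: anything on this
# list is too widely used to count as evidence of a shared operator).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "abc123"}
_COMMON_HASHES = {hashlib.md5(p.encode()).hexdigest() for p in COMMON_PASSWORDS} | {
    hashlib.sha1(p.encode()).hexdigest() for p in COMMON_PASSWORDS
}

# Constructed sample records: (leak source, username, email, secret, secret kind).
# "plain" dumps stored the password in clear; "md5" dumps stored unsalted MD5 only.
LEAK_RECORDS = [
    ("forum-a", "frapstar", "stinky@example.net", "Kx9!vault-2014", "plain"),
    ("forum-b", "ksensei", "stinky@example.net", None, "none"),
    ("forum-c", "frapstar", "frap@example.net", "Kx9!vault-2014", "plain"),
    ("social-x", "dalion67", "dalion67@example.com",
     hashlib.md5(b"Kx9!vault-2014").hexdigest(), "md5"),
    # Two unrelated users who merely share a very common password.
    ("forum-a", "someguy", "someguy@example.org", "123456", "plain"),
    ("social-x", "otherguy", "other@example.org",
     hashlib.md5(b"123456").hexdigest(), "md5"),
]


def secret_keys(secret, kind):
    """Pivot keys for one leaked secret; empty set if it is not usable evidence.

    A plaintext password is also expanded to its unsalted MD5 and SHA-1 so it
    can match dumps that only stored a hash. Common passwords yield no key:
    two accounts using "123456" is coincidence, not a link.
    """
    if not secret or kind == "none":
        return set()
    if kind == "plain":
        if secret in COMMON_PASSWORDS:
            return set()
        raw = secret.encode()
        return {
            "pw:" + secret,
            "md5:" + hashlib.md5(raw).hexdigest(),
            "sha1:" + hashlib.sha1(raw).hexdigest(),
        }
    digest = secret.lower()
    if digest in _COMMON_HASHES:
        return set()
    return {kind + ":" + digest}


class DisjointSet:
    """Union-find over account labels and pivot keys."""

    def __init__(self):
        self._parent = {}

    def find(self, x):
        self._parent.setdefault(x, x)
        while self._parent[x] != x:
            self._parent[x] = self._parent[self._parent[x]]  # path halving
            x = self._parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self._parent[rb] = ra


def cluster_personas(records):
    """Group accounts transitively linked by a shared email or reused password.

    Returns a list of clusters; each has the account labels ("source/user"),
    the emails seen, and the pivot keys that actually joined two or more accounts.
    """
    ds = DisjointSet()
    attrs = {}
    for source, user, email, secret, kind in records:
        label = source + "/" + user
        keys = secret_keys(secret, kind)
        if email:
            keys.add("email:" + email.lower())
        attrs[label] = keys
        ds.find(label)  # register even if the record carries no usable key
        for key in keys:
            ds.union(label, key)

    groups = defaultdict(set)
    for label in attrs:
        groups[ds.find(label)].add(label)

    clusters = []
    for members in groups.values():
        seen = defaultdict(int)
        for member in members:
            for key in attrs[member]:
                seen[key] += 1
        clusters.append({
            "accounts": sorted(members),
            "emails": sorted(k[len("email:"):] for k in seen if k.startswith("email:")),
            "pivots": sorted(k for k, n in seen.items() if n > 1),
        })
    return sorted(clusters, key=lambda c: c["accounts"])


def cluster_of(clusters, label):
    """Return the cluster that contains the given account label, or None."""
    for cluster in clusters:
        if label in cluster["accounts"]:
            return cluster
    return None


if __name__ == "__main__":
    for cluster in cluster_personas(LEAK_RECORDS):
        print(cluster["accounts"], "linked by", cluster["pivots"])
```

On the constructed data the four "frapstar"/"ksensei"/"dalion67" accounts fall into one cluster (joined by the shared mailbox and by the reused password, which the social-network dump only holds as MD5), while the two accounts that merely share "123456" stay separate. The report's own caveat applies unchanged: a shared rare password is a lead, not proof, and the denylist is what keeps a weak password from manufacturing a link.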
One of those boards is dedicated to BMW M5 series photos, and another is dedicated to photos of\r\nEnglish Bull Terriers, and the name of the board is “Bad Bullz”.\r\nFigure 9 - Pinterest profile\r\nInterestingly, there is a Facebook account using the same fake name “Dee Inconegro”, with only a few posts.\r\nHowever, we can see references to this account in other users’ posts, one of which referred to the account by an\r\nolder name, “Keyser Sensei” (See Figure 11), which we found amusing as it appears to be a reference to the\r\nmysterious crime lord character—Keyser Söze in the movie, The Usual Suspects.\r\nAdditionally, this account is linked through multiple friends to another account with the name “Chuck Larock”,\r\nwhich appears to be an older account of the same actor, where he shared photos of his English Bull Terriers.\r\nHowever, this name is also an alias, not the real name of the threat actor.\r\nFigure 12 - Chuck Larock Facebook profile\r\nEven though the threat actor is careful to never use his real name when creating social media or forum accounts, a\r\ncomment from one of “Chuck Larock’s” Facebook friends gives us a clue.\r\nFigure 13 - Facebook comment\r\nIn the comment, a friend says “yo [name redacted] ca va”, which casually means “hey, how are you?” in\r\nFrench. This might easily be overlooked, because the name the friend calls out in the comment is not a common\r\nname and not meaningful by itself. However, in the context of Dee Inconegro’s Facebook page, we find another\r\nclue. 
From public records, we learn that Dee Inconegro’s listed employer, [company name redacted.ca], is actually\r\nowned by a man who goes by [name redacted], a Canadian citizen of Haitian descent.\r\nFigure 14 - Business registration for [company name redacted]\r\nIt appears that [company name redacted.ca] is a sole-proprietor business, operated from a residential address in\r\nMontreal. One former Google Street View photo shows an image of the location with two BMWs in the driveway\r\nand a person (possibly our threat actor) standing in front.\r\nFigure 15 - Google Street View image of [name redacted.ca] office\r\nThis name matches another email address posted by the account on the Montreal Racing forums, [name\r\nredacted]@sympatico.ca.\r\nFigure 16 – crazyteg67 asking for photo\r\nReferences to the number “67” in usernames used by the threat actor and his associates could suggest an affiliation\r\nwith the Montreal 67s, a Haitian street gang.\r\nFigure 17: Background information on the 67’s street gang.\r\nAbout the Golden Chickens Malware Suite—a Modular Malware\r\nGolden Chickens is a stealthy, highly functional, all-in-one suite of malware. It consists of various components\r\nthat threat actors can select for their objectives:\r\nMore_eggs – This is the Golden Chickens’ key component. More_eggs provides threat actors with a back door\r\nand a malware loader.\r\nVenomLNK – Initial access for more_eggs. 
VenomLNK is a .lnk file (Windows shortcut) sent to victims to\r\ninstigate User Execution.\r\nTerraLoader – The primary goal of VenomLNK is to instantiate TerraLoader, which can then load the individual\r\nobjective-based plugins.\r\nTerraRecon – Performs initial environmental analysis of the infected machine and provides threat actors with\r\nsome rudimentary information about the organization’s network.\r\nTerraStealer – Harvests credentials and emails from browsers, email clients, and transfer utilities.\r\nTerraTV – Allows threat actors to move laterally in the network by hijacking the organization’s running instance\r\nof TeamViewer.\r\nTerraPreter – Provides a meterpreter shell that allows threat actors to perform actions such as lateral movement,\r\ndiscovery, and credential theft manually.\r\nTerraCrypt – An encryption payload for ransomware extortion attacks.\r\nTRU Detects a New Golden Chickens Campaign \u0026 E-Commerce Companies Appear to Be the\r\nTargets\r\nSince the beginning of 2022, TRU has observed several incidents in which VenomLNK, a .lnk file (a Windows\r\nshortcut) sent to victims to instigate User Execution, was leveraged to target corporate hiring managers in the U.S.\r\nA single sample uploaded to VirusTotal in July 2022, from France, pointed to a new resume-themed download\r\nserver, suggesting ongoing cyberattacks utilizing Golden Chickens. The associated URL indicates the malware is\r\nbeing used to go after e-Commerce companies, which we know is a favorite target of FIN6, the financial crime\r\ngroup known for successfully compromising large e-Commerce companies including British Airways, Newegg,\r\nand Ticketmaster, among others.\r\nIn order to deliver VenomLNK to victims and ensure that they click on it, the Golden Chickens operators\r\nleverage employee recruitment processes. 
The threat actors engage targets through services such as LinkedIn,\r\nIndeed, and the careers section of the organization’s own website. In the past, operators started by engaging the\r\nvictim on LinkedIn, eventually following up with a job offer through email.\r\nIn the July campaign, VenomLNK is hosted on a personal branding web page (See Figures 18 and 19). The\r\noperators then send a link leading to a mock resume PDF through the organization’s recruitment platform (e.g.\r\nIndeed, LinkedIn, or the organization’s own career web page). The PDF purports to be broken, offering an\r\nembedded link (Figure 20) to the malicious VenomLNK file on the branding website, which the victim then\r\ndownloads and executes manually after completing a CAPTCHA.\r\nFigure 18: The landing page of the personal branding website hosting VenomLNK\r\nFigure 19: Personal branding website hosting VenomLNK\r\nFigure 20: The only content in the PDF is a fake error message with a link directing the victim to\r\ndownload VenomLNK\r\nUsing a CAPTCHA on a website makes it harder for security researchers and their tools, especially if those tools\r\nare automated, to retrieve the payload and analyze it for malware. Evasion tactics like this improve the odds for\r\nthreat actors trying to get a foothold in an e-Commerce company.\r\nA $200,000 Bounty Issued for badbullzvenom on July 18, 2022\r\nNot only has TRU detected what appears to be a new Golden Chickens attack campaign, but on July 18, 2022, a\r\nthreat actor going by “babay” went on to Exploit.in and accused badbullzvenom of stealing $1 million from him.\r\nConsequently, babay issued a $200,000 bounty for any information leading to badbullzvenom’s real identity. 
See\r\nFigure 21.\r\nFigure 21: A threat actor on Exploit.in accuses badbullzvenom of stealing $1 million from him and\r\noffers a $200,000 bounty for any information leading to badbullzvenom’s real identity\r\nThe translation of the complaint made on July 18, 2022, by babay about badbullzvenom on Exploit.in:\r\n“vodka@zloy.im a.k.a. badbullzvenom\r\nThe total cost of the complaint: $1,000,000.\r\nThe person scammed me, didn't complete his job, talks total nonsense, I can't contact him and he refuses to return\r\nthe money. The situation is private, I sent the logs to the admin.\r\nFor the information that can lead to his deanonymization I will pay $200,000 through the guarantor.”\r\nThe translation of Exploit.in’s Administrator/Moderator’s response to babay:\r\n“I have looked through the logs, the user is deleted from the forum.”\r\nThe Significance of Discovering the Identity of the Golden Chickens Operator\r\n1. The connection to The Billion Dollar Hackers: The Golden Chickens MaaS is a favorite cyber weapon\r\nof three of the longest-running and successful financial crime gangs on the Underground: Russia-based\r\nFIN6 and Cobalt Group, and Evilnum, a hacker group suspected to operate out of Belarus, a neighbor and\r\nally of Russia. In learning more about the threat actor behind Golden Chickens and understanding his\r\noperation, TRU can garner more intelligence about the TTPs of the FIN6, Cobalt Group and Evilnum\r\noperations. This knowledge is invaluable for eSentire and other cyber defenders, as they develop security\r\nprotections that will detect, respond and shut down attacks launched by these threat groups.\r\n2. 
Collaboration with Law Enforcement: In 2015, the Trend Micro report about Frapstar, aka\r\nbadbullzvenom, provided solid intelligence about this threat actor, giving law enforcement a real chance of\r\nidentifying and potentially arresting badbullzvenom when he was still a minor player on the cybercrime\r\nscene. Instead, he has had seven years to hone his skills, and from our findings, we see that he has\r\ncontinued to get better at developing malware and obfuscating it. Badbullzvenom is very stealthy, and he\r\ngoes to extremes to keep his malware fully undetectable (FUD) by anti-virus, trying to make sure that\r\nsamples of Golden Chickens are not uploaded to VirusTotal. Badbullzvenom also insists that his clients\r\nONLY use his malware in very “targeted” attacks to further ensure that he and his malicious software fly\r\nunder the radar.\r\nWe believe the case of the Golden Chickens operator is a stark example of what can happen if a threat\r\nactor, who is considered “low hanging fruit,” is ignored by law enforcement. All eSentire’s research has\r\nbeen transitioned to law enforcement for criminal investigations.\r\n3. 
Understanding Golden Chickens Malware: Discovering the identity and activities of the Golden\r\nChickens operator has enabled Stewart and Keplinger to answer several questions about the malware suite,\r\nsuch as:\r\nWhy do security researchers see so few hacker campaigns involving the Golden Chickens malware?\r\nHow long has badbullzvenom been conducting cyber fraud?\r\nWhat TTPs does badbullzvenom use to avoid detection?\r\nConclusion\r\nThere is compelling evidence that the threat actor detailed in this report is one of possibly two operators behind\r\nthe badbullzvenom account on Exploit.in.\r\nInterestingly, as of July 2022, all of badbullzvenom’s posts on Exploit.in have been purged from the forum.\r\nHowever, TRU continues to see improvements in the Golden Chickens source code and new Golden Chickens\r\nattack campaigns, like the one we detected in July. That tells us that the malware suite is still actively being\r\ndeveloped and is being sold to other threat actors. We expect to see further targeted attacks against financial\r\ninstitutions and organizations processing large amounts of credit and debit card data, leveraging this malware in\r\nthe foreseeable future. Thus, TRU is continuing to investigate the Golden Chickens operation and any other\r\nparties that may be involved.\r\nIt is TRU’s recommendation that organizations take the following steps to protect against the Golden Chickens\r\nmalware suite:\r\n1. Employ exhaustive endpoint monitoring for LOLBINs, aka Trusted Windows Binary abuse. LOLBINs of\r\ninterest include cmd.exe, wscript.exe, wmic.exe, cmstp.exe, msxsl.exe, powershell.exe, and\r\nie4uinit.exe. Ensure endpoint products have rules in place to detect suspicious usage of these Windows\r\nprocesses.\r\n2. 
Ensure employees are aware of common phishing tactics:\r\nBe suspicious of attachments from people you don’t know – additional care is required in cases\r\nwhere you must accept documents from the public (such as in the employee hiring process)\r\nInspect attachment file types by right-clicking the file and selecting Properties\r\nDocuments should never come as LNK, ISO, or VBS files\r\nOften, these malicious files will be enclosed in a .zip file to bypass email filters\r\n3. Have an easy process in place for reporting phishing and suspicious behavior\r\nLeadership is responsible for ensuring a positive and convenient path is in place for reporting\r\nsuspicious behavior\r\nDevelop a collaborative culture of cyber resiliency where employees are comfortable bringing\r\nforward questions, and even mistakes, when it comes to email behavior and downloads. Punishing\r\nemployees for falling for phishing scams will reduce the chances that they – and other employees –\r\nreport them in the future.\r\n4. Engage Managed Detection and Response services for 24/7 Security Monitoring, Threat Hunting and\r\nThreat Containment expertise. 
The speed with which you can detect and contain a threat actor before they\r\nachieve their objectives is imperative in preventing business disruption.\r\nIndicators of Compromise\r\nDomains\r\nVenomLNK SHA256\r\nSource: https://www.esentire.com/web-native-pages/unmasking-venom-spider",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.esentire.com/web-native-pages/unmasking-venom-spider"
	],
	"report_names": [
		"unmasking-venom-spider"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434578,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4f40d8baea1f9d41ce586acbe0100eacb36f83d.pdf",
		"text": "https://archive.orkl.eu/e4f40d8baea1f9d41ce586acbe0100eacb36f83d.txt",
		"img": "https://archive.orkl.eu/e4f40d8baea1f9d41ce586acbe0100eacb36f83d.jpg"
	}
}