{
	"id": "acf4eeda-8d82-4baa-86fb-850e5117d983",
	"created_at": "2026-04-06T00:12:51.836739Z",
	"updated_at": "2026-04-10T13:12:39.155457Z",
	"deleted_at": null,
	"sha1_hash": "f4692578839756b2d5e3b0738ab8d59eb24da6e5",
	"title": "Golden Chickens: Uncovering A Malware-as-a-Service (MaaS) Provider and Two New Threat Actors Using…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57468,
	"plain_text": "Golden Chickens: Uncovering A Malware-as-a-Service (MaaS)\r\nProvider and Two New Threat Actors Using…\r\nBy QuoScient GmbH\r\nPublished: 2020-06-26 · Archived: 2026-04-05 12:58:21 UTC\r\nNote: This article was initially written by the QuoINT Team as part of QuoScient GmbH. Since the foundation of\r\nQuoIntelligence in March 2020, this article was transferred to the QuoIntelligence website on 21 April 2020.\r\nExecutive Summary\r\nOver the last few years, QuoScient’s Intelligence Operations Team (QuoINT) has tracked activities attributed to\r\nthe Cobalt group, and observed their notable evolution and continuously improving Tactics, Techniques, and\r\nProcedures (TTPs).\r\nSince September 2018, we have identified multiple attacks that share similar TTPs used by Cobalt during a\r\nspecific timeframe but exhibit enough differences to attribute them to separate threat actors. This blog post\r\nprovides an overview of a specific Malware-as-a-Service (MaaS) used within the e-Crime threat actor landscape.\r\nIt also provides details on two different threat actors using the MaaS that fall under the umbrella of a family we\r\ndubbed Golden Chickens: GC01 and GC02. The success of GC operations heavily relies on a specific MaaS sold\r\nin underground forums, which provides customers with the malware and the infrastructure they need for targeted\r\nattacks. The service owner provides the MaaS through the use of the following toolkits: Venom and Taurus\r\nbuilding kits for crafting documents used to deliver the attack, and the more_eggs (aka Terra Loader,\r\nSpicyOmelette) backdoor for taking full control of the infected computer.\r\nBetween November 2017 and July 2018, we attributed to GC02 five spear phishing waves which indiscriminately\r\ntargeted companies and organizations in at least India and the United States. 
As a result of using the same MaaS\r\nprovider, GC02 and Cobalt group’s TTPs and infrastructure strongly overlapped in May 2018, making it hard at\r\nfirst glance to differentiate the two threat actors.\r\nBetween August and October 2018, we attributed to GC01 nine spear phishing waves targeting multiple\r\ncompanies and organizations operating in the financial industry. Throughout the campaign, we observed the\r\ninstallation of multiple Remote Access Tool (RAT) variations as the result of a successfully compromised victim\r\nmachine.\r\nBy highlighting the multi-layer infrastructure adopted by Cobalt and Golden Chickens, as well as the multi-client\r\nbusiness model of the MaaS behind it, we emphasize the difficulty of performing reliable attribution for\r\ncyberattacks, and the high uncertainty that analysts are confronted with during the process. To note, other\r\nresearchers reported the same Indicators of Compromise (IoC) and C2 infrastructure covered in this blog post. We\r\nhope that our attribution will clarify the current threat landscape and make the covered threat actor profiles more\r\naccurate.\r\nThe following blog post is a preview of the Intelligence Assessment we will disseminate to our clients, partners,\r\nand vetted requesters.\r\nSource: https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
	],
	"report_names": [
		"golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434371,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4692578839756b2d5e3b0738ab8d59eb24da6e5.pdf",
		"text": "https://archive.orkl.eu/f4692578839756b2d5e3b0738ab8d59eb24da6e5.txt",
		"img": "https://archive.orkl.eu/f4692578839756b2d5e3b0738ab8d59eb24da6e5.jpg"
	}
}