{
	"id": "e7b170fe-3b6b-46bf-84f3-695232492d8a",
	"created_at": "2026-04-06T00:21:25.566777Z",
	"updated_at": "2026-04-10T03:36:08.300336Z",
	"deleted_at": null,
	"sha1_hash": "fc324c9b6561b6cbcbdd6aad866ae944112af4d8",
	"title": "Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims - Arctic Wolf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1168930,
	"plain_text": "Venom Spider Uses Server-Side Polymorphism to Weave a Web\r\nAround Victims - Arctic Wolf\r\nBy Arctic Wolf Labs\r\nPublished: 2025-05-02 · Archived: 2026-04-05 16:54:38 UTC\r\nTakeaways \r\nArctic Wolf® observed a recent campaign by the financially motivated threat group Venom Spider\r\ntargeting hiring managers with spear-phishing emails.\r\nThe group abuses legitimate messaging services and job platforms to apply for real jobs using fake\r\nmalicious resumes that drop a backdoor called More_eggs.  \r\nThe backdoor can be used for a wide scope of malicious activities, from credential theft to stealing\r\nsensitive customer payment data, intellectual property or trade secrets.  \r\nOur research found several upgrades that the threat actor made to this malware to infect victims more\r\neffectively, and to evade automated analysis techniques like sandboxing.  \r\nOrganizations should train all employees to recognize the red flags of a phishing attack, particularly those\r\nworking in departments that must regularly open email attachments as part of their daily job duties, for\r\nexample, Human Resources.    \r\nSummary \r\nAs part of our ongoing tracking of the threat actor TA4557 (also known as Venom Spider), the Arctic Wolf® Labs\r\nteam discovered a new campaign targeting corporate human resources departments and recruiters. The threat\r\ngroup uses phishing techniques to drop an enhanced version of a potent backdoor called More_eggs onto victim\r\ndevices. \r\n The group has historically targeted industry sectors that use online payment portals or e-commerce sites to do\r\nbusiness, which in the past has included the retail, entertainment and pharmacy industries. This change is a tactical\r\nstep up in terms of targeting, as it puts almost every industry and organization in the group’s crosshairs due to the\r\none thing they all have in common: the need to hire new employees.  
\r\n In this report, we’ll provide a technical analysis of the campaign, indicators of compromise (IOCs), tips for\r\nremediation, and activity detection rules to counter this threat.  \r\nMITRE ATT\u0026CK® Highlights \r\nInitial Access  T1566.002 \r\nExecution  T1204.002, T1059.003, T1059.007 \r\nhttps://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/\r\nPage 1 of 17\n\nPersistence  T1547.001 \r\nDefense Evasion  T1497.003, T1027.010, T1027.013, T1027.014 \r\nCommand-and-Control  T1105, T1071.001, T1573.001 \r\nDiscovery  T1518.001, T1016.001 \r\nWeaponization and Technical Overview  \r\nWeapons  Obfuscated JavaScript files, Obfuscated .LNK files, PE x86 DLLs \r\nAttack Vector  Spear-phishing \r\nNetwork Infrastructure  DDNS \r\nBackground \r\nVenom Spider is a financially motivated threat group that has been targeting organizations seeking to fill job\r\nvacancies via legitimate third-party sites such as LinkedIn for the last couple of years. Since the advent of\r\nCOVID, the group has steadily refined their tactics, techniques and procedures (TTPs) to embrace the online\r\nhiring boom, targeting the one department in every company that has to open attachments from unknown senders\r\nas an everyday part of their job: Human Resources.  \r\nSince at least October 2023, the threat group has escalated this campaign to directly target recruiters and HR\r\nmanagers with weaponized phishing links purportedly from job seekers, which in fact lead to malicious websites\r\nhosting poisoned downloads disguised as fake resumes.  \r\nThe payload used in the infection chain of this recent activity is the group’s notorious More_eggs malware, a\r\nbackdoor capable of harvesting sensitive information and carrying out several additional tasks. We discovered and\r\nanalyzed a new campaign by Venom Spider aimed at spreading this backdoor. 
Our researchers found several\r\nupgrades that the threat actor made to this malware to infect victims more effectively, and to evade automated\r\nanalysis techniques like sandboxing. \r\nKey Findings  \r\nVenom Spider continues to use job seekers as a lure targeting HR departments and corporate recruiters in\r\nits phishing campaigns. \r\nThese phishing campaigns utilize the modular backdoor known as More_eggs, which generates malicious\r\npayloads crafted for execution exclusively on the individual systems under attack. \r\nServer polymorphism is used to deliver these payloads to the victim’s system. \r\nWe reveal new functionality that we refer to as the More_eggs_Dropper library. This generates malicious\r\nJavaScript code polymorphically, featuring several techniques to evade analysis. \r\nVictimology \r\nHistorically, the money-motivated Venom Spider has focused on U.S.-based e-commerce companies or those that\r\nuse online payment systems, including organizations in industries such as accounting, legal firms, workforce\r\nsolutions, insurance, energy providers, food suppliers and building suppliers.\r\nMore recently, the group has pivoted to target the HR departments of various companies using social engineering\r\ntechniques such as phishing, for the sake of credential theft and financial gain.  \r\nThe recruiters and hiring managers who work in HR departments are often considered to be the weak point in an\r\norganization by attackers, as the very nature of their job means that they must regularly open email attachments\r\n(e.g., resumes and cover letters) emailed to them from external and unknown sources, including job candidates\r\nand hiring agencies.   
\r\nAttack Vector \r\nThe first stage of execution in this Venom Spider campaign is a spear phishing email sent directly to the victim\r\ncorporate recruiter or hiring manager. The message contains a link purportedly for the manager to download the\r\njob seeker’s resume from an external site. If the manager clicks the link, they are taken to an actor-controlled\r\nwebsite from which the recruiter can download a (decoy) resume. On this site, the human user must check a\r\nCAPTCHA box, a precaution that helps the site bypass automatic scanners.  \r\nFigure 1: Malicious website offering a fake resume. \r\nIf the victim successfully passes the CAPTCHA test, a zip file is downloaded to their device which the recruiter is\r\nled to believe is the candidate’s resume. Instead, the zip file contains a malicious Windows shortcut (.lnk) file as\r\nwell as an image file. The .lnk file is the payload for the first stage of the attack chain, while the g.jpg image file is\r\njust a distraction.  \r\nThe threat actor’s infrastructure that issues the .lnk file supports server polymorphism. What that means is that a\r\nnew malicious .lnk file will be generated for each individual download, which changes the code obfuscation and\r\nfile size each time.  \r\nFigure 2: Contents of the zip file “Ryan Berardi.zip” (g.jpg and Ryan Berardy.lnk).\r\nThe .lnk file contains an obfuscated .bat script, which performs several actions when the .lnk file is opened. We\r\nmanaged to obtain several LNK files that had different file sizes (11500-11900 bytes) that were generated on the\r\nserver side. These malicious files all had the same functionality, but they had completely different code\r\nobfuscation. \r\nFigure 3: Obfuscated Windows Command Shell script in the downloaded LNK file. 
\r\nThe script creates a file at %temp%\\ieuinit.inf and writes obfuscated commands to it.  \r\nFigure 4: Contents of the ieuinit.inf file.  \r\nThe script executes the Windows batch file code below: \r\n@echo off\r\n start \"\" \"%ProgramFiles%\\Windows NT\\Accessories\\wordpad.exe\"\r\n echo [version] \u003e \"%temp%\\ieuinit.inf\"\r\n echo Signature=$CHICAGO$ \u003e\u003e \"%temp%\\ieuinit.inf\"\r\n echo [DefaultInstall] \u003e\u003e \"%temp%\\ieuinit.inf\"\r\n cacls \"%windir%\\system32\\ie4uinit.exe\" /Y /C /Q\r\nWhen this code is executed, the Microsoft WordPad application is automatically launched in a ploy to distract the\r\nuser, who is meant to believe the promised resume is being opened. The batch script will then covertly launch the\r\nlegitimate Windows utility %windir%\\system32\\ie4uinit.exe, which in turn executes the commands from the file\r\nieuinit.inf.\r\nAs configured, the contents of this .inf file will trigger execution of the commands written to the malicious\r\n%temp%\\ieuinit.inf file. \r\nThis is a living-off-the-land (LOTL) technique that has been around for a while. The essence of this technique is\r\nto use a legitimate application – in this case, ie4uinit.exe – to execute commands and run JavaScript code. Venom\r\nSpider has been using the technique of running JavaScript code with different variations for a long time. \r\nIn this instance, the ieuinit.inf file contains the URL of the next step in the attack chain,\r\nhxxp://doefstf[.]ryanberardi[.]com/ikskck. A large and heavily obfuscated JavaScript payload is embedded within\r\nthe HTML code hosted at this location.\r\nFigure 5: Obfuscated JavaScript code that contains encrypted data (ikskck). 
\r\nIntroducing the More_eggs_Dropper Library\r\nAfter running the previous stage received from the remote malicious server, the JavaScript code creates an\r\nexecutable library in the following location:\r\nC:\\Users\\%username%\\AppData\\Roaming\\Adobe\\d{5}.dll\r\nIn this article, we will refer to this library as More_eggs_Dropper.   \r\nSHA-256  F7A405795F11421F0996BE0D0A12DA743CC5AAF65F79E0B063BE6965C8FB8016  \r\nMD5  EC103191C61E4C5E55282F4FFB188156 \r\nFile Name  38754.dll (The file name will be randomly generated) \r\nFile Size  317440 bytes \r\nCompilation Stamp  Tue Apr 08 14:30:58 2025 \r\nFile Type  x86 PE DLL \r\nMore_eggs_Dropper is started on the system with the following command:\r\nregsvr32 /s /n /i:Ferc \"C:\\Users\\%username%\\AppData\\Roaming\\Adobe\\d{5}.dll\"\r\nThe More_eggs_Dropper executable library is complex, utilizing obfuscated code that generates JavaScript code\r\npolymorphically. Execution of the library is time-delayed to evade sandboxing and analysis by researchers. When\r\nit is executed, it creates several files at the following locations:\r\nC:\\Users\\%username%\\AppData\\Roaming\\Adobe\\d{9}.txt # JavaScript launcher\r\nC:\\Users\\%username%\\AppData\\Roaming\\Adobe\\hex{17}.txt # JavaScript Payload\r\nC:\\Users\\%username%\\AppData\\Roaming\\Adobe\\msxsl.exe\r\nMore_eggs_Dropper drops a copy of the legitimate Windows msxsl.exe executable to run XML files that may also contain\r\nJavaScript code. This technique is known to have been used by Venom Spider in previous campaigns.  \r\nThe second file that More_eggs_Dropper creates is a small JavaScript launcher that starts the main\r\npayload located within the JavaScript Payload file. After running these scripts, More_eggs_Dropper is quietly\r\nremoved from the system.\r\nFigure 6: Deobfuscated code of JavaScript launcher.  
\r\nThe JavaScript payload is the main malicious code in this attack chain.  \r\nThe code of this JavaScript is very similar to the loader that is also used by Venom Spider called TerraLoader. The\r\nthreat actor improved this loader and added more string obfuscation and code encryption.   \r\nMore_eggs_Dropper cleverly generates a new JavaScript payload each time it runs. The JavaScript executed on\r\nvictim devices is highly obfuscated, and contains two blocks of encrypted data. This data contains the JavaScript\r\ncode used in the next layer.   \r\nDecryption of the first JavaScript layer is performed by a hard-coded key (10-20 bytes in size) combined with an\r\nadditional three bytes, which are obtained by the script through brute force. The threat actor applies this technique\r\nfor the purpose of evading analysis, which is feasible for the threat actor considering that the last three bytes of the\r\nkey typically take several minutes to be found through brute force. The code used for encryption is a variation of\r\nRC4. \r\nPayload Decryption\r\nHere is an example of a decryption key for the first encrypted payload:\r\nWJxQNWvJVK866\r\nAs previously noted, the last three bytes in this string are obtained through brute force on infected devices. \r\nDuring JavaScript generation, More_eggs_Dropper obtains the computer name and\r\n%PROCESSOR_IDENTIFIER%. It then appends this data to an already known key and uses the result as the decryption key for\r\nthe second layer payload. For example: \r\nWJxQNWvJVK866Name-PCIntel64 Family 6 Model 142 Stepping 10, GenuineIntel\r\nThe technique used to generate this decryption key complicates analysis of this attack, preventing automatic\r\ndecryption of the payload when executed in a sandbox environment. 
In practice, it is impossible to obtain the final\r\nstage of More_eggs without having encryption keys that are specifically generated for the devices being targeted.\r\nFigure 7: Venom Spider’s JavaScript dropper payload. \r\nDuring our analysis, we were able to obtain a final payload of More_eggs, which contained new command-and-control (C2) commands to interact with the malicious server. We were also able to identify the C2 configuration\r\nused in this campaign: \r\nhxxps://tool[.]municipiodechepo[.]org/id/243149\r\nAfter launching the More_eggs payload, the backdoor collects information about the victim’s system and sends it\r\nto a remote server for further processing by the threat actor.   \r\nOS Installation\r\nDate Hash\r\nConverted to hex ASCII \r\nAntivirus (AV)\r\nList\r\nAV details are encoded as letters (i.e., a, b, c, etc.). The names of running processes in\r\nthe system are converted to crc32 hashes, and they are compared to 53 hashes. Most of\r\nthese hashes have been retrieved.\r\nSee Appendix for further details. \r\nUsername 0 if invalid.  \r\nhttps://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/\r\nPage 8 of 17\n\nComputer Name 0 if invalid.  \r\nOS Version e.g., 10.0. \r\nProduct Type 1 for WinNT, 3 for others.\r\nOS Build Retrieved as Build (e.g., 19045).  \r\nArchitecture 1 for 64-bit, 0 for 32-bit.  \r\nLocal IP  Local IP address is collected. \r\nBot Version  “BV = 6.7a” Hardcoded in JavaScript.  \r\nNext, the backdoor waits for a response from the server, establishing a connection every three minutes. \r\n The following C2 commands are supported by the backdoor:  \r\nC2\r\ncommand \r\nDescription \r\nd\u0026exec \r\nDownloads and runs the PE file that is downloaded via a URL provided from a remote\r\nserver. \r\ngtfo  Removes all traces of infection including files and registry entries. \r\nmore_onion  Runs the fCore.txt file through msxsl.exe. 
The fCore.txt file contains additional JavaScript.  \r\nvia_c  The C2 command runs cmd.exe with the command received from the remote server. \r\nmore_time  Records the result of commands executed in cmd.exe, encodes them, and then sends them\r\nback to the threat actor’s remote server. \r\nBased on the C2 commands contained in the backdoor, we assess that threat actors using this backdoor have the\r\nability to run additional JavaScript code or executable files on the victim’s system.  \r\nFigure 8: The configuration of the More_eggs bot specified at the beginning of the file. \r\nNetwork Infrastructure \r\nThe network infrastructure utilized by Venom Spider has become disparate and well obfuscated in recent years. In\r\nprevious More_eggs campaigns, the infrastructure could be tracked to some degree by whois information and\r\nhosting providers.  \r\nThis current campaign is utilizing cloud hosted infrastructure and anonymous domain registration. The threat\r\ngroup has taken the time to use multi-level URLs for C2 communication to avoid scanners like Censys and\r\nShodan. The actors, while using domains that were previously registered, also utilize only subdomains to further\r\nimpede automated tracking efforts. \r\nIn the current campaign infrastructure, both municipiodechepo[.]org and ryanberardi[.]com have current registrant\r\norganizations of “Domains By Proxy, LLC.” Both domains are hosted on Amazon. While the phishing subdomain\r\nis still hosted on the Amazon cloud, the malicious C2 subdomain is hosted on a separate service through\r\nGoDaddy, at the IP address 208[.]109.231[.]95. 
\r\nDomain  Description \r\ndoefstf[.]ryanberardi[.]com  Phishing/Delivery \r\ndtde[.]ryanberardi[.]com  Phishing/Delivery \r\ntool[.]municipiodechepo[.]org  C2\r\nAttack Flow \r\nFigure 9: Venom Spider attack flow.\r\nRemediation \r\nDue to Venom Spider’s use of social engineering, including the targeting of corporate HR and other hiring staff\r\nwith realistic-looking job application phishing emails and actor-controlled “resume” websites, organizations that\r\nmake use of third-party job posting websites (including sites like LinkedIn, Indeed.com and similar) should\r\nregularly train employees on identifying and countering spear phishing attacks.  \r\nEmployees who work in vulnerable departments such as HR and Recruitment should receive additional training\r\nthat teaches them to always be extra-wary of attachments that are LNK, ISO, or VBS files. These file-types are\r\noften sent as zip files to bypass email filters. Employees should be taught to routinely inspect attachment files by\r\nright clicking the file and selecting “Properties” (on Windows) or “Get Info” (on Mac) before opening them. \r\nIn addition, organizations can protect themselves by exercising the following measures:  \r\nConsider the use of Secure Email Gateway solutions to help proactively filter out malicious emails. \r\nImplement an Endpoint Detection and Response (EDR) solution such as Arctic Wolf® Aurora™ Endpoint\r\nSecurity. \r\nEnsure all employees throughout the company are aware of good security hygiene practices, including\r\nawareness of social engineering. \r\nAdd or enable a phishing report button in your organization’s email solution, to empower employees to\r\nimmediately report suspected phishing emails to your SOC or IT security team. \r\nConsider conducting regular internal phishing tests to reinforce security training. 
\r\nBlock identified command-and-control infrastructure used in this campaign.  \r\nDeploy detection rules for More_eggs components.  \r\nCarefully review logs for indicators of compromise.\r\nHow Arctic Wolf Protects its Customers \r\nArctic Wolf is committed to ending cyber risk with its customers, and when active campaigns are identified we\r\nmove quickly to protect our customers.  \r\nArctic Wolf Labs has leveraged threat intelligence around Venom Spider activity to implement new detections in\r\nthe Arctic Wolf® Aurora™ Platform to protect customers. As we discover new information, we will enhance our\r\ndetections to account for additional IOCs and techniques leveraged by this threat actor. \r\nConclusion  \r\nOur recent findings suggest that Venom Spider is using the More_eggs backdoor campaign to target Human\r\nResources departments and is highly focused on the long-term survivability of its campaigns.   \r\nThe threat actor has demonstrated a continued investment in the development and maintenance of its backdoor\r\ninfrastructure over time. This is evidenced by the use of sophisticated code obfuscation and code encryption,\r\nwhich improve its stealth and evasiveness against defenders. 
\r\nAppendix \r\nIndicators of Compromise (IOCs) \r\nWeapon: More_eggs_Dropper \r\nMD5: ec103191c61e4c5e55282f4ffb188156 \r\nSHA-256: f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016 \r\nWeapon: 2nd stage of infection (filename: ikskck.htm) \r\nMD5: c16aa3276e4bcbbe212d5182de12c2b7 \r\nSHA-256: bd49b2db669f920d96008047a81e847ba5c2fd12f55cfcc0bb2b11f475cdf76f \r\nWeapon: More_eggs_JS_BackDoor \r\nMD5: ebb5fb96bf2d8da2d9f0f6577766b9f1 \r\nSHA-256: 2fef6c59fbf16504db9790fcc6759938e2886148fc8acab84dbd4f1292875c6c \r\nWeapon: More_eggs_JS_BackDoor \r\nMD5: 2da2f53ffd9969aa8004d0e1060d2ed1 \r\nSHA-256: 0af266246c905431e9982deab4ad38aaa63d33a725ff7f7675eb23dd75ca4d83 \r\nWeapon: More_Eggs_JS_BackDoor \r\nMD5: 17158538b95777541d90754744f41f58 \r\nSHA-256: f873352564a6bd6bd162f07eb9f7a137671054f7ef6e71d89a1398fb237c7a7b \r\nWeapon: More_Eggs_JS_BackDoor \r\nMD5: 46f142198eeeadc30c0b4ddfbf0b3ffd \r\nSHA-256: 184788267738dfa09c82462821b1363dbec1191d843da5b7392ee3add19b06fb \r\nWeapon: More_Eggs_JS_BackDoor \r\nMD5: b1e8602e283bbbdf52df642dd460a2a2 \r\nSHA-256: ccb05ca9250093479a6a23c0c4d2c587c843974f229929cd3a8acd109424700d \r\nFile Path: \r\nC:\\Users\\%username%\\AppData\\Roaming\\Adobe\\d{9}.txt \r\nC:\\Users\\%username%\\AppData\\Roaming\\Adobe\\hex{17}.txt \r\nC:\\Users\\%username%\\AppData\\Roaming\\Adobe\\msxsl.exe \r\nC:\\Users\\%username%\\AppData\\Roaming\\Adobe\\d{5}.dll \r\nC:\\Users\\%username%\\AppData\\Roaming\\Adobe\\fCore.txt \r\nNetwork Indicators: \r\nhxxp://doefstf[.]ryanberardi[.]com/ikskck \r\nhxxp://doefstf[.]ryanberardi[.]com \r\nhxxps://tool[.]municipiodechepo[.]org/id/243149 \r\nhxxp://dtde[.]ryanberardi[.]com \r\nhxxp://dtde[.]ryanberardi[.]com/ikskck 
\r\nhxxps://beta[.]w3[.]org[.]kz/release/info  \r\nhxxps://host[.]moresecurity[.]kz/host/info  \r\nhxxps://developer[.]master[.]org[.]kz/api/v1  \r\nhxxps://ssl[.]gstatic[.]kz/ui/v2  \r\nhxxps://report[.]monicabellucci[.]kz/295693495/info  \r\nhxxps://cast[.]voxcdn[.]kz/yui/yui-min[.]js  \r\nhxxps://blog[.]jasonlees[.]com/latestnews/info  \r\nhxxps://contactlistsagregator[.]com/j2378745678674623/ajax[.]php  \r\nhxxps://onlinemail[.]kz/version44/info  \r\nhxxps://stats[.]wp[.]org[.]kz/license[.]txt  \r\nhxxps://api[.]incapdns[.]kz/v1  \r\nList of Targeted Antivirus Processes\r\nThis section contains a list of processes the More_eggs backdoor looks for on victim devices. CRC32 hashes are\r\ngiven in decimal format, just as they are found in the backdoor. All processes are components of various antivirus\r\napplications. \r\nThe list below shows the names of the processes we were able to decipher from the backdoor.  
\r\nProcess Name  CRC32 \r\nvastsvc.exe   184741780  \r\nmsmpeng.exe   4167611121 \r\nns.exe   3917603449 \r\nccsvchst.exe   3237881663 \r\nmcshield.exe   800732934  \r\npccntmon.exe   4056687588  \r\nmbamservice.exe   2432672291 \r\nsavservice.exe   2928704260  \r\navguard.exe   242152363  \r\ncmdagent.exe   3314468719  \r\npsanhost.exe   3103805340  \r\nfshoster32.exe   2447720335  \r\na2service.exe   3576979024  \r\nsbamsvc.exe   3540381638 \r\nnis.exe   61053860  \r\nnst.exe   332293705 \r\nbdss.exe   1864254150 \r\nekrn.exe   3233790880  \r\nnsbu.exe   3707949399 \r\nwrsa.exe   1164644511 \r\navp.exe   1087054291 \r\nvsserv.exe   3457522114 \r\ntmntsrv.exe   2229870333  \r\nclamtray.exe   1570161171  \r\ndwengine.exe   1460978182  \r\navgrsx.exe   1863628361 \r\ngzserv.exe   2866464079  \r\nifgbxm.exe   1964687411  \r\nmctray.exe   305523985 \r\nDetections\r\nYara Rules \r\nrule More_eggs_Dropper {\r\nmeta:\r\n description = \"Rule to detect More_eggs_Dropper\"\r\n last_modified = \"2025-04-24\"\r\n author = \"The Arctic Wolf Labs team\"\r\n version = \"1.0\"\r\n sha256 = \"f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016\"\r\nstrings:\r\n $a1 = \"Authorities32\" ascii wide\r\n $a2 = \"Guards128\" ascii wide\r\n $a3 = \"Implications256\" ascii wide\r\n $a4 = \"Monster32\" ascii wide\r\n $a5 = \"Sphere256\" ascii wide\r\ncondition:\r\n uint16(0) == 0x5A4D and filesize \u003c 1MB and all of ($a*)\r\n}\r\nrule More_eggs_JS_BackDoor {\r\nmeta:\r\n description = \"Rule to detect More_eggs_JavaScript\"\r\n last_modified = \"2025-04-24\"\r\n author = \"The Arctic Wolf Labs team\"\r\n version = \"1.0\"\r\nstrings:\r\n $a1 = \"var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each);\" ascii wide\r\n $a2 = \"function hit_Gate(URL, POSTdata, gResponse, method)\" ascii wide\r\n $a3 = \"function dExec(zURL, myKey, xPE, xEntryP)\" ascii wide\r\n $a4 = \"var xCrypted = zzzz4(Rkey + keynow, not_unique) + keynow;\" ascii wide\r\n $a5 = \"tmp = 3988292384 ^ tmp \u003e\u003e\u003e 1;\"\r\n $a6 = \"cNow !== 3377271179 \u0026\u0026 cNow !== 3106260013 \u0026\u0026\"\r\ncondition:\r\n filesize \u003c 1MB and 2 of ($a*)\r\n}\r\nDetailed MITRE ATT\u0026CK® MAPPING  \r\nTactic  Technique  Sub-Technique Name / Context  \r\nInitial Access  T1566.002  Spear-phishing Link: The user receives a spear-phishing link as an attack\r\nvector.\r\nExecution  T1204.002  User Execution – Malicious File: To run the malicious code, the user runs a\r\n.lnk file. \r\nExecution  T1059.003  Windows Command Shell: After running the .lnk file, it launches\r\ncmd.exe with run commands. \r\nExecution  T1059.007  JavaScript: A threat actor runs a JavaScript execution chain.  \r\nPersistence  T1547.001  Registry Run Keys / Startup Folder: By modifying the registry, the threat\r\nactor achieves a permanent presence on the system. \r\nDefense Evasion  T1497.003  Time Based Evasion: JavaScript launcher and More_eggs_Dropper use\r\nevasion based on meaningless code execution to maximize runtime. \r\nDefense Evasion  T1027.010  Command Obfuscation: All malicious JavaScript files use command\r\nobfuscation.\r\nDefense Evasion  T1027.013  Encrypted/Encoded File: More_eggs_Dropper encrypts part of the code\r\nduring payload generation using one of the RC4 encryption types. JavaScript\r\nlauncher uses one of the RC4 encryption types to decrypt JavaScript code at\r\nruntime. \r\nDefense Evasion  T1027.014  Polymorphic Code: More_eggs_Dropper generates polymorphic JavaScript\r\nlauncher code. Each time it is generated, the code will always be different in\r\nsize and is modified. 
In addition to this, each time the first stage of the .lnk\r\nfile is loaded, the code will also be modified on a case-by-case basis. \r\nhttps://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/\r\nPage 16 of 17\n\nCommand-and-Control \r\nT1105 \r\nIngress Tool Transfer: The threat actor transfers additional tools to the\r\ncompromised system, such as JavaScript and executable files.  \r\nCommand-and-Control \r\nT1071.001 \r\nWeb Protocols: The threat actor uses Web Protocols to communicate with\r\nthe victim system. \r\nCommand-and-Control \r\nT1573.001 \r\nSymmetric Cryptography: The More_eggs Backdoor uses the RC4\r\nsymmetric encryption algorithm to encrypt data before sending it. The\r\nencryption key is hardcoded in the code.  \r\nDiscovery  T1518.001 \r\nSecurity Software Discovery: More_eggs looks for security program\r\nprocesses on the victim’s system, and sends that information to the threat\r\nagent’s server. \r\nDiscovery  T1016.001 \r\nInternet Connection Discovery: More_eggs periodically connects to a\r\nneutral website to determine whether the compromised system is connected\r\nto the internet or not. 
\r\nAbout Arctic Wolf Labs\r\nArctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who\r\nexplore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and\r\nrefine advanced threat detection models with artificial intelligence and machine learning, and drive continuous\r\nimprovement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.\r\nArctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security\r\ncommunity at large.\r\nSource: https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/"
	],
	"report_names": [
		"venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434885,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc324c9b6561b6cbcbdd6aad866ae944112af4d8.pdf",
		"text": "https://archive.orkl.eu/fc324c9b6561b6cbcbdd6aad866ae944112af4d8.txt",
		"img": "https://archive.orkl.eu/fc324c9b6561b6cbcbdd6aad866ae944112af4d8.jpg"
	}
}