Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims - Arctic Wolf
By Arctic Wolf Labs
Published: 2025-05-02 · Archived: 2026-04-05 16:54:38 UTC

Takeaways

Arctic Wolf® observed a recent campaign by the financially motivated threat group Venom Spider targeting hiring managers with spear-phishing emails. The group abuses legitimate messaging services and job platforms to apply for real jobs using fake, malicious resumes that drop a backdoor called More_eggs.

The backdoor can be used for a wide range of malicious activities, from credential theft to the theft of sensitive customer payment data, intellectual property, or trade secrets.

Our research found several upgrades the threat actor has made to this malware to infect victims more effectively and to evade automated analysis techniques such as sandboxing.

Organizations should train all employees to recognize the red flags of a phishing attack, particularly those in departments that must regularly open email attachments as part of their daily duties, for example Human Resources.

Summary

As part of our ongoing tracking of the threat actor TA4557 (also known as Venom Spider), the Arctic Wolf® Labs team discovered a new campaign targeting corporate human resources departments and recruiters. The threat group uses phishing techniques to drop an enhanced version of a potent backdoor called More_eggs onto victim devices.

The group has historically targeted industry sectors that use online payment portals or e-commerce sites to do business, which in the past has included the retail, entertainment, and pharmacy industries. This change is a tactical step up in terms of targeting, as it puts almost every industry and organization in the group's crosshairs due to the one thing they all have in common: the need to hire new employees.
In this report, we provide a technical analysis of the campaign, indicators of compromise (IOCs), tips for remediation, and activity detection rules to counter this threat.

MITRE ATT&CK® Highlights

Initial Access: T1566.002
Execution: T1204.002, T1059.003, T1059.007
Persistence: T1547.001
Defense Evasion: T1497.003, T1027.010, T1027.013, T1027.014
Command-and-Control: T1105, T1071.001, T1573.001
Discovery: T1518.001, T1016.001

https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/ Page 1 of 17

Weaponization and Technical Overview

Weapons: Obfuscated JavaScript files, obfuscated .LNK files, PE x86 DLLs
Attack Vector: Spear-phishing
Network Infrastructure: DDNS

Background

Venom Spider is a financially motivated threat group that has, for the last couple of years, been targeting organizations seeking to fill job vacancies via legitimate third-party sites such as LinkedIn. Since the COVID-19 pandemic, the group has steadily refined its tactics, techniques, and procedures (TTPs) to exploit the online hiring boom, targeting the one department in every company that has to open attachments from unknown senders as an everyday part of its job: Human Resources.

Since at least October 2023, the threat group has escalated this campaign to directly target recruiters and HR managers with weaponized phishing links purportedly from job seekers, which in fact lead to malicious websites hosting poisoned downloads disguised as resumes.

The payload used in the infection chain of this recent activity is the group's notorious More_eggs malware, a backdoor capable of harvesting sensitive information and carrying out several additional tasks. We discovered and analyzed a new campaign by Venom Spider aimed at spreading this backdoor, and found several upgrades the threat actor has made to infect victims more effectively and to evade automated analysis techniques such as sandboxing.
Key Findings

- Venom Spider continues to use job seekers as a lure, targeting HR departments and corporate recruiters in its phishing campaigns.
- These campaigns use the modular backdoor known as More_eggs, whose malicious payloads are crafted for execution exclusively on the individual systems under attack.
- Server-side polymorphism is used to deliver these payloads to the victim's system: every download yields a differently obfuscated file.
- We reveal new functionality that we refer to as the More_eggs_Dropper library. It generates malicious JavaScript code polymorphically and incorporates several techniques to evade analysis.

Victimology

Historically, the money-motivated Venom Spider has focused on U.S.-based e-commerce companies or companies that use online payment systems, including organizations in industries such as accounting, legal firms, workforce solutions, insurance, energy providers, food suppliers, and building suppliers. More recently, the group has pivoted to target the HR departments of a wide range of companies using social engineering techniques such as phishing, for the sake of credential theft and financial gain.

Attackers often regard the recruiters and hiring managers who work in HR departments as the weak point in an organization, because the very nature of their job means they must regularly open email attachments (e.g., resumes and cover letters) sent to them from external and unknown sources, including job candidates and hiring agencies.

Attack Vector

The first stage of execution in this Venom Spider campaign is a spear-phishing email sent directly to the targeted corporate recruiter or hiring manager. The message contains a link, purportedly for the manager to download the job seeker's resume from an external site. If the manager clicks the link, they are taken to an actor-controlled website from which they can download a (decoy) resume.
On this site, the human user must check a CAPTCHA box, a gate that keeps automated scanners from reaching the download.

Figure 1: Malicious website offering a fake resume.

If the victim passes the CAPTCHA test, a zip file is downloaded to their device, which the recruiter is led to believe is the candidate's resume. Instead, the zip file contains a malicious Windows shortcut (.lnk) file together with an image file. The .lnk file is the payload for the first stage of the attack chain, while the g.jpg image file is just a distraction.

The threat actor's infrastructure that serves the .lnk file supports server-side polymorphism: a new malicious .lnk file is generated for each individual download, so the code obfuscation and the file size change every time. Consequently, file hashes of individual samples are of little use as indicators; detection has to key on the shortcut's behaviour and content rather than its hash.

Figure 2: Contents of the zip file "Ryan Berardi.zip" (g.jpg and Ryan Berardy.lnk).

The .lnk file contains an obfuscated batch script that performs several actions when the shortcut is opened. We obtained several LNK files generated on the server side, with file sizes ranging from 11,500 to 11,900 bytes. All had the same functionality but completely different code obfuscation.

Figure 3: Obfuscated Windows Command Shell script in the downloaded LNK file.

The script creates the file %temp%\ieuinit.inf and writes obfuscated commands to it.

Figure 4: Contents of the ieuinit.inf file.
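Because every download produces a differently obfuscated shortcut, matching across samples by hash fails; what stays constant is where the shortcut keeps its script, the COMMAND_LINE_ARGUMENTS field of the Shell Link StringData. The following Python is an added example, not code from Arctic Wolf or from the campaign: it walks the ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo blocks, and pulls out the StringData fields so each variant can be triaged without executing it. The sample shortcut it builds and the LOLBin keyword list are constructed for the example; real samples additionally carry ExtraData blocks after the strings, which this parser does not need to read.

```python
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK); only the ones this parser needs.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)
# Names of legitimate binaries the report shows being abused; any of them inside a "resume"
# shortcut's arguments is a triage signal (list constructed for this example).
LOLBIN_HINTS = ("cmd", "ie4uinit", "ieuinit.inf", "regsvr32", "msxsl", "wscript", "cscript", "powershell")


def _read_string(data, pos, unicode):
    """One StringData item: u16 CountCharacters, then that many characters, no terminator."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        end = pos + 2 * count
        return data[pos:end].decode("utf-16-le"), end
    end = pos + count
    return data[pos:end].decode("cp1252", errors="replace"), end


def extract_lnk_strings(data):
    """Return the StringData fields of a .lnk (name, relative path, working dir, arguments, icon)."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip LinkTargetIDList: u16 IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # skip LinkInfo: u32 LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:                # StringData items appear in this fixed order
        if flags & bit:
            fields[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    return fields


def triage_lnk(data):
    """Size plus the LOLBin names found in the arguments, the part that differs per download."""
    fields = extract_lnk_strings(data)
    args = fields.get("arguments", "").lower()
    return {"size": len(data), "hints": [h for h in LOLBIN_HINTS if h in args], **fields}


def build_lnk(relative_path, working_dir, arguments):
    """Constructed minimal Shell Link (header + StringData) so the example runs without a real sample."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))    # timestamps, size, icon index etc. zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


# Constructed stand-in for a downloaded "resume" shortcut: the argument string carries the batch logic.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe", "%TEMP%",
    r'/c echo [version]>"%temp%\ieuinit.inf" & "%windir%\system32\ie4uinit.exe"',
)
```

Run triage_lnk over every variant collected from the delivery site: the size and obfuscation differ, but the hints list (the LOLBin names the arguments invoke) and the working directory are what the variants share and what a detection should be built on.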
The script executes the following Windows batch commands:

    @echo off
    start "" "%ProgramFiles%\Windows NT\Accessories\wordpad.exe"
    echo [version] > "%temp%\ieuinit.inf"
    echo Signature=$CHICAGO$ >> "%temp%\ieuinit.inf"
    echo [DefaultInstall] >> "%temp%\ieuinit.inf"
    cacls "%windir%\system32\ie4uinit.exe" /Y /C /Q

(The listing above is abridged: it shows the decoy launch and the creation of the .inf file, but not the remaining [DefaultInstall] entries or the line that invokes ie4uinit.exe.)

When this code runs, Microsoft WordPad is launched as a decoy so that the user believes the promised resume is being opened. The batch script then covertly launches the legitimate Windows utility %windir%\system32\ie4uinit.exe, which processes the ieuinit.inf file and executes the commands it contains. Because the script has written its own ieuinit.inf to %temp%, the commands that run are the attacker's.

This is a living-off-the-land (LOTL) technique that has been around for a while: a legitimate, Microsoft-shipped application (here, ie4uinit.exe) is used to execute commands and run JavaScript code. Venom Spider has used variations of this JavaScript execution technique for a long time.

In this instance, the ieuinit.inf file contains the URL of the next step in the attack chain, hxxp://doefstf[.]ryanberardi[.]com/ikskck. A large and heavily obfuscated JavaScript payload is embedded in the HTML hosted at this location.

Figure 5: Obfuscated JavaScript code that contains encrypted data (ikskck).

Introducing the More_eggs_Dropper Library

After the stage received from the remote malicious server runs, the JavaScript code creates an executable library at the following location (d{5} denotes five random digits):

    C:\Users\%username%\AppData\Roaming\Adobe\d{5}.dll

In this article, we refer to this library as More_eggs_Dropper.
SHA-256: F7A405795F11421F0996BE0D0A12DA743CC5AAF65F79E0B063BE6965C8FB8016
MD5: EC103191C61E4C5E55282F4FFB188156
File Name: 38754.dll (the file name is randomly generated)
File Size: 317,440 bytes
Compilation Stamp: Tue Apr 08 14:30:58 2025
File Type: x86 PE DLL

More_eggs_Dropper is started on the system with the following command:

    regsvr32 /s /n /i:Ferc "C:\Users\%username%\AppData\Roaming\Adobe\d{5}.dll"

The /s switch suppresses dialogs, /n tells regsvr32 not to call DllRegisterServer, and /i:Ferc passes the string "Ferc" to the DLL's DllInstall export. The library therefore runs without writing any COM registration to the registry.

The More_eggs_Dropper library is complex; its obfuscated code generates JavaScript polymorphically. Execution of the library is time-delayed to evade sandboxing and analysis by researchers. When it executes, it creates several files in the following directory (d{9} denotes nine random digits, hex{17} seventeen random hexadecimal characters):

    C:\Users\%username%\AppData\Roaming\Adobe\d{9}.txt     # JavaScript launcher
    C:\Users\%username%\AppData\Roaming\Adobe\hex{17}.txt  # JavaScript payload
    C:\Users\%username%\AppData\Roaming\Adobe\msxsl.exe    # legitimate Microsoft XSL transformation utility

More_eggs_Dropper writes a copy of the legitimate Microsoft msxsl.exe utility, a command-line XSLT processor whose stylesheets can embed script, and uses it to run XML files that contain JavaScript. This technique is known to have been used by Venom Spider in previous campaigns.

The second file More_eggs_Dropper creates is a small JavaScript launcher that starts the main payload contained in the JavaScript payload file. After these scripts run, More_eggs_Dropper is quietly removed from the system.

Figure 6: Deobfuscated code of the JavaScript launcher.

The JavaScript payload is the main malicious code in this attack chain. Its code is very similar to another loader used by Venom Spider, TerraLoader. The threat actor has improved this loader and added more string obfuscation and code encryption.

More_eggs_Dropper generates a new JavaScript payload each time it runs. The JavaScript executed on victim devices is highly obfuscated and contains two blocks of encrypted data.
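Every stage described so far runs through a Microsoft-shipped binary (cmd.exe, ie4uinit.exe, regsvr32.exe) or a legitimate Microsoft tool dropped into AppData (msxsl.exe), so the useful telemetry is process creation rather than file hashes. The following Python is an added example, not Arctic Wolf's detection content or the malware's code: it encodes the chain as four rules over process-creation events and runs them against a constructed event list. The parent processes in the sample events are assumptions (the report does not state them), and thresholds such as "user-writable directory" are this example's own heuristics that need tuning against real telemetry.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style); the sample events below are constructed."""
    image: str             # full path of the new process
    command_line: str
    parent_image: str
    current_directory: str = ""


# Paths a standard user can write to; a Microsoft binary running from, or pointed at, these is the anomaly.
USER_WRITABLE = re.compile(r"\\(Users|AppData|Temp|ProgramData)\\", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the rule names the event trips; the rules are this example's own heuristics."""
    hits = []
    name = _basename(ev.image)
    cl = ev.command_line.lower()
    # cmd.exe building a file named ieuinit.inf by output redirection (the stage-1 batch script).
    if name == "cmd.exe" and "ieuinit.inf" in cl and ">" in cl:
        hits.append("ieuinit_inf_write")
    # ie4uinit.exe is legitimate, but a cmd.exe parent or a user-writable working directory
    # (where the attacker's ieuinit.inf lives) is not how Windows itself runs it.
    if name == "ie4uinit.exe" and (_basename(ev.parent_image) == "cmd.exe"
                                   or USER_WRITABLE.search(ev.current_directory)):
        hits.append("ie4uinit_lotl")
    # regsvr32 /n /i:<arg> calls DllInstall without DllRegisterServer; with a DLL under a user
    # profile this matches the More_eggs_Dropper launch line.
    if (name == "regsvr32.exe" and re.search(r"(^|\s)/n(\s|$)", cl) and "/i:" in cl
            and USER_WRITABLE.search(ev.command_line)):
        hits.append("regsvr32_dllinstall_userdir")
    # msxsl.exe is not shipped with Windows; a copy executing from AppData was dropped, not installed.
    if name == "msxsl.exe" and USER_WRITABLE.search(ev.image):
        hits.append("msxsl_userdir")
    return hits


def detect(events):
    """(event index, rule) pairs over a list of ProcessEvent, in order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed event sequence following the chain in the report; parent images are assumptions.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c echo [version] > "C:\Users\alice\AppData\Local\Temp\ieuinit.inf"',
                 r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads"),
    ProcessEvent(r"C:\Program Files\Windows NT\Accessories\wordpad.exe", "wordpad.exe",
                 r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\Downloads"),
    ProcessEvent(r"C:\Windows\System32\ie4uinit.exe", "ie4uinit.exe",
                 r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\AppData\Local\Temp"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32 /s /n /i:Ferc "C:\Users\alice\AppData\Roaming\Adobe\38754.dll"',
                 r"C:\Windows\System32\wscript.exe", r"C:\Users\alice"),
    ProcessEvent(r"C:\Users\alice\AppData\Roaming\Adobe\msxsl.exe",
                 r"msxsl.exe 123456789.txt 0123456789abcdef0.txt",
                 r"C:\Windows\System32\wscript.exe", r"C:\Users\alice\AppData\Roaming\Adobe"),
    # Benign control: a vendor installer registering its own COM DLL from Program Files.
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe", r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"',
                 r"C:\Program Files\Vendor\setup.exe", r"C:\Program Files\Vendor"),
]
```

The benign control event matters as much as the positives: regsvr32 registering a DLL from Program Files with neither /n nor /i: must stay silent, otherwise the rule drowns in installer noise. Correlating two or more of these hits on one host within a few minutes is a much stronger signal than any single one.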
This data contains the JavaScript code used in the next layer.

Decryption of the first JavaScript layer uses a hard-coded key (10-20 bytes in size) combined with three additional bytes that the script obtains by brute force. The threat actor applies this technique to evade analysis: recovering the last three bytes of the key typically takes several minutes on the victim machine, a delay that costs the attacker nothing but outlasts the execution window of many automated sandboxes. The cipher used is a variation of RC4.

Payload Decryption

Here is an example of a decryption key for the first encrypted payload:

    WJxQNWvJVK866

As noted above, the last three bytes of this string are obtained through brute force on infected devices.

During JavaScript generation, More_eggs_Dropper obtains the computer name and the %PROCESSOR_IDENTIFIER% environment variable. It appends this data to the already known key and uses the result as the decryption key for the second-layer payload. For example:

    WJxQNWvJVK866Name-PCIntel64 Family 6 Model 142 Stepping 10, GenuineIntel

This key-derivation technique complicates analysis of the attack and prevents automatic decryption of the payload in a sandbox, because the payload only decrypts on a machine whose computer name and processor identifier match those the dropper observed at generation time. In practice, the final stage of More_eggs cannot be obtained without those host-specific values for the targeted device.

Figure 7: Venom Spider's JavaScript dropper payload.

During our analysis, we obtained a final payload of More_eggs, which contained new command-and-control (C2) commands used to interact with the malicious server.
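To make the two-layer scheme concrete, the following Python is an added example, not the dropper's code: it reproduces the key construction the report describes, a hard-coded prefix plus three brute-forced bytes for layer one, and that full key concatenated with the computer name and %PROCESSOR_IDENTIFIER% for layer two. Standard RC4 stands in for the actor's RC4 variant; the known-plaintext marker used to recognise a correct key is an assumption (the report does not say how the script detects success); and the brute force is limited to digit suffixes so it finishes instantly, whereas the actor's full 2^24 search is what produces the multi-minute delay. All keys, host values and "JavaScript" strings are constructed.

```python
import itertools
import string


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The report says the malware uses a variation of RC4; the
    standard algorithm is assumed here so the key scheme, not the cipher, is what is shown."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed values standing in for what More_eggs_Dropper embeds at generation time.
KEY_PREFIX = b"WJxQNWvJVK"          # hard-coded 10-20 byte part (the report's example key is WJxQNWvJVK866)
KEY_SUFFIX = b"866"                  # the three bytes the script must recover by brute force
COMPUTER_NAME = b"Name-PC"
PROCESSOR_IDENTIFIER = b"Intel64 Family 6 Model 142 Stepping 10, GenuineIntel"
MARKER = b"//MEGGS\n"                # assumed known-plaintext check for "this key is right"
LAYER1_JS = b"function next(){ /* layer 1 decrypts and runs layer 2 (constructed) */ }"
LAYER2_JS = b"var BV='6.7a'; /* final More_eggs stage (constructed stand-in) */"


def layer2_key(layer1_key: bytes, computer_name: bytes, proc_id: bytes) -> bytes:
    """Environmental keying as described: full layer-1 key + computer name + %PROCESSOR_IDENTIFIER%."""
    return layer1_key + computer_name + proc_id


def build_sample_blobs():
    """Encrypt the two constructed layers the way the report describes the keys being formed."""
    key1 = KEY_PREFIX + KEY_SUFFIX
    blob1 = rc4(key1, MARKER + LAYER1_JS)
    blob2 = rc4(layer2_key(key1, COMPUTER_NAME, PROCESSOR_IDENTIFIER), MARKER + LAYER2_JS)
    return blob1, blob2


def brute_force_layer1(blob1: bytes, prefix: bytes, alphabet=string.digits, marker=MARKER):
    """Recover the 3-byte suffix by trial decryption. The real script searches all 2^24 values,
    which is what costs the victim several minutes; a digits-only alphabet keeps this demo fast."""
    for cand in itertools.product(alphabet.encode(), repeat=3):
        key = prefix + bytes(cand)
        if rc4(key, blob1[:len(marker)]) == marker:     # keystream is data-independent: test a prefix only
            return key, rc4(key, blob1)[len(marker):]
    raise ValueError("suffix not found in the given alphabet")


def decrypt_layer2(blob2: bytes, key1: bytes, computer_name: bytes, proc_id: bytes, marker=MARKER):
    """Only succeeds on the host whose name and processor identifier the dropper saw."""
    pt = rc4(layer2_key(key1, computer_name, proc_id), blob2)
    if not pt.startswith(marker):
        raise ValueError("wrong environment: key does not match this host")
    return pt[len(marker):]
```

The same functions serve the analyst: with the prefix lifted from the sample and the computer name and processor identifier read from the infected host, decrypt_layer2 yields the final stage. Without those two host values the second layer stays opaque, which is exactly what defeats a generic sandbox and why a More_eggs incident needs the original machine (or those two strings from it) to reconstruct the payload.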
We were also able to identify the C2 configuration used in this campaign:

    hxxps://tool[.]municipiodechepo[.]org/id/243149

After the More_eggs payload launches, the backdoor collects the following information about the victim's system and sends it to a remote server for further processing by the threat actor:

Field: Description
OS Installation Date: hash, converted to hex ASCII
Antivirus (AV) List: AV details are encoded as letters (a, b, c, etc.). The names of running processes are converted to CRC32 hashes and compared against 53 hashes carried in the backdoor; most of these have been recovered (see Appendix).
Username: 0 if invalid
Computer Name: 0 if invalid
OS Version: e.g., 10.0
Product Type: 1 for WinNT, 3 for others
OS Build: retrieved as Build (e.g., 19045)
Architecture: 1 for 64-bit, 0 for 32-bit
Local IP: local IP address
Bot Version: "BV = 6.7a", hardcoded in the JavaScript

Next, the backdoor waits for a response from the server, connecting every three minutes.

The following C2 commands are supported by the backdoor:

C2 command: Description
d&exec: Downloads a PE file from a URL provided by the remote server and runs it.
gtfo: Removes all traces of infection, including files and registry entries.
more_onion: Runs the fCore.txt file through msxsl.exe. The fCore.txt file contains additional JavaScript.
via_c: Runs cmd.exe with the command received from the remote server.
more_time: Records the output of commands executed in cmd.exe, encodes it, and sends it back to the threat actor's remote server.

Based on the C2 commands contained in the backdoor, we assess that threat actors using it have the ability to run additional JavaScript code or executable files on the victim's system.
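The appendix lists the decimal CRC32 values together with the names recovered for them, and the YARA rule string "tmp = 3988292384 ^ tmp >>> 1;" shows the backdoor computing a standard reflected CRC-32 (polynomial 0xEDB88320) in JavaScript. The Python below is an added example, not Arctic Wolf's tooling: it resolves hash values against a candidate wordlist under several case normalisations (the report does not state which one the bot applies before hashing), which is how the unrecovered hashes can be hunted with a bigger wordlist, and it mirrors the bot's own membership test so a defender can see which of a host's processes it would flag. The extra candidate names beyond those in the appendix are constructed additions.

```python
import zlib

# Decimal CRC32 values as listed in the report's appendix (the backdoor carries 53; these are
# the ones the report recovered).
REPORTED_HASHES = {
    184741780, 4167611121, 3917603449, 3237881663, 800732934, 4056687588, 2432672291,
    2928704260, 242152363, 3314468719, 3103805340, 2447720335, 3576979024, 3540381638,
    61053860, 332293705, 1864254150, 3233790880, 3707949399, 1164644511, 1087054291,
    3457522114, 2229870333, 1570161171, 1460978182, 1863628361, 2866464079, 1964687411,
    305523985,
}

# Candidate wordlist: the names from the appendix (in vendor casing) plus a few extra AV
# process names, constructed here, to show how unresolved hashes are hunted.
CANDIDATES = [
    "vastsvc.exe", "MsMpEng.exe", "ns.exe", "ccSvcHst.exe", "mcshield.exe", "PccNTMon.exe",
    "mbamservice.exe", "SavService.exe", "avguard.exe", "cmdagent.exe", "PSANHost.exe",
    "fshoster32.exe", "a2service.exe", "SBAMSvc.exe", "nis.exe", "nst.exe", "bdss.exe",
    "ekrn.exe", "nsbu.exe", "WRSA.exe", "avp.exe", "vsserv.exe", "TmNtSrv.exe",
    "clamtray.exe", "dwengine.exe", "avgrsx.exe", "gzserv.exe", "ifgbxm.exe", "mctray.exe",
    "AvastSvc.exe", "bdagent.exe", "SentinelAgent.exe", "CSFalconService.exe",
]

# How the process name might be normalised before hashing; the report does not say, so try each.
NORMALIZERS = {"lower": str.lower, "upper": str.upper, "as-is": lambda s: s}


def crc32_bytes(data: bytes) -> int:
    """Standard CRC-32 (reflected polynomial 0xEDB88320, the 3988292384 constant in the YARA rule)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def resolve(targets, candidates, normalizers=NORMALIZERS):
    """Map each target hash to (name, normalisation) where some candidate matches; list the rest."""
    resolved = {}
    for label, norm in normalizers.items():
        for name in candidates:
            h = crc32_bytes(norm(name).encode("ascii"))
            if h in targets and h not in resolved:
                resolved[h] = (norm(name), label)
    unresolved = sorted(set(targets) - set(resolved))
    return resolved, unresolved


def av_present(running_processes, targets, norm=str.lower):
    """The check as the backdoor performs it: hash each running process name and test membership."""
    return {proc for proc in running_processes if crc32_bytes(norm(proc).encode("ascii")) in targets}


if __name__ == "__main__":
    found, missing = resolve(REPORTED_HASHES, CANDIDATES)
    for h, (name, how) in sorted(found.items()):
        print(f"{h:>10}  {name}  ({how})")
    print(f"{len(missing)} hash(es) not covered by the wordlist")
```

Which normalisation the appendix values were produced under shows up in the labels resolve returns; once that is known, the remaining hashes are a wordlist problem (every EDR and AV service binary name you can collect), and av_present lets you test a host's process list the way the bot does, to predict whether it would report your security stack.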
Figure 8: The configuration of the More_eggs bot specified at the beginning of the file.

Network Infrastructure

The network infrastructure used by Venom Spider has become disparate and well obfuscated in recent years. In previous More_eggs campaigns, the infrastructure could be tracked to some degree through whois information and hosting providers.

The current campaign uses cloud-hosted infrastructure and anonymous domain registration. The threat group uses multi-level URLs for C2 communication to avoid scanners such as Censys and Shodan and, while reusing domains that were registered earlier, operates only on subdomains to further impede automated tracking.

In the current campaign infrastructure, both municipiodechepo[.]org and ryanberardi[.]com have the registrant organization "Domains By Proxy, LLC." and both domains are hosted on Amazon. While the phishing subdomain is still hosted on the Amazon cloud, the malicious C2 subdomain is hosted on a separate service through GoDaddy, at the IP address 208[.]109[.]231[.]95.

Domain: Description
doefstf[.]ryanberardi[.]com: Phishing/Delivery
dtde[.]ryanberardi[.]com: Phishing/Delivery
tool[.]municipiodechepo[.]org: C2

Attack Flow

Figure 9: Venom Spider attack flow.

Remediation

Due to Venom Spider's use of social engineering, including the targeting of corporate HR and other hiring staff with realistic-looking job application phishing emails and actor-controlled "resume" websites, organizations that make use of third-party job posting websites (including LinkedIn, Indeed.com, and similar sites) should regularly train employees to identify and counter spear-phishing attacks.
Employees in frequently targeted departments such as HR and Recruitment should receive additional training that teaches them to be especially wary of attachments that are LNK, ISO, or VBS files. These file types are often sent inside zip archives to bypass email filters. Employees should be taught to routinely inspect attachment files by right-clicking the file and selecting "Properties" (on Windows) or "Get Info" (on Mac) before opening them.

In addition, organizations can protect themselves with the following measures:

- Consider the use of Secure Email Gateway solutions to proactively filter out malicious emails.
- Implement an Endpoint Detection and Response (EDR) solution such as Arctic Wolf® Aurora™ Endpoint Security.
- Ensure all employees throughout the company are aware of good security hygiene practices, including awareness of social engineering.
- Add or enable a phishing report button in your organization's email solution, so employees can immediately report suspected phishing emails to your SOC or IT security team.
- Consider conducting regular internal phishing tests to reinforce security training.
- Block the command-and-control infrastructure identified in this campaign.
- Deploy detection rules for More_eggs components.
- Carefully review logs for indicators of compromise.

How Arctic Wolf Protects its Customers

Arctic Wolf is committed to ending cyber risk with its customers, and when active campaigns are identified we move quickly to protect our customers.

Arctic Wolf Labs has leveraged threat intelligence around Venom Spider activity to implement new detections in the Arctic Wolf® Aurora™ Platform to protect customers. As we discover new information, we will enhance our detections to account for additional IOCs and techniques leveraged by this threat actor.
Conclusion

Our recent findings suggest that Venom Spider is using the More_eggs backdoor campaign to target Human Resources departments and is highly focused on the long-term survivability of its campaigns.

The threat actor has demonstrated a continued investment in the development and maintenance of its backdoor infrastructure over time. This is evidenced by the use of sophisticated code obfuscation and code encryption, which improve its stealth and evasiveness against defenders.

Appendix

Indicators of Compromise (IOCs)

Weapon: More_eggs_Dropper
MD5: ec103191c61e4c5e55282f4ffb188156
SHA-256: f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016

Weapon: 2nd stage of infection, filename ikskck.htm
MD5: c16aa3276e4bcbbe212d5182de12c2b7
SHA-256: bd49b2db669f920d96008047a81e847ba5c2fd12f55cfcc0bb2b11f475cdf76f

Weapon: More_eggs_JS_BackDoor
MD5: ebb5fb96bf2d8da2d9f0f6577766b9f1
SHA-256: 2fef6c59fbf16504db9790fcc6759938e2886148fc8acab84dbd4f1292875c6c

Weapon: More_eggs_JS_BackDoor
MD5: 2da2f53ffd9969aa8004d0e1060d2ed1
SHA-256: 0af266246c905431e9982deab4ad38aaa63d33a725ff7f7675eb23dd75ca4d83

Weapon: More_eggs_JS_BackDoor
MD5: 17158538b95777541d90754744f41f58
SHA-256: f873352564a6bd6bd162f07eb9f7a137671054f7ef6e71d89a1398fb237c7a7b

Weapon: More_eggs_JS_BackDoor
MD5: 46f142198eeeadc30c0b4ddfbf0b3ffd
SHA-256: 184788267738dfa09c82462821b1363dbec1191d843da5b7392ee3add19b06fb

Weapon: More_eggs_JS_BackDoor
MD5: b1e8602e283bbbdf52df642dd460a2a2
SHA-256: ccb05ca9250093479a6a23c0c4d2c587c843974f229929cd3a8acd109424700d

File Paths (d{5}, d{9} and hex{17} denote random digit and hexadecimal strings of that length):

C:\Users\%username%\AppData\Roaming\Adobe\d{9}.txt
C:\Users\%username%\AppData\Roaming\Adobe\hex{17}.txt
C:\Users\%username%\AppData\Roaming\Adobe\msxsl.exe
C:\Users\%username%\AppData\Roaming\Adobe\d{5}.dll
C:\Users\%username%\AppData\Roaming\Adobe\fCore.txt

Network Indicators:

hxxp://doefstf[.]ryanberardi[.]com
hxxp://doefstf[.]ryanberardi[.]com/ikskck
hxxp://dtde[.]ryanberardi[.]com
hxxp://dtde[.]ryanberardi[.]com/ikskck
hxxps://tool[.]municipiodechepo[.]org/id/243149
hxxps://beta[.]w3[.]org[.]kz/release/info
hxxps://host[.]moresecurity[.]kz/host/info
hxxps://developer[.]master[.]org[.]kz/api/v1
hxxps://ssl[.]gstatic[.]kz/ui/v2
hxxps://report[.]monicabellucci[.]kz/295693495/info
hxxps://cast[.]voxcdn[.]kz/yui/yui-min[.]js
hxxps://blog[.]jasonlees[.]com/latestnews/info
hxxps://contactlistsagregator[.]com/j2378745678674623/ajax[.]php
hxxps://onlinemail[.]kz/version44/info
hxxps://stats[.]wp[.]org[.]kz/license[.]txt
hxxps://api[.]incapdns[.]kz/v1

List of Targeted Antivirus Processes

This section lists the processes the More_eggs backdoor looks for on victim devices. CRC32 hashes are given in decimal, exactly as they appear in the backdoor. All processes are components of various antivirus applications. The list below shows the names of the processes we were able to decipher from the backdoor.
Process Name: CRC32
vastsvc.exe: 184741780
msmpeng.exe: 4167611121
ns.exe: 3917603449
ccsvchst.exe: 3237881663
mcshield.exe: 800732934
pccntmon.exe: 4056687588
mbamservice.exe: 2432672291
savservice.exe: 2928704260
avguard.exe: 242152363
cmdagent.exe: 3314468719
psanhost.exe: 3103805340
fshoster32.exe: 2447720335
a2service.exe: 3576979024
sbamsvc.exe: 3540381638
nis.exe: 61053860
nst.exe: 332293705
bdss.exe: 1864254150
ekrn.exe: 3233790880
nsbu.exe: 3707949399
wrsa.exe: 1164644511
avp.exe: 1087054291
vsserv.exe: 3457522114
tmntsrv.exe: 2229870333
clamtray.exe: 1570161171
dwengine.exe: 1460978182
avgrsx.exe: 1863628361
gzserv.exe: 2866464079
ifgbxm.exe: 1964687411
mctray.exe: 305523985

Detections

Yara Rules

rule More_eggs_Dropper
{
    meta:
        description = "Rule to detect More_eggs_Dropper"
        last_modified = "2025-04-24"
        author = "The Arctic Wolf Labs team"
        version = "1.0"
        sha256 = "f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016"
    strings:
        $a1 = "Authorities32" ascii wide
        $a2 = "Guards128" ascii wide
        $a3 = "Implications256" ascii wide
        $a4 = "Monster32" ascii wide
        $a5 = "Sphere256" ascii wide
    condition:
        uint16(0) == 0x5A4D and filesize < 1MB and all of ($a*)
}

rule More_eggs_JS_BackDoor
{
    meta:
        description = "Rule to detect More_eggs_JavaScript"
        last_modified = "2025-04-24"
        author = "The Arctic Wolf Labs team"
        version = "1.0"
    strings:
        $a1 = "var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each);" ascii wide
        $a2 = "function hit_Gate(URL, POSTdata, gResponse, method)" ascii wide
        $a3 = "function dExec(zURL, myKey, xPE, xEntryP)" ascii wide
        $a4 = "var xCrypted = zzzz4(Rkey + keynow, not_unique) + keynow;" ascii wide
        $a5 = "tmp = 3988292384 ^ tmp >>> 1;" ascii wide
        $a6 = "cNow !== 3377271179 && cNow !== 3106260013 &&" ascii wide
    condition:
        filesize < 1MB and 2 of ($a*)
}

Detailed MITRE ATT&CK® Mapping

Tactic - Technique - Sub-Technique Name / Context

Initial Access - T1566.002 - Spearphishing Link: The user receives a spear-phishing link as the attack vector.
Execution - T1204.002 - User Execution: Malicious File: To run the malicious code, the user opens a .lnk file.
Execution - T1059.003 - Windows Command Shell: Opening the .lnk file launches cmd.exe with the embedded commands.
Execution - T1059.007 - JavaScript: The threat actor runs a JavaScript execution chain.
Persistence - T1547.001 - Registry Run Keys / Startup Folder: By modifying the registry, the threat actor achieves a persistent presence on the system.
Defense Evasion - T1497.003 - Time Based Evasion: The JavaScript launcher and More_eggs_Dropper use evasion based on meaningless code execution to extend their runtime.
Defense Evasion - T1027.010 - Command Obfuscation: All malicious JavaScript files use command obfuscation.
Defense Evasion - T1027.013 - Encrypted/Encoded File: More_eggs_Dropper encrypts part of the code during payload generation using a variant of RC4. The JavaScript launcher uses a variant of RC4 to decrypt JavaScript code at runtime.
Defense Evasion - T1027.014 - Polymorphic Code: More_eggs_Dropper generates polymorphic JavaScript launcher code; each generated copy differs in size and content. In addition, the first-stage .lnk file is modified for each download.
Command-and-Control - T1105 - Ingress Tool Transfer: The threat actor transfers additional tools, such as JavaScript and executable files, to the compromised system.
Command-and-Control - T1071.001 - Web Protocols: The threat actor uses web protocols to communicate with the victim system.
Command-and-Control - T1573.001 - Symmetric Cryptography: The More_eggs backdoor uses the RC4 symmetric encryption algorithm to encrypt data before sending it. The encryption key is hardcoded in the code.
Discovery - T1518.001 - Security Software Discovery: More_eggs looks for security software processes on the victim's system and sends that information to the threat actor's server.
Discovery - T1016.001 - Internet Connection Discovery: More_eggs periodically connects to a neutral website to determine whether the compromised system is connected to the internet.

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf's solution offerings. Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf's customer base, but the security community at large.

Source: https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/