The financially motivated threat group known as Venom Spider has intensified efforts to compromise corporate Human Resources (HR) and recruitment departments by distributing the advanced More_eggs malware through spear-phishing emails disguised as job applications.
Arctic Wolf Labs has reported that these attacks target hiring managers and recruiters who, as part of their regular workflow, frequently open email attachments from unknown sources, making them an attractive vector for exploitation.
Technical Attack Chain and Weaponization
The attack commences when a recruiter receives a convincing phishing email purportedly from a job seeker, with a link to download a resume.

This link directs the victim to an actor-controlled website featuring a CAPTCHA to bypass automated detection systems.
Upon successful interaction, a ZIP file is delivered, containing a malicious Windows shortcut (.lnk) and a decoy image.
The .lnk file, custom-generated for each download using server-side polymorphism, embeds an obfuscated batch script.
Execution of the shortcut script launches WordPad as a diversion and covertly triggers the legitimate Windows utility, ie4uinit.exe, leveraging a well-known Living-off-the-Land (LOTL) tactic to execute further code.
This sequence ultimately results in the retrieval of an obfuscated JavaScript payload from the attacker’s infrastructure.

More_eggs_Dropper: Polymorphic Delivery and Payload Evasion
At the core of this campaign is an upgraded delivery library, dubbed More_eggs_Dropper.
This polymorphic DLL is created in the user’s roaming Adobe directory and is executed via regsvr32, a technique that hinders behavioral detection.
The Dropper library generates further obfuscated JavaScript payloads that utilize delayed execution to evade sandbox analysis, and dynamically writes multiple files including JavaScript launchers and payloads, as well as the legitimate msxsl.exe utility for further code execution.
Each infection instance involves complex decryption routines. The Dropper collects environmental information such as computer name and processor identifier to construct unique keys for the decryption of payloads, using a customized RC4 variant.
These measures effectively thwart standard analysis and make automated detection exceedingly difficult.
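The living-off-the-land stages described above leave process-creation telemetry that can be matched directly. The following Python is an added illustration, not code from the article or from Arctic Wolf: it checks Sysmon Event ID 1 style records (field names Image, ParentImage, CommandLine are assumptions) for ie4uinit.exe spawned by the shortcut's batch script, regsvr32 loading a DLL from the roaming Adobe directory, and msxsl.exe or a script host running out of that directory; the parent-process relationships and the sample events are constructed.

```python
import re

# Assumed field names (Sysmon Event ID 1 style): Image, ParentImage, CommandLine.
ROAMING_ADOBE = re.compile(r"\\AppData\\Roaming\\Adobe\\", re.IGNORECASE)

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def regsvr32_from_roaming_adobe(ev):
    """regsvr32 registering a DLL from the roaming Adobe directory (dropper stage)."""
    return _base(ev["Image"]) == "regsvr32.exe" and bool(ROAMING_ADOBE.search(ev["CommandLine"]))

def ie4uinit_from_batch(ev):
    """ie4uinit.exe spawned by cmd.exe, as the shortcut's embedded batch script would do (assumed parent)."""
    return _base(ev["Image"]) == "ie4uinit.exe" and _base(ev["ParentImage"]) == "cmd.exe"

def msxsl_in_roaming_adobe(ev):
    """msxsl.exe executing from the roaming Adobe directory rather than an install location."""
    return _base(ev["Image"]) == "msxsl.exe" and bool(ROAMING_ADOBE.search(ev["Image"]))

def script_host_in_roaming_adobe(ev):
    """wscript/cscript running a script from the roaming Adobe directory (assumed launcher form)."""
    return _base(ev["Image"]) in ("wscript.exe", "cscript.exe") and bool(ROAMING_ADOBE.search(ev["CommandLine"]))

RULES = [regsvr32_from_roaming_adobe, ie4uinit_from_batch, msxsl_in_roaming_adobe, script_host_in_roaming_adobe]

def scan(events):
    """Return (rule name, event index) for every rule that fires; order follows events, then RULES."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]

# Constructed sample telemetry: two benign events, then three stages of the described chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript "C:\Scripts\logon.vbs"'},
    {"Image": r"C:\Windows\System32\ie4uinit.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ie4uinit.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'regsvr32 /s "C:\Users\alice\AppData\Roaming\Adobe\dropper.dll"'},
    {"Image": r"C:\Users\alice\AppData\Roaming\Adobe\msxsl.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "msxsl.exe payload.xml launcher.xsl"},
]

if __name__ == "__main__":
    for name, idx in scan(SAMPLE_EVENTS):
        print(f"{name}: event {idx} -> {SAMPLE_EVENTS[idx]['Image']}")
```

Because the dropper is polymorphic, these behavioural matches are more durable than hash-based rules for the same stage.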
The More_eggs backdoor, once established, communicates with Venom Spider’s cloud-based and obfuscated C2 infrastructure.
The attackers employ subdomains, anonymous registration, and multiple hosting providers to frustrate tracking efforts.
Post-infection, the malware harvests detailed system information, including process lists and local IP addresses, before polling the C2 server every three minutes for instructions.
Supported commands enable operators to download and execute arbitrary payloads, remove traces of infection, run additional JavaScript, execute shell commands, and exfiltrate results, providing extensive post-exploitation flexibility.
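The fixed three-minute polling interval is itself a detection opportunity. As an added example, not taken from the article or from Arctic Wolf, this Python pass over constructed proxy log lines (format assumed: ISO timestamp, client IP, destination host) flags client-to-host pairs whose request cadence clusters tightly around 180 seconds; the C2 hostname in the sample is a placeholder.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

def parse_line(line):
    """Parse one constructed proxy log line: '<ISO-8601 UTC> <client_ip> <destination_host>'."""
    ts, client, host = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host

def beacon_candidates(lines, period_s=180, tolerance_s=10, min_hits=4):
    """Return (client, host, median gap) for pairs polling at roughly period_s seconds with low jitter."""
    seen = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, client, host = parse_line(line)
            seen[(client, host)].append(ts)
    hits = []
    for (client, host), stamps in seen.items():
        if len(stamps) < min_hits:          # too few requests to judge cadence
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # A timer produces near-constant gaps; human browsing does not.
        if abs(mid - period_s) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            hits.append((client, host, round(mid, 1)))
    return hits

# Constructed sample log: ordinary browsing interleaved with a 3-minute beacon from 10.1.2.3.
SAMPLE_PROXY_LOG = """\
2025-05-05T09:00:00Z 10.1.2.3 cdn.example.net
2025-05-05T09:00:02Z 10.1.2.3 c2-placeholder.example
2025-05-05T09:00:05Z 10.1.2.3 cdn.example.net
2025-05-05T09:01:30Z 10.1.2.3 cdn.example.net
2025-05-05T09:03:02Z 10.1.2.3 c2-placeholder.example
2025-05-05T09:06:03Z 10.1.2.3 c2-placeholder.example
2025-05-05T09:07:00Z 10.1.2.3 cdn.example.net
2025-05-05T09:09:01Z 10.1.2.3 c2-placeholder.example
2025-05-05T09:10:00Z 10.1.2.3 cdn.example.net
2025-05-05T09:12:02Z 10.1.2.3 c2-placeholder.example
2025-05-05T09:12:30Z 10.1.2.4 c2-placeholder.example
2025-05-05T09:15:30Z 10.1.2.4 c2-placeholder.example
"""

if __name__ == "__main__":
    for client, host, gap in beacon_candidates(SAMPLE_PROXY_LOG.splitlines()):
        print(f"possible beacon: {client} -> {host} every ~{gap}s")
```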
Venom Spider has previously targeted e-commerce, legal, insurance, and energy sectors but is now broadening its targeting by exploiting the universal need for hiring across nearly all industries.
The reliance of HR staff on handling external attachments means the attack can penetrate organizations irrespective of their sector.
The group’s continued innovation is evident in their development of advanced polymorphic tools, enhanced obfuscation methods, and the deployment of weaponized resumes via legitimate platforms like LinkedIn.
Due to the genuine nature of the phishing lures and advanced evasion strategies, successful defense relies on layered security.
Organizations are urged to implement secure email gateways, endpoint detection and response (EDR) solutions, regular employee phishing awareness training (especially for HR staff), and internal phishing simulations.
System administrators should be vigilant for suspicious .lnk, ISO, or VBS attachments and should routinely analyze logs for indicators of compromise.
Blocking known C2 domains and deploying up-to-date detection rules for More_eggs artifacts are essential in mitigating risk.
This campaign underscores the ongoing evolution of financially motivated cybercrime and highlights the importance of a proactive, defense-in-depth security posture to counter increasingly sophisticated threats targeting organizational weak points.
Indicators of Compromise (IOCs)