These Are Not Easter Eggs

8769967073?profile=RESIZE_400xA new spear-phishing campaign is targeting professionals on LinkedIn with weaponized job offers in an attempt to infect targets with a sophisticated backdoor trojan called "more_eggs."  More_eggs virus is a backdoor Trojan that is utilized by Cobalt Group and other criminal gangs to attack corporations and regular users More_eggs virus is a backdoor Trojan that was used by infamous cybercriminal group the Cobalt Group More_eggs is written in JavaScript programming language. To increase the odds of success, the phishing lures take advantage of malicious ZIP archive files that have the same name as that of the victims' job titles taken from their LinkedIn profiles.

"For example, if the LinkedIn member's job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the 'position' added to the end)," cybersecurity firm eSentire's Threat Response Unit (TRU) said in an analysis. "Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs."


Campaigns delivering more_eggs using the same modus operandi have been spotted at least since 2018, with the backdoor attributed to a malware-as-a-service (MaaS) provider called Golden Chickens. The adversaries behind this new wave of attacks remain unknown as yet, although more_eggs has been put to use by various cybercrime groups such as Cobalt, FIN6, and EvilNum in the pas 

Once installed, more_eggs maintains a stealthy profile by hijacking legitimate Windows processes while presenting the decoy "employment application" document to distract targets from ongoing background tasks triggered by the malware. Furthermore, it can act as a conduit to retrieve additional payloads from an attacker-controlled server, such as banking trojans, ransomware, credential stealers, and even use the backdoor as a foothold in the victim's network so as to exfiltrate dat

Trojans like More_eggs can be a significant threat to users' privacy and computer safety. These trojans are often used to inject systems with additional malware, such as data-tracking trojansransomwarecryptominers, and so on. Data-tracking infections record keystrokes, saved logins/passwords, banking details, and other similar personal data. Cyber criminals attempt to generate as much revenue as possible. Therefore, they can misuse hijacked accounts to steal victims' savings and even identities. Ransomware compromises data (usually by encryption) and makes ransom demands in exchange for recovery of the system. Note that cyber criminals cannot be trusted. Whatever the cost, never agree to pay, since you will be scammed.

Cryptomining applications misuse infiltrated systems to mine cryptocurrency without users' consent. Cryptomining can take up to 100% of system resources, thus making the system unstable (it can crash) and virtually unusable (it barely responds). Furthermore, fully-loaded hardware generates excessive heat. Therefore, within certain circumstances (e.g., high room temperatures, bad cooling systems, etc.), system components can overheat and be permanently damaged. 

If anything, the latest development is yet another indication of how threat actors are constantly tweaking their attacks with personalized lures in an attempt to trick unsuspecting users into downloading malware.

"Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment," the researchers said. "Thus, a customized job lure is even more enticing during these troubled times."

Red Sky Alliance has been has analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at at no charge. Many past tactics are reused in current malicious campaigns.

Red Sky Alliance is a Cyber  Threat  Analysis  and  Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or 

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings



E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!