Golden Chickens’ Modular MaaS: TerraStealerV2, TerraLogger, and the Evolving Threat to Financial and Recruitment Sectors
Golden Chickens (aka Venom Spider) is a financially motivated Eastern European threat actor operating a modular malware-as-a-service (MaaS) platform since at least 2017.
thanks for all the ... eggs?
(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
Get questions like this:
- what do you know about venom spider (golden chickens)?
- What are the known affiliations or overlaps between Golden Chickens and other financially motivated threat groups like FIN6 and Cobalt Group in terms of shared infrastructure or malware?
- What are the unique TTPs Golden Chickens employs that differentiate it from other MaaS providers, and how can these be leveraged for attribution and defense?
Does it take chunks out of your day? Would you like help with the research?
This baseline report was thoughtfully researched and took 10 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.
We just did the initial grunt work.
Are you ready to level up your skillset? Get Started Here!
Did this help you? Forward it to a friend!
Suggested Pivot
How does the shared use of Golden Chickens' MaaS platform by groups like FIN6 and Cobalt Group complicate attribution efforts, and what are the implications for identifying and disrupting shared infrastructure and malware code reuse?
TL;DR
Key Points
- Golden Chickens (Venom Spider) operates a sophisticated malware-as-a-service (MaaS) platform, supplying modular malware (e.g., More_eggs, TerraStealerV2, TerraLogger, Venom Loader, RevC2) to financially motivated threat actors.
- Their tools are leveraged by groups like FIN6 and Cobalt Group, complicating attribution and expanding operational reach.
- Recent campaigns focus on spearphishing with malicious LNK files, targeting recruitment and financial sector employees using fake job offers and resumes.
- These vectors exploit user trust and bypass some email security controls, increasing initial access success rates.
- New malware families (TerraStealerV2, TerraLogger) introduce advanced credential theft, keylogging, and evasion techniques, including regsvr32-based OCX execution, XOR obfuscation, and exfiltration via Telegram and custom C2 domains.
- Detection requires updated EDR rules, behavioral analytics, and monitoring for LOLBins and obfuscated network traffic.
- Golden Chickens’ MaaS model is likely to evolve, with anticipated expansion into ransomware, AI-driven automation, and more sophisticated data exfiltration modules.
- Enterprises must invest in adaptive security architectures, AI-powered detection, and cross-sector intelligence sharing to counter these threats.
- Actionable recommendations include advanced email filtering, targeted user training, EDR and NIPS deployment, automated response playbooks, least privilege enforcement, and continuous threat intelligence integration.
- Regular review and tuning of detection rules, playbooks, and user awareness programs are critical.
Executive Summary
Golden Chickens (aka Venom Spider) is a financially motivated Eastern European threat actor operating a modular malware-as-a-service (MaaS) platform since at least 2017. Their toolkit includes More_eggs, TerraStealerV2, TerraLogger, Venom Loader, and RevC2, which are distributed to other cybercrime groups such as FIN6 and Cobalt Group. The group’s primary attack vector is spearphishing, leveraging malicious Windows shortcut (LNK) files disguised as job offers or resumes to target employees in financial, retail, industrial, and recruitment sectors.
Recent technical developments include the deployment of TerraStealerV2 and TerraLogger, which feature advanced credential theft, keylogging, and evasion capabilities. These malware families utilize regsvr32-based OCX execution, XOR string deobfuscation, and exfiltration via Telegram and custom C2 domains, complicating detection and response. Venom Loader and RevC2 further enhance modular payload delivery, persistence, and multi-faceted espionage through techniques like DLL side-loading and WebSocket-based C2.
Golden Chickens’ operations are characterized by shared infrastructure, overlapping TTPs, and code reuse with other financially motivated groups, making attribution challenging. The group is expected to evolve its MaaS offerings to include ransomware and AI-driven automation, increasing the sophistication and impact of future campaigns.
To mitigate these threats, enterprises should deploy advanced email and endpoint security controls, conduct targeted user training, implement automated response playbooks, enforce least privilege and network segmentation, and integrate continuous threat intelligence. Proactive threat hunting, regular simulation exercises, and participation in industry intelligence sharing groups are essential to stay ahead of Golden Chickens’ evolving tactics.
Attribution
Known Aliases
- Venom Spider
- badbullzvenom
- badbullz
- Lucky (early alias)
- Jack (persona name)
Historical Context
Golden Chickens, also known as Venom Spider, is a financially motivated cybercrime threat actor active since at least 2017. The group operates a sophisticated malware-as-a-service (MaaS) platform, providing modular malware families such as TerraStealer, TerraLoader, the More_eggs backdoor, RevC2, and Venom Loader. Their operations have targeted financial institutions, retail, industrial services, hospitality, and other sectors globally. The group is known for leveraging social engineering tactics, including spearphishing with fake job offers and malicious Windows shortcut (LNK) files, to gain initial access. The operators behind the group are believed to be individuals from Moldova and Montreal, Canada.
Timeline
- 2017: More_eggs backdoor first observed targeting Russian businesses, including financial institutions.
- 2018: More_eggs JavaScript backdoor attributed to operator "badbullzvenom" (aka Jack) from Moldova.
- 2019: IBM X-Force IRIS reports More_eggs targeting multinational organizations via LinkedIn and email lures.
- 2022-2024: Emergence of new malware families TerraStealerV2, TerraLogger, RevC2, and Venom Loader.
- 2024-2025: Campaigns using fake job applicant lures continue, targeting recruiters and financial sector employees.
Origin
Golden Chickens is attributed to cybercriminal operators based in Eastern Europe (Moldova) and in Montreal, Canada. The group is known for developing and operating a MaaS platform that supplies malware tools to other financially motivated threat actors.
Countries Targeted
- United States – Large financial and retail sectors targeted.
- United Kingdom – High-profile attacks on British Airways, Ticketmaster UK.
- Russia – Early targets including financial institutions and mining firms.
- Canada – Targeted in campaigns, possibly due to operator location.
- Other multinational organizations – Various sectors globally.
Sectors Targeted
- Financial Institutions – Primary targets for theft and fraud.
- Retail – Targeted for payment data and financial gain.
- Industrial Services – Targeted via spearphishing campaigns.
- Hospitality – Victims include organizations in this sector.
- Technology and Engineering – Targeted roles related to hiring and sales engineering.
Motivation
Golden Chickens is financially motivated, operating a MaaS platform enabling multiple cybercrime groups to conduct financially driven attacks such as credential theft, ransomware deployment, and data exfiltration.
Attack Types
- Spearphishing with social engineering lures (fake job offers, fake resumes)
- Malware distribution via malicious Windows shortcut files (LNK), ZIP archives, and obfuscated scripts
- Use of modular malware families including More_eggs backdoor, TerraStealer, TerraLoader, RevC2, and Venom Loader
- Command and control communication using HTTP/S with obfuscation
- Persistence via registry modifications and use of legitimate Windows utilities (LOLBins) for defense evasion
- Credential theft, keylogging, remote code execution, and network proxying
Breaches Involving This Threat Actor
No specific public breach disclosures directly attributed to Golden Chickens were found in the last year. However, their malware has been linked to campaigns targeting high-value organizations in financial, retail, and industrial sectors. Their malware is used by other financially motivated groups like FIN6 and Cobalt Group, which have been involved in significant breaches.
Links to Other APT Groups
- FIN6: A Russia-based financially motivated cybercrime group known for targeting financial institutions and enterprises. FIN6 uses Golden Chickens' MaaS tools, including the More_eggs backdoor, in spearphishing campaigns targeting recruiters with fake job applications. Shared TTPs include use of malicious LNK files, social engineering, and modular malware.
- Cobalt Group: Another Russia-based financially motivated group leveraging Golden Chickens' malware, including More_eggs, in operations targeting financial institutions. Shared infrastructure and malware code overlaps have been observed.
- Evilnum: Eastern European cybercrime group linked to Golden Chickens' malware, involved in espionage and financial theft, also using similar malware tools and delivery methods.
Similar Threat Actor Groups
- ClickFix: Shares overlapping tactics with Golden Chickens, including use of LNK files and social engineering.
- SideCopy: Pakistani financially motivated threat actor with similar phishing and malware distribution tactics, including overlaps with Golden Chickens' VenomLNK malware.
Technical Evidence of Affiliations
- Shared use of the More_eggs JScript backdoor by Golden Chickens, FIN6, and Cobalt Group
- Overlapping TTPs such as spearphishing with malicious LNK files disguised as resumes or job offers
- Shared infrastructure including command and control servers and malware loaders like TerraLoader
- Malware code overlaps and reuse of modular malware components across campaigns attributed to these groups
- Attribution to the same operator "badbullzvenom" (aka Jack) who developed More_eggs and related malware tools used by FIN6 and Cobalt Group
MITRE ATT&CK Techniques and TTPs
- T1566.001 – Spearphishing Attachment (Malicious LNK files)
- T1204.002 – User Execution: Malicious File
- T1059.005 – Command and Scripting Interpreter: Visual Basic / JScript
- T1071.001 – Application Layer Protocol: Web Protocols (C2 communication)
- T1543.003 – Create or Modify System Process (Persistence via registry)
- T1047 – Windows Management Instrumentation (Execution and discovery)
- T1112 – Modify Registry
- T1027 – Obfuscated Files or Information (Defense evasion)
- T1055 – Process Injection (Observed in some malware variants)
- T1083 – File and Directory Discovery
- T1005 – Data from Local System (Credential theft)
- T1113 – Screen Capture
- T1056.001 – Input Capture: Keylogging
- T1070.004 – Indicator Removal on Host: File Deletion
- T1499 – Endpoint Denial of Service (Ransomware deployment)
Actionable Recommendations
Email Security and User Awareness
- Deploy advanced email filtering to detect spearphishing with malicious LNK attachments.
- Conduct targeted user training on recognizing social engineering tactics, especially fake job offers and resumes.
Endpoint Detection and Response (EDR)
- Implement EDR solutions with detection rules for obfuscated scripts, malicious LNK files, and suspicious use of Windows utilities (e.g., ie4uinit.exe, regsvr32.exe).
- Example Sigma rule for detecting suspicious LNK execution (matched against Windows process-creation telemetry, e.g., Sysmon Event ID 1 or Security Event ID 4688):
    title: Suspicious LNK File Execution
    id: 12345678-90ab-cdef-1234-567890abcdef
    status: experimental
    description: Detects execution of LNK files with obfuscated commands
    logsource:
        category: process_creation
        product: windows
    detection:
        selection:
            Image|endswith: '\cmd.exe'
            CommandLine|contains: '.lnk'
        condition: selection
    level: medium
- Use YARA rules to detect More_eggs backdoor samples based on known strings and obfuscation patterns.
Network Monitoring and Intrusion Prevention
- Monitor and block known C2 domains and IPs associated with Golden Chickens and affiliated groups.
- Deploy network intrusion prevention systems (NIPS) to detect and disrupt C2 traffic.
Automated Response Playbooks
- Use platforms like Trend Micro Vision One to automate detection and response workflows, including endpoint isolation and IOC blocking.
Least Privilege and Network Segmentation
- Enforce least privilege access controls and segment networks to limit lateral movement.
Patch Management
- Maintain up-to-date systems and software to reduce exploitation risk.
Threat Intelligence Integration
- Subscribe to reputable threat intelligence feeds for timely updates on TTPs, IOCs, and emerging malware variants.
Forward-Looking Analysis
Golden Chickens' MaaS model is likely to evolve in response to increased law enforcement pressure and cybersecurity defenses. Anticipated trends include:
- Development of more sophisticated malware variants with enhanced evasion capabilities
- Expansion of MaaS offerings to include ransomware and data exfiltration modules
- Increased collaboration with other financially motivated groups, potentially blurring attribution further
- Use of more convincing social engineering lures leveraging current events and industry-specific themes
- Greater automation in attack delivery and response evasion, requiring enterprises to adopt AI-driven detection and response solutions
Enterprises should prepare for these developments by investing in adaptive security architectures, continuous threat hunting, and cross-industry intelligence sharing.
Recommendations, Actions and Next Steps
Recommendations
Enhance Email Security and User Awareness
- Deploy advanced email filtering solutions configured to detect spearphishing attempts involving malicious LNK files and social engineering lures such as fake job offers and resumes. Enable attachment sandboxing, block executable file types like LNK by default, and use DMARC, DKIM, and SPF to reduce spoofing.
- Conduct targeted, role-specific user training for employees in recruitment, financial, retail, and industrial sectors. Use simulated phishing campaigns focused on fake job offers and resumes to improve detection and reporting rates.
- Establish a feedback loop for users to report suspicious emails, enabling prompt analysis and response by security teams.
Deploy and Optimize Endpoint Detection and Response (EDR)
- Implement EDR tools with detection rules for obfuscated scripts, suspicious LNK file executions, and the use of legitimate Windows utilities (LOLBins) such as ie4uinit.exe and regsvr32.exe for persistence and defense evasion.
- Use or develop Sigma rules to detect suspicious LNK execution, for example (matched against Windows process-creation telemetry):
    title: Suspicious LNK File Execution
    id: 12345678-90ab-cdef-1234-567890abcdef
    status: experimental
    description: Detects execution of LNK files with obfuscated commands
    logsource:
        category: process_creation
        product: windows
    detection:
        selection:
            Image|endswith: '\cmd.exe'
            CommandLine|contains: '.lnk'
        condition: selection
    level: medium
- Incorporate YARA rules to detect More_eggs backdoor samples based on known strings and obfuscation patterns. Regularly update detection signatures based on threat intelligence feeds.
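As an added example (not code from this report or from any vendor it cites), the Python script below applies the EDR guidance in both recommendation sections to constructed Sysmon-style process-creation events: the Sigma rule's cmd.exe/.lnk logic, regsvr32.exe loading an .ocx from a user-writable path, mshta.exe script execution, ApplicationFrameHost.exe running outside System32, and DNS or SNI lookups for the exfiltration hosts the report names. The event records, paths and the EXFIL_HOSTS watchlist are assumed sample values.

```python
"""Detection checks from this report, run over constructed Windows telemetry."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 style process-creation record (constructed sample)."""
    image: str          # full path of the new process
    command_line: str


# Directories a standard user (and so a phishing payload run as that user) can write to.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Temp|ProgramData)\\", re.IGNORECASE)
# Exfiltration destinations named in the report (assumed watchlist; feed it from threat intel).
EXFIL_HOSTS = {"api.telegram.org", "wetransfers.io"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_lnk_to_cmd(ev: ProcEvent) -> Optional[str]:
    """Same logic as the report's Sigma rule: cmd.exe whose command line names a .lnk file."""
    if _basename(ev.image) == "cmd.exe" and ".lnk" in ev.command_line.lower():
        return "Suspicious LNK File Execution"
    return None


def check_regsvr32_ocx(ev: ProcEvent) -> Optional[str]:
    """regsvr32.exe registering an .ocx from a user-writable path (TerraStealerV2/TerraLogger pattern)."""
    cl = ev.command_line.lower()
    if _basename(ev.image) == "regsvr32.exe" and ".ocx" in cl and USER_WRITABLE.search(ev.command_line):
        return "regsvr32 OCX load from user-writable path"
    return None


def check_mshta(ev: ProcEvent) -> Optional[str]:
    """mshta.exe running a script from a URL, an inline protocol handler, or a user-writable path."""
    if _basename(ev.image) != "mshta.exe":
        return None
    cl = ev.command_line.lower()
    if "http" in cl or "javascript:" in cl or "vbscript:" in cl or USER_WRITABLE.search(ev.command_line):
        return "mshta script execution"
    return None


def check_sideload_host(ev: ProcEvent) -> Optional[str]:
    """ApplicationFrameHost.exe lives in System32; a copy elsewhere suggests DLL side-loading (Venom Loader)."""
    if (_basename(ev.image) == "applicationframehost.exe"
            and not ev.image.lower().startswith("c:\\windows\\system32\\")):
        return "ApplicationFrameHost outside System32 (possible DLL side-load)"
    return None


CHECKS = [check_lnk_to_cmd, check_regsvr32_ocx, check_mshta, check_sideload_host]


def scan_processes(events):
    """Run every check over every event; returns (rule, command_line) per matching pair, in event order."""
    findings = []
    for ev in events:
        for chk in CHECKS:
            rule = chk(ev)
            if rule:
                findings.append((rule, ev.command_line))
    return findings


def is_exfil_host(host: str) -> bool:
    """True when a DNS query or TLS SNI value is a watchlisted exfiltration domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in EXFIL_HOSTS)


# Constructed telemetry: four suspicious events mixed with two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\hr\Downloads\Resume_JDoe.pdf.lnk"'),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Users\hr\AppData\Local\Temp\update.ocx"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),  # benign
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\hr\AppData\Roaming\app\index.hta"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\Reports"),  # benign
    ProcEvent(r"C:\Users\hr\AppData\Roaming\Frame\ApplicationFrameHost.exe", "ApplicationFrameHost.exe"),
]

if __name__ == "__main__":
    for rule, cmd in scan_processes(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
    for host in ("api.telegram.org", "wetransfers.io", "cdn.example.net"):
        print(host, "->", "EXFIL" if is_exfil_host(host) else "ok")
```

The benign regsvr32 and cmd events produce no findings, which is the tuning point: path and argument context, not the LOLBin name alone, separates malicious use from routine installer activity.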
Strengthen Network Monitoring and Intrusion Prevention
- Continuously monitor network traffic for command and control (C2) communications using HTTP/S protocols with obfuscation patterns linked to Golden Chickens and affiliated groups.
- Block known malicious domains and IP addresses associated with their infrastructure using DNS filtering and firewall rules.
- Deploy network intrusion prevention systems (NIPS) to detect and disrupt C2 traffic and lateral movement attempts. Use behavioral analytics to identify anomalous traffic patterns.
Implement Automated Incident Response Playbooks
- Utilize security orchestration, automation, and response (SOAR) platforms such as Trend Micro Vision One or equivalent to automate detection, containment, and remediation workflows.
- Develop playbooks that include endpoint isolation, IOC blocking, user notification, and forensic data collection.
- Regularly test and update playbooks to adapt to evolving TTPs.
Enforce Least Privilege Access Controls and Network Segmentation
- Apply strict access controls to minimize user privileges, especially for accounts in targeted sectors like finance and recruitment.
- Segment networks to contain potential breaches and limit lateral movement by attackers leveraging Golden Chickens’ modular malware.
- Regularly audit permissions and network segmentation effectiveness.
Establish Continuous Threat Intelligence Integration and Review
- Subscribe to reputable threat intelligence feeds that provide timely updates on TTPs, IOCs, and emerging malware variants related to Golden Chickens and affiliated groups.
- Integrate threat intelligence into security tools for automated blocking and detection.
- Review and update detection rules, response playbooks, and user training materials regularly based on the latest intelligence.
Participate in Industry Threat Intelligence Sharing Groups
- Engage with sector-specific Information Sharing and Analysis Centers (ISACs) and cybersecurity communities to share and receive intelligence on Golden Chickens and related threats.
- Collaborate on best practices, detection techniques, and coordinated response efforts to enhance collective defense.
Suggested Pivots
- What are the specific technical characteristics and evasion techniques employed by the newly identified TerraStealerV2 and TerraLogger malware families, and how do these impact current detection and mitigation strategies in enterprise environments?
- How does the shared use of Golden Chickens' MaaS platform by groups like FIN6 and Cobalt Group complicate attribution efforts, and what are the implications for identifying and disrupting shared infrastructure and malware code reuse?
- How effective are current spearphishing detection mechanisms and user awareness programs against Golden Chickens' social engineering tactics, particularly those involving fake job offers and malicious LNK files targeting recruitment and financial sector personnel, and what improvements can be made?
- Which specific AI-driven automation and evasion techniques (e.g., polymorphic malware, automated spearphishing campaigns, adaptive payload delivery) are anticipated in Golden Chickens' future operations, and how should enterprise security architectures evolve to counter these threats?
- How can cross-sector threat intelligence sharing and collaborative defense mechanisms be optimized to address the risks posed by Golden Chickens' modular malware and overlapping TTPs with other financially motivated groups, thereby reducing the likelihood and impact of multi-sector attacks?
Forecast
Short-Term Forecast (3-6 months)
Expansion and Active Deployment of TerraStealerV2 and TerraLogger with Enhanced Technical Sophistication
TerraStealerV2 and TerraLogger, newly identified malware families from Golden Chickens, will see increased deployment in targeted spearphishing campaigns, particularly against financial, retail, and industrial sectors. TerraStealerV2 focuses on stealing browser credentials, cryptocurrency wallets, and browser extensions, while TerraLogger introduces keylogging capabilities using a WH_KEYBOARD_LL hook. Both malware families are under active development and already employ advanced evasion techniques, such as execution via regsvr32.exe (OCX payloads), XOR string deobfuscation, and exfiltration via Telegram and custom C2 domains.
This sophistication complicates detection, requiring enterprises to update EDR rules to detect regsvr32-based OCX execution, obfuscated payloads, and network traffic to Telegram APIs and newly registered domains like wetransfers[.]io.
Examples:
- TerraStealerV2’s current inability to bypass Chrome’s Application Bound Encryption (ABE) suggests ongoing development and potential for future upgrades.
- TerraLogger’s use of low-level keyboard hooks for keystroke capture is a new capability for Golden Chickens, increasing the risk of credential and sensitive data theft.
- Delivery via multiple file types (LNK, MSI, DLL, EXE) and use of trusted Windows utilities (regsvr32.exe, mshta.exe) for execution and evasion.
Continued Use and Evolution of Venom Loader and RevC2 in Modular MaaS Campaigns
Venom Loader and RevC2 will remain central to Golden Chickens’ MaaS operations, with campaigns leveraging social engineering lures such as cryptocurrency transaction and API documentation-themed bait. Venom Loader’s victim-specific payload encoding (using the computer name as the XOR key) and DLL side-loading via ApplicationFrameHost.exe demonstrate advanced evasion and persistence techniques. RevC2’s WebSocket-based C2 communication supports remote code execution, cookie and password theft, screenshot capture, and proxying of network traffic, enabling multi-faceted espionage and credential theft.
Enterprises must monitor for WebSocket C2 traffic on non-standard ports and detect DLL side-loading and obfuscated batch/VBS scripts used in initial infection chains.
Examples:
- RevC2’s command set includes executing shell commands, stealing cookies and passwords, taking screenshots, and proxying traffic, indicating a versatile backdoor.
- Venom Loader’s persistence via autorun registry keys and multi-stage payload execution using PowerShell and VBS scripts.
Intensified Spearphishing Campaigns Targeting Recruitment and Financial Sector Employees with Malicious LNK Files
Golden Chickens will continue to exploit social engineering vectors, particularly fake job offers and resumes delivered via malicious Windows shortcut (LNK) files. These LNK files often contain obfuscated batch or VBScript code that initiates multi-stage payload delivery, including loaders and backdoors. The use of LNK files remains a favored initial access vector due to their ability to bypass some email filters and user suspicion.
Security teams should prioritize detection of suspicious LNK execution patterns, including command lines invoking regsvr32.exe or mshta.exe, and conduct targeted phishing awareness training for high-risk roles.
Examples:
- Overlap of LNK file samples with other groups like ClickFix, indicating shared or copied TTPs.
- Historical success of FIN6 and Cobalt Group using similar LNK-based spearphishing campaigns.
Increased Use of Legitimate Windows Utilities (LOLBins) for Execution, Persistence, and Defense Evasion
The use of LOLBins such as regsvr32.exe, mshta.exe, wmic.exe, and ApplicationFrameHost.exe will increase as Golden Chickens and affiliates leverage these trusted binaries to execute malicious payloads, sideload DLLs, and maintain persistence. This complicates detection, as these utilities are commonly used in legitimate operations.
Behavioral detection and anomaly-based monitoring of these utilities’ usage patterns will be critical to identifying malicious activity.
Examples:
- Venom Loader’s DLL sideloading via ApplicationFrameHost.exe.
- TerraStealerV2 and TerraLogger execution via regsvr32.exe invoking OCX payloads.
Heightened Network Monitoring for Obfuscated C2 Communications and Newly Registered Domains
Network defenders should focus on detecting and blocking C2 communications over HTTP/S and WebSocket protocols, especially those involving obfuscated payloads and newly registered domains such as wetransfers[.]io. The use of Telegram APIs for data exfiltration is a novel vector requiring specialized monitoring.
Integration of threat intelligence feeds with updated IOCs and domain reputation data will enhance detection capabilities.
Examples:
- TerraStealerV2 exfiltrating data to Telegram channels and wetransfers[.]io.
- RevC2’s WebSocket C2 communication on non-standard ports (e.g., 8082).
Long-Term Forecast (12-24 months)
MaaS Platform Evolution to Incorporate Ransomware and Advanced Data Exfiltration Modules
Golden Chickens is expected to expand its MaaS offerings to include ransomware deployment capabilities (e.g., TerraCrypt) and more sophisticated data exfiltration modules, increasing the potential impact and monetization of attacks. This evolution aligns with trends observed in other MaaS providers who diversify payloads to maximize revenue and operational flexibility.
Enterprises should prepare for multi-stage attacks combining credential theft, ransomware, and data destruction, requiring integrated detection and response strategies.
Examples:
- Endpoint denial of service (T1499) anticipated through ransomware modules.
- Historical parallels with Emotet’s evolution from banking trojan to ransomware distributor.
Adoption of AI-Driven Automation and Polymorphic Techniques for Attack Delivery and Evasion
Golden Chickens and affiliated groups will likely incorporate AI and machine learning to automate spearphishing campaigns, dynamically generate social engineering lures, and polymorph malware payloads to evade signature-based detection. This will increase attack precision and reduce detection rates.
Security architectures must evolve to include AI-powered behavioral analytics, anomaly detection, and adaptive response capabilities to counter these advanced threats.
Examples:
- Industry trends toward AI-enhanced phishing and malware obfuscation.
- Analogous developments in other threat actor toolkits leveraging AI for evasion and targeting.
Increasing Attribution Challenges Due to Shared Infrastructure and Modular Malware Use
The continued sharing of malware components, infrastructure, and TTPs among Golden Chickens, FIN6, Cobalt Group, and Evilnum will further complicate attribution efforts. This will hinder law enforcement and cybersecurity teams’ ability to disrupt operations and may lead to misattribution or underestimation of threat actor capabilities.
Enhanced collaboration among intelligence communities and use of multi-dimensional attribution techniques will be necessary.
Examples:
- Overlapping use of the More_eggs backdoor and TerraLoader infrastructure.
- Similar attribution challenges faced with the TrickBot and Ryuk ransomware ecosystems.
Expansion of Targeting to Critical Infrastructure and Technology Sectors
Motivated by higher-value targets and potential geopolitical impact, Golden Chickens and affiliates may expand operations to critical infrastructure sectors (energy, healthcare) and technology companies, leveraging their MaaS platform for espionage, sabotage, and financial theft.
This shift will increase the risk of large-scale disruptions and require sector-specific defensive measures.
Examples:
- Early targeting of industrial services and technology sectors noted in campaigns.
- Parallels with FIN6’s occasional targeting of energy and manufacturing sectors.
Maturation of Cross-Sector Threat Intelligence Sharing and Coordinated Defense Mechanisms
In response to the evolving threat landscape, enterprises, governments, and ISACs will enhance cross-sector intelligence sharing and coordinated defense initiatives. Automated SOAR playbooks, shared detection rules, and joint incident response will improve resilience against Golden Chickens’ modular and collaborative attacks.
Sustained investment in trust-building and information sharing frameworks will be critical.
Examples:
- Use of automated detection and response playbooks integrating threat intelligence feeds.
- Lessons from coordinated responses to ransomware outbreaks like WannaCry and NotPetya.
AlphaHunt
(c) 2025 CSIRT Gadgets, LLC
License - CC BY-SA 4.0