Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims

May 5, 2025, 6:09 p.m.

Description

Arctic Wolf Labs discovered a new campaign by Venom Spider targeting corporate HR departments with fake resumes that deliver the More_eggs backdoor. The financially motivated threat group uses spear-phishing emails and abuses legitimate job platforms to apply for real job openings. The backdoor can steal credentials, customer data, and intellectual property. Several upgrades were found, including server-side polymorphism, where the payload is generated afresh for each download so that no two victims receive the same file, and additional evasion techniques. The attack chain involves obfuscated JavaScript, LNK files, and a dropper that generates polymorphic code. Because of the polymorphism, the hash indicators below identify only the analysed samples; a freshly served copy will carry a different hash, so detection should not rely on file hashes alone. Organizations are advised to train employees on phishing awareness, especially those in HR, who regularly open attachments from unknown senders.
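To make the server-side polymorphism point concrete, the following is an added illustration, not Venom Spider's code and not anything from the Arctic Wolf report. It uses a constructed, benign JavaScript template (with a hypothetical sink named `deliver`) to stand in for a first-stage dropper, simulates a server that rewrites identifier names, whitespace, numeric literals and junk comments on every request, and shows that while each served copy has a different SHA-1 (so a hash-based indicator never fires twice), a structural fingerprint computed from a canonicalised token stream is identical across all copies.

```python
"""Toy model of server-side polymorphism, and a structural fingerprint that
survives it.  Constructed illustration, not Venom Spider's code."""
import hashlib
import random
import re
import string

# Constructed stand-in for a first-stage JavaScript dropper: decode a string,
# hand it to a sink.  `deliver` is a hypothetical sink name, nothing more.
TEMPLATE = '''function decode(payload) {
    var out = "";
    for (var i = 0; i < payload.length; i++) {
        out += String.fromCharCode(payload.charCodeAt(i) ^ 0x5a);
    }
    return out;
}
var blob = "encoded-second-stage-goes-here";
deliver(decode(blob));
'''

TOKEN_RE = re.compile(
    r'(?P<str>"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\')'
    r"|(?P<comment>//[^\n]*|/\*.*?\*/)"
    r"|(?P<num>0[xX][0-9a-fA-F]+|\d+)"
    r"|(?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)"
    r"|(?P<ws>\s+)"
    r"|(?P<punct>.)",
    re.S,
)
KEYWORDS = {"function", "var", "let", "const", "for", "while", "if", "else",
            "return", "new", "true", "false", "null", "this"}
GLOBALS = {"String", "Math", "deliver"}   # never renamed: not local symbols


def tokenize(src):
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(src)]


def parse_num(text):
    return int(text, 16) if text[:2].lower() == "0x" else int(text, 10)


def is_local_symbol(tokens, idx):
    """True for identifiers a polymorphic server may rename: not a keyword,
    not a known global, and not a property name (the token after a '.')."""
    kind, text = tokens[idx]
    if kind != "ident" or text in KEYWORDS or text in GLOBALS:
        return False
    j = idx - 1
    while j >= 0 and tokens[j][0] in ("ws", "comment"):
        j -= 1
    return not (j >= 0 and tokens[j][1] == ".")


def fresh_name(rng, taken):
    while True:
        name = "_" + "".join(rng.choice(string.ascii_lowercase)
                             for _ in range(rng.randint(6, 12)))
        if name not in taken:
            return name


def serve_variant(template, rng):
    """What a polymorphic server does per request: random identifier names,
    random whitespace, random radix for numeric literals, junk block comments.
    Every copy has a new hash; every copy does the same thing."""
    tokens = tokenize(template)
    names, out = {}, []
    for idx, (kind, text) in enumerate(tokens):
        if is_local_symbol(tokens, idx):
            if text not in names:
                names[text] = fresh_name(rng, set(names.values()))
            text = names[text]
        elif kind == "num":
            value = parse_num(text)
            text = hex(value) if rng.random() < 0.5 else str(value)
        elif kind == "ws":
            text = ("\n" + " " * rng.randint(0, 8)) if "\n" in text \
                else " " * rng.randint(1, 4)
        elif kind == "comment":
            continue
        out.append(text)
        if text == ";" and rng.random() < 0.5:   # block comment: safe inside for(;;)
            out.append(" /* %s */" % "".join(rng.choice("0123456789abcdef")
                                               for _ in range(16)))
    return "".join(out)


def structural_fingerprint(src):
    """Canonical form the polymorphism cannot change: drop comments and
    whitespace, alpha-rename local symbols in order of first appearance,
    write numbers in decimal, hash the token stream."""
    tokens = tokenize(src)
    names, canon = {}, []
    for idx, (kind, text) in enumerate(tokens):
        if kind in ("ws", "comment"):
            continue
        if is_local_symbol(tokens, idx):
            text = names.setdefault(text, "v%d" % len(names))
        elif kind == "num":
            text = str(parse_num(text))
        canon.append(text)
    return hashlib.sha256(" ".join(canon).encode()).hexdigest()


def demo(seed=0, copies=3):
    """Returns (distinct raw SHA-1s, distinct fingerprints, fingerprint == template's)."""
    rng = random.Random(seed)
    variants = [serve_variant(TEMPLATE, rng) for _ in range(copies)]
    raw = {hashlib.sha1(v.encode()).hexdigest() for v in variants}
    fps = {structural_fingerprint(v) for v in variants}
    return len(raw), len(fps), fps == {structural_fingerprint(TEMPLATE)}


if __name__ == "__main__":
    print(demo())   # (3, 1, True): three hashes, one fingerprint
```

The normaliser here only undoes the transformations the toy server applies. A real polymorphic server can also insert dead code, reorder independent statements and re-encode strings, which this token-level canonicalisation does not remove; the durable signal in that case is behaviour (for example a script host being launched from an attachment opened out of a mail client), not the bytes of any one download.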

Date

  • Created: May 3, 2025, 3:04 a.m.
  • Published: May 3, 2025, 3:04 a.m.
  • Modified: May 5, 2025, 6:09 p.m.

Indicators

  • d68d0668ee588e9229e7c1eb20da20b7b04e15c3 (SHA-1)
  • 376c809afd6aad06121e199e70477ad9ebaf0795 (SHA-1)
  • f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016 (SHA-256)

Attack Patterns

Additional Information

  • Pharmacy
  • Retail
  • Entertainment
  • United States of America