Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery
Essential information
- Published
- 11/06/2025 09:28
- Modified
- 11/06/2025 10:21
- Tags
- 2025-06-11 aws backdoor cloud infrastructure evasion techniques more_eggs phishing resume lures skeleton spider social engineering
- Related entities
- 24 observables, 1 intrusion sets (apt), 23 techniques (mitre), 4 malware
Description
Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has evolved from POS breaches to broader enterprise threats. They employ social engineering tactics, posing as job seekers on platforms like LinkedIn to deliver phishing messages. Their preferred payload is more_eggs, a JavaScript-based backdoor. The group uses trusted cloud services like AWS to host malicious infrastructure, evading detection. Their phishing emails impersonate job applicants, with domains mimicking real names. FIN6 employs sophisticated filtering techniques to ensure malware delivery only to intended targets. The more_eggs malware, developed by Venom Spider, allows for command execution and credential theft. Defense strategies include cautious handling of resume links, blocking execution of suspicious files, and implementing EDR policies.