{
  "name": "Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims",
  "slug": "venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims",
  "description": "Arctic Wolf Labs discovered a new campaign by Venom Spider targeting corporate HR departments with fake resumes containing the More_eggs backdoor. The financially motivated threat group uses spear-phishing emails and abuses legitimate job platforms to apply for real jobs. The backdoor can steal credentials, customer data, and intellectual property. Several upgrades were found, including server-side polymorphism and evasion techniques. The attack chain involves obfuscated JavaScript, LNK files, and a dropper that generates polymorphic code. Organizations are advised to train employees on phishing awareness, especially those in HR who regularly open attachments from unknown senders.",
  "published": "2025-05-03T01:04:29+00:00",
  "created_at": "2025-05-03T01:04:29+00:00",
  "modified_at": "2025-05-05T16:09:03+00:00",
  "created_at_opencti": "2025-05-03T01:04:29+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-03",
    "backdoor",
    "evasion",
    "javascript",
    "lnk files",
    "more_eggs",
    "polymorphism",
    "spear-phishing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "d68d0668ee588e9229e7c1eb20da20b7b04e15c3"
      },
      {
        "id": "",
        "name": "376c809afd6aad06121e199e70477ad9ebaf0795"
      },
      {
        "id": "",
        "name": "f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016"
      }
    ],
    "malware": [
      {
        "id": "819de08e-90ff-4114-b86e-6bc32942a4a3",
        "name": "More_eggs - S0284",
        "slug": "more_eggs-s0284"
      }
    ],
    "intrusion_sets": [
      {
        "id": "bed13787-30c2-48cf-9e23-059682013ce3",
        "name": "Venom Spider",
        "slug": "venom-spider"
      }
    ],
    "attack_patterns": [
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Pharmacy"
      },
      {
        "id": "",
        "name": "Retail"
      },
      {
        "id": "",
        "name": "Entertainment"
      }
    ]
  },
  "external_refs": [
    "https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims",
    "https://otx.alienvault.com/pulse/681587bd6ded7af256a18a26"
  ]
}