Venom Spider Uses Job-Application Résumés for Phishing Attacks
Venom Spider uses phishing emails disguised as job-seeker résumés to target corporate HR departments and deliver the More_eggs backdoor. The attack hides a malicious LNK file inside a ZIP archive, uses Living-Off-the-Land techniques to evade detection, and employs a dual-layer encryption scheme to defeat sandbox analysis. The campaign shows that HR departments have become a critical line of cyber defense. 2025-5-5 00:46:8 Author: securityonline.info

In a newly released analysis, Arctic Wolf Labs has documented a sophisticated phishing campaign orchestrated by the financially motivated threat actor Venom Spider (TA4557). This latest wave of attacks exploits a near-universal vulnerability across industries: the hiring process. By crafting malicious payloads disguised as resumes and delivered through job applications, the group spreads its infamous More_eggs backdoor with new levels of stealth and obfuscation.

“Venom Spider continues to use job seekers as a lure targeting HR departments and corporate recruiters in its phishing campaigns,” Arctic Wolf explains.

This campaign marks a tactical escalation. Instead of focusing solely on e-commerce and payment-heavy sectors, the attackers are now targeting corporate HR departments and recruiters—individuals who routinely open attachments from unknown senders.

“The recruiters and hiring managers who work in HR departments are often considered to be the weak point… as the very nature of their job means that they must regularly open email attachments,” the report warns.

The attack begins with a spear-phishing email claiming to be a job seeker’s application. Victims are directed to an actor-controlled site (e.g., ryanberardi[.]com) containing a CAPTCHA prompt—a clever step to defeat automated scanners. Once passed, the victim downloads a ZIP file with:

  • A decoy image (g.jpg)
  • A malicious .lnk file disguised as a resume

[Figure: Obfuscated Windows Command Shell script in the downloaded LNK file | Image: Arctic Wolf]

Each .lnk file is generated polymorphically, meaning the malware’s code structure and size differ with each download.

When opened, the shortcut launches WordPad as a distraction while executing a hidden obfuscated batch script, which in turn leverages a Living-Off-the-Land Binary (LOLBIN): ie4uinit.exe. This Windows utility executes a malicious script stored in %temp%\ieuinit.inf, initiating the next stage of infection.

“This is a living-off-the-land (LOTL) technique… to use a legitimate application… to execute commands and run JavaScript code,” the report explains.

The batch script triggers a JavaScript payload from hxxp://doefstf[.]ryanberardi[.]com/ikskck, which drops a DLL—named More_eggs_Dropper—into the victim’s %AppData% directory. Registered with regsvr32, this library:

  • Generates polymorphic JavaScript
  • Delays execution to evade sandboxing
  • Uses RC4-like encryption and brute-force decryption keys
  • Stores components like msxsl.exe to run embedded XML/JS
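As an added defender-side example (not code from the report or from Arctic Wolf), the following Python flags the LOLBIN chain described above in constructed Sysmon-style process-creation events: ie4uinit.exe spawned by a script interpreter or from a user temp directory, regsvr32 registering a DLL under %AppData%, and msxsl.exe running from the user profile. The event field names and the sample events are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (assumed field names; not from the report).
# pid 4 is a benign ie4uinit.exe run from System32 under a system process and must not fire.
SAMPLE_EVENTS = [
    {"pid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cwd": r"C:\Users\hr\Downloads", "cmdline": r'cmd.exe /c start "" wordpad.exe'},
    {"pid": 2, "image": r"C:\Windows\System32\ie4uinit.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cwd": r"C:\Users\hr\AppData\Local\Temp", "cmdline": r"ie4uinit.exe"},
    {"pid": 3, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cwd": r"C:\Users\hr\AppData\Local\Temp",
     "cmdline": r"regsvr32.exe /s C:\Users\hr\AppData\Roaming\dropper.dll"},
    {"pid": 4, "image": r"C:\Windows\System32\ie4uinit.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cwd": r"C:\Windows\System32", "cmdline": r"ie4uinit.exe"},
    {"pid": 5, "image": r"C:\Users\hr\AppData\Roaming\msxsl.exe",
     "parent_image": r"C:\Windows\System32\regsvr32.exe",
     "cwd": r"C:\Users\hr\AppData\Roaming", "cmdline": r"msxsl.exe a.xml b.xsl"},
]

USER_TEMP = re.compile(r"\\appdata\\local\\temp(\\|$)", re.I)
APPDATA = re.compile(r"\\appdata\\", re.I)


def basename(path):
    """Last path component, lower-cased, so rules match regardless of install path or case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule) pairs for events matching stages of the More_eggs delivery chain."""
    hits = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        cwd, cmdline = ev.get("cwd", ""), ev.get("cmdline", "")
        # ie4uinit.exe launched by a script interpreter or from %temp% matches the
        # stage that reads the attacker's ieuinit.inf; a system-spawned run does not.
        if image == "ie4uinit.exe" and (parent == "cmd.exe" or USER_TEMP.search(cwd)):
            hits.append((ev["pid"], "ie4uinit_from_script_or_temp"))
        # regsvr32 registering a DLL from the roaming profile matches the dropper stage.
        if image == "regsvr32.exe" and APPDATA.search(cmdline):
            hits.append((ev["pid"], "regsvr32_dll_from_appdata"))
        # msxsl.exe is not shipped with Windows; a copy running from a user profile is suspect.
        if image == "msxsl.exe" and APPDATA.search(ev["image"]):
            hits.append((ev["pid"], "msxsl_from_user_profile"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Running it over the sample events reports pids 2, 3 and 5; the benign ie4uinit.exe run (pid 4) and the WordPad decoy launch (pid 1) stay silent.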

The payload employs a dual-layer encryption scheme, using hard-coded keys combined with system-specific details such as:

  • Computer name
  • Processor identifier

This renders sandbox analysis ineffective.

“It is impossible to obtain the final stage of More_eggs without having encryption keys that are specifically generated for the devices being targeted,” the report writes.

Once active, the backdoor contacts its C2 server at tool[.]municipiodechepo[.]org and supports multiple commands:

  • d&exec – Download and execute a PE file
  • gtfo – Self-removal
  • via_c – Run commands via cmd.exe
  • more_time – Exfiltrate results
  • more_onion – Run additional JS via msxsl.exe

Venom Spider’s infrastructure spans Amazon-hosted domains and GoDaddy-based C2 servers. Domains like ryanberardi[.]com and municipiodechepo[.]org are cloaked behind “Domains by Proxy, LLC”, using nested subdomains and redirections to bypass scanners.

HR departments must now be treated as frontline cybersecurity stakeholders—not just administrative support.


Source: https://securityonline.info/venom-spider-evolves-arctic-wolf-exposes-more_eggs-campaign-targeting-hr/