Venom Spider, Golden Chickens

Description

(Proofpoint) Since the middle of 2018, Proofpoint has been tracking campaigns abusing legitimate messaging services, offering fake jobs, and repeatedly following up via email to ultimately deliver the More_eggs backdoor. These campaigns primarily targeted US companies in various industries including retail, entertainment, pharmacy, and others that commonly employ online payments, such as online shopping portals.

The actor sending these campaigns attempts to establish rapport with potential victims by abusing LinkedIn’s direct messaging service. In direct follow-up emails, the actor pretends to be from a staffing company with an offer of employment. In many cases, the actor supports the campaigns with fake websites that impersonate legitimate staffing companies. These websites, however, host the malicious payloads. In other cases, the actor uses a range of malicious attachments to distribute More_eggs.

Taurus Loader has been observed to distribute GandCrab and Sodinokibi (Pinchy Spider, Gold Southfield) and Trickbot (Wizard Spider, Gold Blackburn), as well as their own tool More_eggs.

Names

Name	Name-Giver
Venom Spider	CrowdStrike
Golden Chickens	QuoINT
TA4557	Arctic Wolf

Country

• Russia

Motivation

• Financial gain

First Seen

2017

Observed Sectors

• Entertainment
• Financial
• Pharmaceutical
• Retail

Observed Countries

• USA

Tools

• lite_more_eggs
• More_eggs
• Taurus Loader
• TerraCrypt
• TerraLogger
• TerraPreter
• TerraRecon
• TerraStealer
• TerraTV
• TerraWiper
• ThreatKit
• VenomKit
• VenomLNK

Operations

• 2019-02: Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/
• 2023-10: Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/
• 2025-01: TerraStealerV2 and TerraLogger: Golden Chickens’ New Malware Families Discovered https://go.recordedfuture.com/hubfs/reports/cta-2025-0501.pdf

Information

• https://quointelligence.eu/2018/11/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using/
• https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648
• https://quointelligence.eu/2020/01/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors/
• https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers
• https://www.esentire.com/web-native-pages/unmasking-venom-spider
• https://www.esentire.com/web-native-pages/the-hunt-for-venom-spider-part-2

Other Information

Uuid

b7504991-61c8-41dc-9a22-664ece91c20f

Last Card Change

2025-06-27