More_eggs
More_eggs is a JavaScript/JScript-based backdoor and downloader, also tracked under the names SKID, SpicyOmelette, and Terra Loader (Terra_Loader). It is closely associated with the Golden Chickens malware-as-a-service ecosystem and has been attributed in public reporting to TA4557, FIN6, Cobalt Group, Evilnum, GOLD KINGSWOOD, and Venom Spider/Golden Chickens. Reported targeting includes U.S. companies, FinTech organizations in the UK and EU, recruiters and hiring personnel, anti-money-laundering officers at financial institutions, and environments that handle online payments or operate ATM networks.
Delivery relies almost entirely on social engineering. Observed infection vectors include fake job and recruiter lures sent over LinkedIn messaging and followed up by email, malicious resumes, ZIP archives containing LNK files, password-protected Word documents with macros, PDFs carrying malicious URLs, spoofed staffing-company or resume websites, CAPTCHA-gated downloads, and intermediate JScript loaders. In one reported chain, an LNK file abused the legitimate Windows binary ie4uinit.exe to download and execute a scriptlet, which decrypted and dropped a DLL into %APPDATA%\Microsoft. That DLL applied anti-sandbox and anti-analysis techniques, checked for a debugger via NtQueryInformationProcess, ran a deliberately slow loop to retrieve the RC4 key needed to decrypt the More_eggs backdoor, dropped More_eggs together with the msxsl.exe binary, attempted to spawn regsvr32.exe to execute the DLL (via WMI or an ActiveX Run method), then created an msxsl.exe process through WMI and deleted itself.
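The chain above maps onto a small set of process-creation hunts: a relocated or oddly-homed ie4uinit.exe, regsvr32.exe or msxsl.exe spawned by WMI, any msxsl.exe execution at all, and regsvr32.exe pointed at a DLL under %APPDATA%\Microsoft. The Python below is an added example written for this page, not Mallory's code or any vendor's detection content. It runs those four heuristics over constructed records with Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine, CurrentDirectory); the sample events, the user name jdoe, the file name example.dll, and the command-line switches are assumptions made for the illustration.

```python
"""Hunt for the More_eggs delivery chain in process-creation telemetry.

Added example for this page, not Mallory's or any vendor's detection code.
Records use Sysmon Event ID 1 style field names; the sample events and the
paths, user name and file names in them are constructed for the demo.
"""
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
APPDATA_DLL = re.compile(r"\\appdata\\roaming\\microsoft\\[^\\]+\.dll\b", re.I)


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _in_system_dir(path):
    """True when the path is System32/SysWOW64 itself or lies under it."""
    return (path.lower().rstrip("\\") + "\\").startswith(SYSTEM_DIRS)


def rule_ie4uinit_scriptlet(ev):
    """ie4uinit.exe is a signed Windows binary that reads ie4uinit.inf from
    its working directory; the reported chain abuses that to download and run
    a scriptlet. Flag a copy of the binary outside the system directories, or
    a run whose working directory is outside them, since either lets an
    attacker supply the .inf (heuristic: benign runs stay in System32)."""
    if _base(ev["Image"]) != "ie4uinit.exe":
        return False
    cwd = ev.get("CurrentDirectory")
    return (not _in_system_dir(ev["Image"])
            or (cwd is not None and not _in_system_dir(cwd)))


def rule_wmi_spawned_lolbin(ev):
    """Processes created through WMI (Win32_Process.Create) get WmiPrvSE.exe
    as their parent. regsvr32.exe or msxsl.exe under that parent matches the
    'regsvr32 via WMI, then an MSXSL process' step of the reported chain."""
    return (_base(ev["ParentImage"]) == "wmiprvse.exe"
            and _base(ev["Image"]) in {"regsvr32.exe", "msxsl.exe"})


def rule_msxsl_execution(ev):
    """msxsl.exe is a Microsoft command-line XSLT tool that Windows does not
    ship, so any execution is rare in a fleet; More_eggs drops its own copy."""
    return _base(ev["Image"]) == "msxsl.exe"


def rule_regsvr32_appdata_dll(ev):
    """regsvr32.exe registering a DLL under %APPDATA%\\Microsoft, the drop
    location reported for the loader DLL."""
    return (_base(ev["Image"]) == "regsvr32.exe"
            and APPDATA_DLL.search(ev.get("CommandLine", "")) is not None)


RULES = (rule_ie4uinit_scriptlet, rule_wmi_spawned_lolbin,
         rule_msxsl_execution, rule_regsvr32_appdata_dll)


def hunt(events):
    """Return (rule name, Image) pairs for every rule that fires on every event."""
    return [(rule.__name__, ev["Image"])
            for ev in events for rule in RULES if rule(ev)]


# Constructed sample telemetry: one benign ie4uinit run, one benign regsvr32
# run (installer), and three events shaped like the reported More_eggs chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ie4uinit.exe",
     "ParentImage": r"C:\Windows\System32\runonce.exe",
     "CommandLine": "ie4uinit.exe -UserConfig",
     "CurrentDirectory": r"C:\Windows\System32"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "CurrentDirectory": r"C:\Windows\System32"},
    # LNK copied ie4uinit.exe next to an attacker-supplied ie4uinit.inf
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\ie4uinit.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "ie4uinit.exe -BaseSettings",
     "CurrentDirectory": r"C:\Users\jdoe\AppData\Local\Temp"},
    # loader DLL executed through a WMI-created regsvr32
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\jdoe\AppData\Roaming\Microsoft\example.dll",
     "CurrentDirectory": r"C:\Windows\System32"},
    # dropped msxsl.exe started through WMI
    {"Image": r"C:\Users\jdoe\AppData\Roaming\Microsoft\msxsl.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"msxsl.exe C:\Users\jdoe\AppData\Roaming\Microsoft\a.xml C:\Users\jdoe\AppData\Roaming\Microsoft\b.xsl",
     "CurrentDirectory": r"C:\Users\jdoe\AppData\Roaming\Microsoft"},
]

if __name__ == "__main__":
    for rule_name, image in hunt(SAMPLE_EVENTS):
        print(f"{rule_name:28} {image}")
```

The two benign events produce no hits; the three chain events produce five, because the WMI-parent rule overlaps with the regsvr32 and msxsl rules on the same records. That overlap is deliberate: a single event matching two independent heuristics is a stronger triage signal than either alone.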
Capabilities described for the family include establishing persistence, profiling the infected machine, collecting the username of the victim host, harvesting sensitive information and credentials, downloading or dropping additional payloads, and running follow-on tasks after initial compromise. It has been described as able to open a reverse shell, and some builds use signed shellcode loaders and signed DLLs. More_eggs issues HTTP GET requests to a neutral website to check for internet connectivity, executes its malicious DLL with regsvr32.exe, and layers basE91 encoding over encryption for its command-and-control traffic. SpicyOmelette-specific functionality includes executing arbitrary JavaScript on the compromised host and identifying payment systems, payment gateways, and ATM systems in the victim environment.
High-confidence indicators explicitly provided in the content include the domains wlynch.com and annetterawlings.com, and the SHA-256 hashes 9d9b38dffe43b038ce41f0c48def56e92dba3a693e3b572dbd13d5fbc9abc1e4, 6ea619f5c33c6852d6ed11c52b52589b16ed222046d7f847ea09812c4d51916d, and 010b72def59f45662150e08bb80227fe8df07681dcf1a8d6de8b068ee11e0076.
Vulnerabilities exploited
6 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
VenomKit We use this name to describe documents generated by a builder purchased from the same seller as Taurus builder. Depending on the variant it may exploit CVE-2017-0199, CVE-2017-8570, CVE-2017-8759, CVE-2017-11882, CVE-2018-0802, and/or CVE-2018-8174.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Among the tools used by the Evilnum group are More_eggs, TerraPreter, TerraStealer, and TerraTV.
The DLL employs anti-sandbox and anti-analysis techniques. It incorporates a loop specifically designed to retrieve the RC4 key necessary for deciphering the More_Eggs backdoor... The DLL drops the More_Eggs backdoor along with the MSXSL executable... More_Eggs can be used to establish persistence, profile the machine, and drop additional payloads.
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
5 techniques
The URLs link to a landing page that spoofs a real talent and staffing management company... The landing page initiates a download of a Microsoft Word file.
These campaigns demonstrated considerable variability... Completely benign emails without a malicious attachment or URL attempting to further establish rapport.
In other cases, this actor used an attached PDF with embedded URLs or other malicious attachments... some campaigns also used malicious attachments instead of URLs in the email.
Execution
6 techniques
it attempts to create a new regsvr32 process to execute the DLL using Windows Management Instrumentation (WMI) ... Subsequently, it initiates the creation of the MSXSL process using the WMI service.
download and execute a scriptlet from a location stored in the "ie4uinit.inf" file
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Figure 4: Example malicious Microsoft Word document that uses macros to download More_eggs.
Persistence
2 techniques
Privilege Escalation
2 techniques
Stealth
8 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
The LNK, if executed, abuses legitimate software functions in "ie4uinit.exe" to download and execute a scriptlet
it attempts to create a new regsvr32 process to execute the DLL using Windows Management Instrumentation (WMI)
The DLL employs anti-sandbox and anti-analysis techniques. It incorporates a loop specifically designed to retrieve the RC4 key necessary for deciphering the More_Eggs backdoor. This loop is strategically crafted to extend its execution time, enhancing its evasion capabilities within a sandbox environment.
Defense Impairment
1 technique
The content repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.
Discovery
8 techniques
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
More_eggs periodically connects to a neutral website to determine whether the compromised system is connected to the internet or not.
During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
In addition to its ability to download additional payloads, More_eggs has extensive capabilities to profile the infected machine.
The DLL employs anti-sandbox and anti-analysis techniques. It incorporates a loop specifically designed to retrieve the RC4 key necessary for deciphering the More_Eggs backdoor. This loop is strategically crafted to extend its execution time, enhancing its evasion capabilities within a sandbox environment.
Collection
1 technique
Command and Control
3 techniques
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
IOCs tracked for this family
68 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
58 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A backdoor used in social-media spearphishing campaigns, delivered via malicious resumes/ZIPs to provide remote access/control of victim systems.
A malware suite observed using obfuscated batch/command content in .lnk-based execution chains; shown using variable substitution to construct C2 URLs and commands.
"...including the Kaseya MSP breach and the more_eggs malware."
JavaScript-based backdoor that executes primarily in memory and supports credential theft and remote command execution; described as potentially being used to deliver ransomware. Uses Windows LOLBins (e.g., wscript.exe, regsvr32.exe, msxsl.exe) for stealth and establishes persistence via registry keys and scheduled tasks.