More_eggs MaaS Expands Operations with RevC2 Backdoor and Venom Loader

The threat actors behind the More_eggs malware have been linked to two new malware families, indicating an expansion of its malware-as-a-service (MaaS) operation.

This includes a novel information-stealing backdoor called RevC2 and a loader codenamed Venom Loader, both of which are deployed using VenomLNK, a staple tool that serves as an initial access vector for the deployment of follow-on payloads.

“RevC2 uses WebSockets to communicate with its command-and-control (C2) server. The malware is capable of stealing cookies and passwords, proxies network traffic, and enables remote code execution (RCE),” Zscaler ThreatLabz researcher Muhammed Irfan V A said.

“Venom Loader is a new malware loader that is customized for each victim, using the victim’s computer name to encode the payload.”

Both the malware families have been distributed as part of campaigns observed by the cybersecurity company between August and October 2024. The threat actor behind the e-crime offerings is tracked as Venom Spider (aka Golden Chickens).

The exact distribution mechanism is currently not known, but the starting point of one of the campaigns is VenomLNK, which, besides displaying a PNG decoy image, executes RevC2. The backdoor is equipped to steal passwords and cookies from Chromium browsers, execute shell commands, take screenshots, proxy traffic using SOCKS5, and run commands as a different user.

The second campaign also begins with VenomLNK to deliver a lure image, while also stealthily executing Venom Loader. The loader is responsible for launching More_eggs lite, a lightweight variant of the JavaScript backdoor that only provides RCE capabilities.

The new findings are a sign that the malware authors are continuing to refresh and refine their custom toolset with new malicious programs despite the fact that two individuals from Canada and Romania were outed last year as running the MaaS platform.

The disclosure comes as ANY.RUN detailed a previously undocumented fileless loader malware dubbed PSLoramyra, which has been used to deliver the open-source Quasar RAT malware.

“This advanced malware leverages PowerShell, VBS, and BAT scripts to inject malicious payloads into a system, execute them directly in memory, and establish persistent access,” it said.

Source

Leave a Comment Cancel Reply

London, GB

5:31 am, Apr 22, 2025

7°C

L: 5° | H: 8°

Feels like 7°C° overcast clouds

Humidity: 90 %

Pressure: 1015 mb

Wind: 2 mph NW

Wind Gust: 3 mph

UV Index: 0

Precipitation: 0 mm

Clouds: 96%

Rain Chance: 0%

Visibility: 10 km

Sunrise: 5:49 am

Sunset: 8:07 pm

DailyHourly

Daily ForecastHourly Forecast

Today 10:00 pm

5° | 8°°C 0 mm 0% 10 mph 91 % 1017 mb 0 mm/h

Tomorrow 10:00 pm

8° | 10°°C 1 mm 100% 13 mph 94 % 1018 mb 0 mm/h

Thu Apr 24 10:00 pm

8° | 13°°C 0 mm 0% 4 mph 88 % 1022 mb 0 mm/h

Fri Apr 25 10:00 pm

10° | 17°°C 0 mm 0% 8 mph 90 % 1021 mb 0 mm/h

Sat Apr 26 10:00 pm

10° | 17°°C 1 mm 100% 14 mph 94 % 1021 mb 0 mm/h

Today 7:00 am

7° | 7°°C 0 mm 0% 4 mph 91 % 1016 mb 0 mm/h

Today 10:00 am

8° | 12°°C 0 mm 0% 7 mph 85 % 1016 mb 0 mm/h

Today 1:00 pm

13° | 16°°C 0 mm 0% 8 mph 58 % 1017 mb 0 mm/h

Today 4:00 pm

16° | 16°°C 0 mm 0% 10 mph 44 % 1016 mb 0 mm/h

Today 7:00 pm

13° | 13°°C 0 mm 0% 10 mph 59 % 1016 mb 0 mm/h

Today 10:00 pm

10° | 10°°C 0 mm 0% 7 mph 77 % 1016 mb 0 mm/h

Tomorrow 1:00 am

10° | 10°°C 0 mm 0% 7 mph 79 % 1014 mb 0 mm/h

Tomorrow 4:00 am

9° | 9°°C 1 mm 100% 11 mph 94 % 1011 mb 0 mm/h

Name	Price	24H (%)
Bitcoin(BTC)	€76,608.66	1.30%
Ethereum(ETH)	€1,374.76	-3.08%
Tether(USDT)	€0.87	0.00%
XRP(XRP)	€1.81	-1.18%
Solana(SOL)	€120.72	-0.43%
USDC(USDC)	€0.87	0.00%
Dogecoin(DOGE)	€0.139878	0.76%
Shiba Inu(SHIB)	€0.000010	-1.70%
Pepe(PEPE)	€0.000007	2.81%

More_eggs MaaS Expands Operations with RevC2 Backdoor and Venom Loader

Share:

Leave a Comment Cancel Reply

Utility link

Useful link

Newsletter

Follow Us