More_eggs MaaS Expands Operations with RevC2 Backdoor and Venom Loader

The threat actors behind the More_eggs malware have been linked to two new malware families, indicating an expansion of its malware-as-a-service (MaaS) operation.

This includes a novel information-stealing backdoor called RevC2 and a loader codenamed Venom Loader, both of which are deployed using VenomLNK, a staple tool that serves as an initial access vector for the deployment of follow-on payloads.

“RevC2 uses WebSockets to communicate with its command-and-control (C2) server. The malware is capable of stealing cookies and passwords, proxies network traffic, and enables remote code execution (RCE),” Zscaler ThreatLabz researcher Muhammed Irfan V A said.

“Venom Loader is a new malware loader that is customized for each victim, using the victim’s computer name to encode the payload.”

Both the malware families have been distributed as part of campaigns observed by the cybersecurity company between August and October 2024. The threat actor behind the e-crime offerings is tracked as Venom Spider (aka Golden Chickens).

The exact distribution mechanism is currently not known, but the starting point of one of the campaigns is VenomLNK, which, besides displaying a PNG decoy image, executes RevC2. The backdoor is equipped to steal passwords and cookies from Chromium browsers, execute shell commands, take screenshots, proxy traffic using SOCKS5, and run commands as a different user.

The second campaign also begins with VenomLNK to deliver a lure image, while also stealthily executing Venom Loader. The loader is responsible for launching More_eggs lite, a lightweight variant of the JavaScript backdoor that only provides RCE capabilities.

The new findings are a sign that the malware authors are continuing to refresh and refine their custom toolset with new malicious programs despite the fact that two individuals from Canada and Romania were outed last year as running the MaaS platform.

The disclosure comes as ANY.RUN detailed a previously undocumented fileless loader malware dubbed PSLoramyra, which has been used to deliver the open-source Quasar RAT malware.

“This advanced malware leverages PowerShell, VBS, and BAT scripts to inject malicious payloads into a system, execute them directly in memory, and establish persistent access,” it said.

Source

Leave a Comment Cancel Reply

London, GB

9:22 am, Jun 15, 2025

18°C

L: 17° | H: 19°

Feels like 18°C° broken clouds

Humidity: 72 %

Pressure: 1021 mb

Wind: 11 mph WSW

Wind Gust: 0 mph

UV Index: 0

Precipitation: 0 mm

Clouds: 75%

Rain Chance: 0%

Visibility: 10 km

Sunrise: 4:42 am

Sunset: 9:19 pm

DailyHourly

Daily ForecastHourly Forecast

Today 10:00 pm

17° | 19°°C 0 mm 0% 12 mph 74 % 1025 mb 0 mm/h

Tomorrow 10:00 pm

14° | 25°°C 0 mm 0% 9 mph 85 % 1028 mb 0 mm/h

Tue Jun 17 10:00 pm

16° | 26°°C 0 mm 0% 10 mph 83 % 1027 mb 0 mm/h

Wed Jun 18 10:00 pm

15° | 27°°C 0 mm 0% 7 mph 76 % 1026 mb 0 mm/h

Thu Jun 19 10:00 pm

17° | 28°°C 0 mm 0% 10 mph 76 % 1027 mb 0 mm/h

Today 10:00 am

18° | 19°°C 0 mm 0% 9 mph 72 % 1021 mb 0 mm/h

Today 1:00 pm

19° | 22°°C 0 mm 0% 9 mph 66 % 1021 mb 0 mm/h

Today 4:00 pm

22° | 24°°C 0 mm 0% 11 mph 50 % 1022 mb 0 mm/h

Today 7:00 pm

21° | 21°°C 0 mm 0% 12 mph 54 % 1023 mb 0 mm/h

Today 10:00 pm

17° | 17°°C 0 mm 0% 8 mph 74 % 1025 mb 0 mm/h

Tomorrow 1:00 am

15° | 15°°C 0 mm 0% 5 mph 84 % 1027 mb 0 mm/h

Tomorrow 4:00 am

14° | 14°°C 0 mm 0% 3 mph 85 % 1027 mb 0 mm/h

Tomorrow 7:00 am

16° | 16°°C 0 mm 0% 3 mph 76 % 1028 mb 0 mm/h

Name	Price	24H (%)
Bitcoin(BTC)	€91,222.09	0.39%
Ethereum(ETH)	€2,187.31	-0.14%
Tether(USDT)	€0.87	-0.01%
XRP(XRP)	€1.86	-0.63%
Solana(SOL)	€126.18	0.11%
USDC(USDC)	€0.87	0.00%
Dogecoin(DOGE)	€0.151690	-0.59%
Shiba Inu(SHIB)	€0.000010	-0.96%
Pepe(PEPE)	€0.000010	0.10%

More_eggs MaaS Expands Operations with RevC2 Backdoor and Venom Loader

Share:

Leave a Comment Cancel Reply

Utility link

Useful link

Newsletter

Follow Us