More_eggs MaaS Expands Operations with RevC2 Backdoor and Venom Loader

The threat actors behind the More_eggs malware have been linked to two new malware families, indicating an expansion of its malware-as-a-service (MaaS) operation.

This includes a novel information-stealing backdoor called RevC2 and a loader codenamed Venom Loader, both of which are deployed using VenomLNK, a staple tool that serves as an initial access vector for the deployment of follow-on payloads.

“RevC2 uses WebSockets to communicate with its command-and-control (C2) server. The malware is capable of stealing cookies and passwords, proxies network traffic, and enables remote code execution (RCE),” Zscaler ThreatLabz researcher Muhammed Irfan V A said.

“Venom Loader is a new malware loader that is customized for each victim, using the victim’s computer name to encode the payload.”

Both the malware families have been distributed as part of campaigns observed by the cybersecurity company between August and October 2024. The threat actor behind the e-crime offerings is tracked as Venom Spider (aka Golden Chickens).

The exact distribution mechanism is currently not known, but the starting point of one of the campaigns is VenomLNK, which, besides displaying a PNG decoy image, executes RevC2. The backdoor is equipped to steal passwords and cookies from Chromium browsers, execute shell commands, take screenshots, proxy traffic using SOCKS5, and run commands as a different user.

The second campaign also begins with VenomLNK to deliver a lure image, while also stealthily executing Venom Loader. The loader is responsible for launching More_eggs lite, a lightweight variant of the JavaScript backdoor that only provides RCE capabilities.

The new findings are a sign that the malware authors are continuing to refresh and refine their custom toolset with new malicious programs despite the fact that two individuals from Canada and Romania were outed last year as running the MaaS platform.

The disclosure comes as ANY.RUN detailed a previously undocumented fileless loader malware dubbed PSLoramyra, which has been used to deliver the open-source Quasar RAT malware.

“This advanced malware leverages PowerShell, VBS, and BAT scripts to inject malicious payloads into a system, execute them directly in memory, and establish persistent access,” it said.

Source

Leave a Comment Cancel Reply

London, GB

3:58 am, Jul 11, 2025

18°C

L: 17° | H: 19°

Feels like 18°C° scattered clouds

Humidity: 79 %

Pressure: 1021 mb

Wind: 6 mph E

Wind Gust: 0 mph

UV Index: 0

Precipitation: 0 mm

Clouds: 45%

Rain Chance: 0%

Visibility: 10 km

Sunrise: 4:56 am

Sunset: 9:15 pm

DailyHourly

Daily ForecastHourly Forecast

Today 10:00 pm

17° | 19°°C 0 mm 0% 8 mph 79 % 1021 mb 0 mm/h

Tomorrow 10:00 pm

19° | 30°°C 0 mm 0% 10 mph 66 % 1019 mb 0 mm/h

Sun Jul 13 10:00 pm

18° | 30°°C 0 mm 0% 7 mph 71 % 1015 mb 0 mm/h

Mon Jul 14 10:00 pm

18° | 28°°C 1 mm 100% 15 mph 84 % 1016 mb 0 mm/h

Tue Jul 15 10:00 pm

14° | 20°°C 1 mm 100% 14 mph 81 % 1017 mb 0 mm/h

Today 4:00 am

16° | 18°°C 0 mm 0% 3 mph 79 % 1021 mb 0 mm/h

Today 7:00 am

18° | 19°°C 0 mm 0% 2 mph 75 % 1021 mb 0 mm/h

Today 10:00 am

24° | 27°°C 0 mm 0% 2 mph 57 % 1021 mb 0 mm/h

Today 1:00 pm

30° | 30°°C 0 mm 0% 3 mph 32 % 1020 mb 0 mm/h

Today 4:00 pm

32° | 32°°C 0 mm 0% 4 mph 26 % 1018 mb 0 mm/h

Today 7:00 pm

30° | 30°°C 0 mm 0% 6 mph 29 % 1017 mb 0 mm/h

Today 10:00 pm

23° | 23°°C 0 mm 0% 8 mph 49 % 1019 mb 0 mm/h

Tomorrow 1:00 am

21° | 21°°C 0 mm 0% 5 mph 57 % 1019 mb 0 mm/h

Name	Price	24H (%)
Bitcoin(BTC)	€99,548.70	4.71%
Ethereum(ETH)	€2,531.28	6.50%
Tether(USDT)	€0.85	-0.02%
XRP(XRP)	€2.20	6.50%
Solana(SOL)	€141.00	4.20%
USDC(USDC)	€0.85	-0.01%
Dogecoin(DOGE)	€0.169176	9.42%
Shiba Inu(SHIB)	€0.000012	9.17%
Pepe(PEPE)	€0.000011	15.00%
Peanut the Squirrel(PNUT)	€0.247974	22.95%

More_eggs MaaS Expands Operations with RevC2 Backdoor and Venom Loader

Share:

Leave a Comment Cancel Reply

Utility link

Useful link

Newsletter

Follow Us