![More_eggs Cybercrime Group Unleashes New Stealthy Backdoor and Loader in Advanced MaaS Campaign](https://mlkmisyfyt7n.i.optimole.com/cb:QnOd.1c245/w:auto/h:auto/q:mauto/ig:avif/https://clickcontrol.com/wp-content/uploads/2024/12/article_184_1733511895.jpg)
Security researchers have discovered that the operators of More_eggs malware have developed two new malware families, expanding their malware-as-a-service (MaaS) operations. Zscaler ThreatLabz has identified RevC2, an information-stealing backdoor, and Venom Loader, a customized loader malware, both deployed through the VenomLNK initial access tool.
RevC2’s capabilities include:
- WebSocket-based C2 communication
- Cookie and password theft from Chromium browsers
- Network traffic proxying
- Remote code execution
- Screenshot capture
- Shell command execution
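Because RevC2 is described above as talking to its C2 over WebSockets, one cheap hunting check is to scan web-proxy logs for completed WebSocket handshakes (HTTP 101 with `Upgrade: websocket`) toward hosts where such traffic is not expected. The script below is an added example written for this article, not Zscaler's code or anything recovered from the malware; the log format, the allow list of known WebSocket services, and the sample log lines are all constructed, and flagging raw-IP destinations is a heuristic rather than a RevC2 indicator from the report.

```python
"""Flag WebSocket upgrade handshakes to hosts outside an allow list.

Added example for the RevC2 summary: look for HTTP 101 / "Upgrade: websocket"
handshakes in a proxy log whose destination is not a known WebSocket service.
Log format, allow list and sample lines are constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed allow list: hosts where WebSocket traffic is expected (assumption).
KNOWN_WS_HOSTS = {"teams.example.com", "chat.example.org"}

# Constructed proxy log format:
#   <timestamp> <client-ip> <method> <url> <status> [upgrade=<header-value>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3})(?: upgrade=(?P<upgrade>\S+))?$"
)

# Constructed sample log: two benign lines, one allow-listed WebSocket
# session, and two handshakes straight to bare IP addresses.
SAMPLE_LOG = """\
2024-09-12T10:01:02Z 10.0.0.5 GET https://teams.example.com/socket 101 upgrade=websocket
2024-09-12T10:01:09Z 10.0.0.5 GET https://www.example.net/index.html 200
2024-09-12T10:02:44Z 10.0.0.7 GET ws://203.0.113.10:8080/ 101 upgrade=websocket
2024-09-12T10:02:45Z 10.0.0.7 GET http://203.0.113.10:8080/ 400
2024-09-12T10:03:10Z 10.0.0.9 GET https://cdn.example.com/app.js 200
2024-09-12T10:04:00Z 10.0.0.9 GET wss://198.51.100.23/c 101 upgrade=websocket
"""

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    host: str
    reason: str


def is_websocket_handshake(status: str, upgrade: "str | None") -> bool:
    """A completed WebSocket handshake is a 101 response to an Upgrade request."""
    return status == "101" and (upgrade or "").lower() == "websocket"


def host_of(url: str) -> str:
    """Destination host of the request URL, lower-cased, or '' if unparsable."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def find_suspicious_websocket(log_text: str, allow=KNOWN_WS_HOSTS) -> list:
    """Return one Finding per WebSocket handshake to a non-allow-listed host."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        if not is_websocket_handshake(m["status"], m["upgrade"]):
            continue
        host = host_of(m["url"])
        if host in allow:
            continue
        reason = ("websocket to raw IP" if IPV4_RE.fullmatch(host)
                  else "websocket to non-allow-listed host")
        findings.append(Finding(m["ts"], m["src"], host, reason))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_websocket(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.host}: {f.reason}")
```

Run against the embedded sample, the allow-listed Teams session and the plain HTTP requests are ignored and only the two handshakes to bare IP addresses are reported; in practice the allow list should be built from your own baseline of legitimate WebSocket destinations, and a hit is a lead for host triage rather than a verdict.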
Venom Loader features unique victim-specific customization, using computer names for payload encoding. Both malware families were actively deployed between August and October 2024.
The attack chain typically begins with VenomLNK, which displays a decoy PNG image while secretly executing either RevC2 or Venom Loader. In the latter case, the loader deploys More_eggs lite, a streamlined version of the JavaScript backdoor focused on remote code execution.
This development demonstrates that Venom Spider, the group behind More_eggs, continues to evolve its toolset despite the exposure of two key operators from Canada and Romania in the previous year. Concurrently with this discovery, researchers identified PSLoramyra, a new fileless loader that infects systems with Quasar RAT through PowerShell, VBS, and BAT scripts.