Venom Spider Targets HR Departments With Sophisticated Resume Scam

A financially motivated hacking group called Venom Spider has launched a new phishing campaign against corporate human resources (HR) departments, according to Arctic Wolf Labs. The group disguises malware as job application materials to deliver More_eggs, a sophisticated and deceptive backdoor, onto victims' systems.

This is a new tactic for the group. Instead of focusing on industries like e-commerce and entertainment as they have in the past, Venom Spider is now targeting a universal corporate function: hiring. Any company with a job opening and a recruitment process is now a target.

Using fake resumes as a delivery mechanism

The attack starts with a spear-phishing email that looks like a job application. These emails are sent directly to recruiters or HR managers and contain links to download resumes, which lead to attacker-controlled websites. The sites prompt the user to complete a CAPTCHA challenge, which helps them bypass automated threat detection tools.

Once past this step, the victim downloads a ZIP file believed to be a resume. Inside are seemingly harmless files, including an image and a shortcut file (.lnk). When the shortcut is opened, it quietly runs a malicious script that downloads More_eggs malware and launches WordPad to make it look like it’s opening a document.

Arctic Wolf Labs found that this shortcut file is generated uniquely for each download using server-side polymorphism. This means the code changes every time, making it hard for security tools to detect or block.

How the More_eggs malware gains control

The heart of the campaign is the More_eggs malware, a backdoor. Arctic Wolf researchers found this latest version has a component they call the More_eggs_Dropper. This dropper is an executable that creates and runs several files using JavaScript code, all of which are heavily obfuscated to avoid detection.

One notable feature is how More_eggs encrypts its payloads. The malware generates unique decryption keys based on information from the target device, including the computer name and processor details. This makes it impossible for analysts or automated tools to study the malware unless they have the exact infected machine.

Once installed, More_eggs sends system info back to a command server and waits for instructions. These can include downloading more malware, running commands, or wiping itself clean to avoid detection.

What HR and security teams must do

Because of the social engineering tactics used, especially the targeting of HR staff who open emails from unknown sources, experts say awareness and training are key. HR staff should be trained to spot unusual attachment types like .lnk or .iso files and to inspect files before opening them.
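The inspection step can be automated before a downloaded "resume" archive reaches a recruiter. The following is an added example, not code from Arctic Wolf or the original article: it lists a ZIP's members without extracting them and flags Windows shortcuts by their file header as well as by name, so a renamed .lnk is still caught. The extension list beyond .lnk and .iso and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Shell Link (.lnk) files begin with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK specification).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")

# .lnk and .iso come from the article; the remaining entries are an assumed list.
RISKY_EXTENSIONS = {".lnk", ".iso", ".js", ".vbs", ".hta", ".exe", ".scr", ".bat", ".cmd"}


def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) per suspicious entry; reads headers only, extracts nothing."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Windows ignores trailing dots and spaces, so strip them before checking.
            ext = PurePosixPath(name.lower().rstrip(". ")).suffix
            if info.flag_bits & 0x1:
                findings.append((name, "encrypted member, cannot inspect"))
                continue
            with archive.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reason = "shell link header"
                if ext != ".lnk":
                    reason += " hidden behind extension " + (ext or "(none)")
                findings.append((name, reason))
            elif ext in RISKY_EXTENSIONS:
                findings.append((name, "risky extension " + ext))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: an image, a shortcut, a renamed shortcut (headers only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        archive.writestr("Resume.lnk", LNK_MAGIC + b"\x00" * 56)
        archive.writestr("CoverLetter.pdf", LNK_MAGIC + b"\x00" * 56)
        archive.writestr("notes.iso", b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    print(*triage_zip(build_sample_zip()), sep="\n")
```

Because the shortcut in this campaign is regenerated for every download, a structural check like this is more durable than matching file hashes.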

Organizations should also implement protective technologies like secure email gateways, endpoint detection systems, and phishing report mechanisms. Phishing simulations and internal security drills can help reinforce good cyber habits.

Blocking known command-and-control servers and updating detection rules for More_eggs components are also effective. Arctic Wolf has already added new detection capabilities to its platform to help protect its customers from this threat.

Stay alert during the recruitment process

This campaign shows how attackers are adapting by targeting everyday business functions. By turning something as mundane as a job application into a weapon, Venom Spider is spreading across industries. According to Arctic Wolf Labs, the best defense is a combination of employee awareness, updated tools, and proactive threat monitoring.
