Hackers target LinkedIn users with fake job offers to spread malware
The Golden Chicken group is selling the More_Eggs backdoor to other groups as a malware as a service (MaaS) model


The Golden Chicken hacking group is targeting LinkedIn users with fake job offers to infect them with a sophisticated malware strain that can allow them to take control of victims’ computers.
These hackers spread the More_Eggs malware by spear phishing victims with a malicious .ZIP file using the victim's job as listed on LinkedIn, according to the security firm eSentire.
These files are titled to mirror the exact job title. For example, a user listing ‘Senior Account Executive International Freight’ as their job will be sent a malicious .ZIP file titled ‘Senior Account Executive - International Freight position’.
Once opened, victims initiate the stealthy installation of the More_eggs backdoor that can download additional malicious plugins and provide remote access to their device.
Golden Chicken sell the backdoor under a malware as a service (MaaS) arrangement to other cyber criminals, made possible by More_Eggs’ tendency to maintain a stealthy profile by abusing legitimate Windows processes.
Researchers with eSentire disrupted an active spear phishing incident in which a health tech professional downloaded and executed a malicious .ZIP file.
RELATED RESOURCE
The researchers saw the victim unwittingly activate VenomLNK, an initial stage of More_Eggs that abused Windows Management Instrumentation to enable the plugin loader, TerraLoader. This, in turn, hijacks the cmstp and regsvr32 processes.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
While TerraLoader is being initiated, a decoy Word document is presented to the victim to impersonate a job application but serves no functional purpose in the infection. This is simply a decoy that distracts the user from the background tasks of More_Eggs.
TerraLoader then installs msxsl in the user’s roaming profile and loads the payload, before signalling to a command and control (C&C) server through the copy of msxsl. This beacon then communicates that the More_Eggs backdoor is ready for Golden Chicken’s customer to log in and begin carrying out their goal.
Possibilities, depending on the group that More_Eggs is sold to on the MaaS model, include infecting with additional malware strains, such as ransomware, or getting a foothold into the victim’s network to exfiltrate data.
The eSentire researchers have so far been unable to determine what the ultimate purposes of this campaign might be, although it mirrors a similar campaign reported in February 2019 which also involved the More_Eggs backdoor.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
The race is on for Higher Ed to adapt: Equity in hyflex learning
Hyflex courses can improve student wellbeing and engagement, but only with meeting technology that leaves no one behind
-
Gen Z workers are keen on AI in the workplace – but they’re still skeptical about the hype
News Younger workers could lead the shift to AI, but only think it can can manage some tasks