Golden Chickens, a group of cybercriminals, has been recently discovered using spear-phishing attacks aimed at business professionals on LinkedIn, with fake job offers. In their attack, crooks deliver the fileless backdoor called more_eggs. The campaign was discovered by researchers at eSentire, who warned enterprises and individuals.

What has happened?

According to eSentire’s research team, cybercriminals are using spear-phishing emails with a malicious zip file that uses the exact name as a job position listed on the targeted professional’s LinkedIn profile.
  • Upon opening the fake job offer, the victim without knowing initiates the stealthy installation of the more_eggs backdoor. It then fetches additional malware and provides access to the targeted system.
  • The backdoor abuses Windows processes to avoid antivirus protections.
  • In addition, it exploits job hunters’ desperation to find employment in the middle of a global pandemic.
  • Golden Chickens group is offering more_eggs as malware-as-a-service to other cybercriminals. These criminals use it to gain access to target systems to spread other malware.

The more_eggs connection

FIN6 used the more_eggs backdoor to target multiple e-commerce businesses back in 2019. At the same time, it attacked retail, pharmaceutical, and entertainment companies’ online payment systems.
  • Evilnum attacks financial tech companies to steal spreadsheets and trading credentials using more_eggs backdoor.
  • Another group, dubbed Cobalt Group, is known to be using more_eggs backdoor to attack financial companies.


The goal of the recent campaigns is likely to attack people who are employed at higher positions in enterprises and have access to sensitive data. Thus, it is important for all users on LinkedIn to stay alert and look out for spear-phishing scams. In addition, experts recommend enabling MFA for accounts with access rights.
Cyware Publisher