
Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims

Medium
Published: Sat May 03 2025 (05/03/2025, 03:04:29 UTC)
Source: AlienVault OTX General

Description

Arctic Wolf Labs discovered a new campaign by Venom Spider targeting corporate HR departments with fake resumes containing the More_eggs backdoor. The financially motivated threat group uses spear-phishing emails and abuses legitimate job platforms to apply for real jobs. The backdoor can steal credentials, customer data, and intellectual property. Several upgrades were found, including server-side polymorphism and evasion techniques. The attack chain involves obfuscated JavaScript, LNK files, and a dropper that generates polymorphic code. Organizations are advised to train employees on phishing awareness, especially those in HR who regularly open attachments from unknown senders.

AI-Powered Analysis

Last updated: 07/03/2025, 14:28:24 UTC

Technical Analysis

The Venom Spider threat group has launched a new campaign targeting corporate Human Resources (HR) departments by leveraging spear-phishing emails containing fake resumes embedded with the More_eggs backdoor malware. This campaign abuses legitimate job application platforms to submit these malicious resumes, increasing the likelihood of bypassing initial suspicion. The attack chain is sophisticated, involving obfuscated JavaScript, LNK (Windows shortcut) files, and a dropper that generates polymorphic code on the server side. Server-side polymorphism means that the malware payload dynamically changes its code structure with each infection attempt, making traditional signature-based detection ineffective. The More_eggs backdoor enables attackers to steal sensitive information such as user credentials, customer data, and intellectual property. The campaign also incorporates evasion techniques to avoid detection by security tools. The use of spear-phishing specifically targeting HR personnel is strategic, as these employees frequently handle attachments from unknown senders during recruitment processes, increasing the risk of successful compromise. The malware leverages multiple MITRE ATT&CK techniques including command and scripting interpreter abuse (T1059.007), remote system discovery (T1016.001), user execution (T1204.002), and persistence mechanisms (T1547.001), among others. Although no known exploits in the wild have been reported yet, the campaign's complexity and targeted nature pose a significant threat to organizations, especially those with active recruitment processes and large HR departments.

Potential Impact

For European organizations, the Venom Spider campaign represents a considerable risk to confidentiality and integrity of sensitive corporate data. HR departments often have access to personal employee information, recruitment strategies, and sometimes privileged access to internal systems. Successful compromise could lead to credential theft, enabling lateral movement within networks and potential exposure of customer data and intellectual property. This could result in financial losses, reputational damage, regulatory penalties under GDPR for data breaches, and disruption of business operations. The polymorphic nature of the malware complicates detection and response, potentially allowing prolonged undetected access. Given the targeting of HR departments, organizations with high recruitment activity or those in sectors with valuable intellectual property (e.g., technology, pharmaceuticals, finance) are at elevated risk. The campaign's evasion techniques further increase the likelihood of bypassing conventional security controls, making early detection and response challenging.

Mitigation Recommendations

Beyond standard phishing awareness training, European organizations should implement targeted security measures for HR teams, including:

1) Deploy advanced email filtering solutions that incorporate heuristic and behavior-based detection to identify polymorphic and obfuscated payloads;
2) Enforce strict attachment handling policies, such as sandboxing all attachments from external sources, especially those related to job applications;
3) Implement application whitelisting and restrict execution of LNK files and scripts from email attachments or downloads;
4) Use endpoint detection and response (EDR) tools capable of detecting anomalous behaviors associated with backdoors and polymorphic malware;
5) Conduct regular threat hunting focused on indicators of compromise related to More_eggs and Venom Spider TTPs;
6) Enforce multi-factor authentication (MFA) across all systems to limit the impact of credential theft;
7) Maintain up-to-date asset inventories and network segmentation to contain potential breaches;
8) Collaborate with recruitment platforms to verify the authenticity of applicants and monitor for suspicious activity;
9) Establish incident response plans specifically addressing targeted phishing campaigns and backdoor infections.


Technical Details

Author: AlienVault
TLP: white
References: https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims
Adversary: Venom Spider
Pulse Id: 681587bd6ded7af256a18a26
Threat Score: null

Indicators of Compromise

Hash


Domain


Yara

d68d0668ee588e9229e7c1eb20da20b7b04e15c3: Rule to detect More_eggs_Dropper
376c809afd6aad06121e199e70477ad9ebaf0795: Rule to detect More_eggs_JavaScript

Threat ID: 683d16f3182aa0cae230aeca

Added to database: 6/2/2025, 3:13:55 AM

Last enriched: 7/3/2025, 2:28:24 PM

Last updated: 7/26/2025, 11:02:29 AM
