21 Nov, 2024
HR Professionals Targeted! The Next Candidate Might Be Malware - Know How More_Eggs Malware Is Spreading

Could your next job application deliver malware?

Imagine you're a recruiter, sifting through resumes of potential candidates for an open position, and one of them looks promising. You download the attachment, open it, and unknowingly, you've just invited dangerous malware into your company's system. This is exactly how the More_eggs malware operates: by sneaking into corporate networks through fake job applications sent to HR professionals.

In recent years, spear-phishing campaigns, which use seemingly legitimate email attachments to lure victims, have become a primary tool for attackers. One particularly insidious threat targeting HR departments is the More_eggs malware, a sophisticated JavaScript backdoor that arrives via fake resumes. But what exactly is More_eggs, and how can organizations defend against it?

What is More_Eggs Malware?

More_eggs is a type of malware delivered as part of the Golden Chickens malware-as-a-service (MaaS) platform. This JavaScript backdoor has become notorious for targeting recruiters and HR professionals through fake job applications, often shared via phishing emails or malicious links on platforms like LinkedIn. Attackers disguise themselves as job applicants and attach malicious files designed to appear as legitimate resumes.

Once these files are downloaded and opened, the backdoor is activated, allowing the attacker to gain control of the compromised system. The malware can steal sensitive data such as credentials for email accounts, bank accounts, and even IT systems. In essence, More_eggs provides attackers with a foothold in an organization's network, opening the door to more destructive activities like data theft, espionage, or ransomware attacks.

How Does More_Eggs Work?

The infection process usually begins with a spear-phishing email containing a malicious attachment or link. Once the victim downloads the resume, typically a .zip or .lnk (Windows shortcut) file, the file executes a series of commands that install the More_eggs backdoor. This backdoor then connects to the attacker's command-and-control (C2) server, enabling them to execute further commands or download additional malware.

According to cybersecurity experts, More_eggs not only conducts reconnaissance on the compromised host but can also receive and execute secondary payloads, making it a multi-stage attack. The malware's flexibility and the outsourcing of various components via MaaS make it challenging to attribute these attacks to a specific threat actor. However, it is believed that the Golden Chickens group, also known as Venom Spider, is behind its development and deployment.

Latest News on More_Eggs Malware

Recent investigations have shown that attacks using More_eggs have evolved. A campaign detected in August 2024 targeted recruitment officers in sectors like engineering, where a carefully crafted email tricked a talent search lead into downloading a seemingly innocent resume. The malicious URL led the victim to download a More_eggs-infected file, resulting in a full system compromise.

This campaign is not an isolated event. In June 2024, a similar attack was observed where phony resumes were distributed via LinkedIn, leading to the same infection method using a malicious .lnk file.

Why HR Professionals?

Recruitment professionals are an attractive target because they frequently receive attachments and interact with strangers. The sheer volume of resumes and job applications they process increases the likelihood that a malicious file will slip through undetected. Moreover, many HR professionals might lack advanced cybersecurity training, making them vulnerable to phishing attempts. The attackers capitalize on the trust HR personnel often place in job applications.

Staying Safe: How to Protect Against More_Eggs

Here are some practical steps HR departments and organizations can take to avoid falling victim to More_eggs and similar threats:

  • Train Employees on Phishing Awareness: Regular training on recognizing phishing emails and malicious attachments is crucial. Employees, especially those in HR, should be vigilant about downloading files from unknown sources.
  • Email Filtering and Security Solutions: Implement robust email filtering tools that can detect and block malicious emails before they reach the inbox. Advanced threat detection systems can identify suspicious file types like .lnk and .zip files attached to emails.
  • Endpoint Security Solutions: Deploy comprehensive endpoint protection software that can monitor, detect, and block malware like More_eggs at the initial stage of infection.
  • Regular Patching and Updates: Ensure all software, including operating systems and email platforms, is regularly updated to patch known vulnerabilities that attackers might exploit.
  • Multi-Factor Authentication (MFA): Enforce MFA across all company accounts to add an extra layer of protection in case credentials are compromised.
  • Penetration Testing: Regularly conduct penetration testing to identify vulnerabilities in your organization's cybersecurity defenses, particularly in departments like HR that are frequent targets.
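
To make the email-filtering step concrete, here is an added example (not from the original article or any vendor product) of a mail-gateway style check that flags .lnk attachments, including ones packed inside a .zip "resume". The function names, file names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Shortcut extension the article names as a More_eggs delivery vehicle.
SHORTCUT_EXT = ".lnk"

def scan_attachments(raw_email: bytes) -> list[str]:
    """Return findings for .lnk attachments, including ones nested in a zip."""
    findings = []
    msg = message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(SHORTCUT_EXT):
            findings.append(f"shortcut attachment: {name}")
        # Trust content, not the file name: a zip renamed to .pdf is still a zip.
        if zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.filename.lower().endswith(SHORTCUT_EXT):
                            findings.append(
                                f"shortcut inside archive {name}: {info.filename}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable archive: {name}")
    return findings

def build_sample() -> bytes:
    """Constructed message: a 'resume' zip holding a placeholder .lnk entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("John_Doe_Resume.pdf.lnk", b"placeholder, not a real shortcut")
        zf.writestr("cover_letter.txt", b"Hello")
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"
    msg["To"] = "recruiting@example.com"
    msg["Subject"] = "Application for open position"
    msg.set_content("Please find my resume attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Resume.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_attachments(build_sample()):
        print(finding)
```

A gateway would typically quarantine any message with a non-empty findings list rather than deliver it to the recruiter's inbox.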

The Future of Recruitment Attacks: What to Expect?

The rising trend of malware attacks targeting HR professionals isn't slowing down anytime soon. With threat actors continuously refining their methods, spear-phishing campaigns are likely to grow in sophistication, combining social engineering tactics with the evolving landscape of malware-as-a-service platforms like More_eggs.

Organizations must stay ahead of these threats by strengthening both their technological defenses and human awareness. The collaboration between HR and IT teams is more critical than ever to ensure that recruitment processes are secure from cyber threats.

Don't Let More_Eggs Hatch in Your Network

The reality of malware like More_eggs is a stark reminder that cybercriminals will exploit any vulnerable entry point into an organization. While this malware may arrive disguised as a job application, its damage is anything but innocent. Protecting your organization from such threats begins with awareness, training, and robust cybersecurity measures.

If you're an HR professional or part of a recruitment team, it's essential to understand that the next resume you download might be more than just a job application—it could be a cyber threat. Stay informed, stay vigilant, and ensure your company doesn’t fall victim to this growing menace.

 
