Venom Spider / Golden Chickens (also known as badbullzvenom or the Golden Chickens MaaS operator) is a state-sponsored advanced persistent threat group attributed to a Canadian-Romanian eCrime operator and active since 2017. The group primarily targets the e-commerce, retail, hospitality and restaurant chain sectors.
Overview & Attribution
Operator of the Golden Chickens MaaS suite, which provides the more_eggs backdoor to FIN6, Cobalt Group and Evilnum; its affiliates target corporate HR departments via fake job applications.
Venom Spider has been active since 2017 and is attributed to a Canadian-Romanian eCrime operator. The group is known for targeting e-commerce, retail, hospitality and restaurant chains using a combination of custom malware, living-off-the-land techniques and sophisticated social engineering.
- Attribution: Canadian-Romanian (eCrime)
- Active since: 2017
- Primary targets: e-commerce, retail, hospitality, restaurant chains
- Also known as: badbullzvenom, Golden Chickens MaaS operator
Arsenal & Tools
Venom Spider employs a diverse arsenal of custom and shared tooling:
- more_eggs: JScript backdoor supplied to affiliates through the Golden Chickens MaaS
- VenomLNK: Custom/shared tooling used in operations
- TerraLoader: Custom/shared tooling used in operations
- TerraRecon: Custom/shared tooling used in operations
- TerraStealer: Custom/shared tooling used in operations
Targeting & Operations
The group focuses on the e-commerce, retail, hospitality and restaurant chain sectors, with operations spanning multiple geographic regions. Their campaigns typically involve carefully crafted spearphishing, strategic watering holes and exploitation of public-facing applications.
Venom Spider is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing Attachment | Fake resume/job application lures |
| Execution | T1059.007 JavaScript | more_eggs JScript backdoor |
| Persistence | T1547.001 Registry Run Keys | COM object persistence |
| Defense Evasion | T1027 Obfuscated Files | Heavy JS obfuscation |
| Credential Access | T1555.003 Browser Credentials | TerraRecon credential theft |
| C2 | T1071.001 Web Protocols | HTTPS C2 |
Notable Campaigns
Venom Spider has been linked to multiple significant campaigns against e-commerce, retail, hospitality and restaurant chain organizations. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- Long-term espionage: Multi-year intrusions into government and defense networks
- Supply chain targeting: Compromise of technology providers and managed service providers
- Zero-day exploitation: Use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: Monitor for known Venom Spider IOCs and TTPs in SIEM/EDR platforms
- Network monitoring: Detect C2 patterns associated with more_eggs and related tooling
- Email security: Implement advanced phishing detection for spearphishing campaigns
- Endpoint detection: Deploy behavioral detection rules for known Venom Spider TTPs
- Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
- Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage
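As an added illustration of the endpoint-detection bullet above (example code, not from this page or from Mjolnir Security), the pass below flags two techniques from the ATT&CK mapping, T1059.007 (JScript run through Windows Script Host, as the more_eggs backdoor is) and T1547.001 (Run-key persistence), over constructed process-creation and registry events; all paths, user names and file names are made up and the simplified field=value log format is an assumption.

```python
# Toy detection pass for two techniques in the ATT&CK table: T1059.007 (JScript run via
# Windows Script Host, as more_eggs is) and T1547.001 (Run-key persistence). All sample
# events below are constructed; none of the paths or names come from a real incident.
import re

SAMPLE_EVENTS = [  # simplified field=value form; quoted values may contain spaces
    r'type=process image="C:\Windows\System32\wscript.exe" parent="C:\Windows\explorer.exe" cmdline="wscript.exe //E:jscript C:\Users\hr\Downloads\resume_JDoe.txt"',
    r'type=process image="C:\Windows\System32\cscript.exe" parent="C:\Program Files\IT\deploy.exe" cmdline="cscript.exe C:\ProgramData\IT\inventory.js"',
    r'type=registry key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value=Updater data="wscript.exe C:\Users\hr\AppData\Roaming\upd.js"',
    r'type=registry key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value=OneDrive data="C:\Users\hr\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"',
]
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh)\b", re.I)

def parse(line):  # 'k=v k="v with spaces"' -> dict
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_process(ev):
    if basename(ev.get("image", "")) not in SCRIPT_HOSTS:
        return None
    args = ev.get("cmdline", "").split()[1:]                       # drop the host binary
    script = next((a for a in args if not a.startswith("//")), "")  # skip //E:, //B, ... switches
    reasons = []
    if USER_WRITABLE.search(script):
        reasons.append("script loaded from a user-writable path")
    if script and not SCRIPT_EXT.search(script):
        reasons.append("script file lacks a script extension")  # e.g. a 'resume.txt' run as JScript
    return "T1059.007: " + "; ".join(reasons) if reasons else None

def check_registry(ev):
    if not RUN_KEY.search(ev.get("key", "")):
        return None
    data = ev.get("data", "")
    reasons = []
    if data and basename(data.split()[0]) in SCRIPT_HOSTS:
        reasons.append("Run key launches a script host")
    # Updaters and sync clients live under AppData too; also require a script file to cut noise.
    if USER_WRITABLE.search(data) and SCRIPT_EXT.search(data):
        reasons.append("Run key points at a script under a user-writable path")
    return "T1547.001: " + "; ".join(reasons) if reasons else None

def scan(lines):
    findings = []
    for i, ev in enumerate(map(parse, lines)):
        hit = check_process(ev) if ev.get("type") == "process" else check_registry(ev)
        if hit:
            findings.append((i, hit))
    return findings
```

On the sample set only the Downloads "resume" run through wscript.exe and the Run key pointing at a script under AppData are reported; the IT inventory script and the OneDrive entry pass through, which is the noise trade-off such rules have to make.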
Defend Against Venom Spider
Mjolnir Security provides specialized capabilities to detect and respond to Venom Spider operations.
- APT Threat Hunting: Proactive hunting for Venom Spider TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence: Continuous monitoring of Venom Spider campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.