The cybercrime group known as Venom Spider has expanded its malware-as-a-service operations with two new malware families, according to security researchers. The group, previously associated with the More_eggs malware, has developed a sophisticated backdoor called RevC2 and a customizable loader named Venom Loader.
Between August and October 2024, researchers at Zscaler ThreatLabz observed multiple campaigns distributing these new malware variants. The attacks leverage VenomLNK as the initial access tool, which displays decoy PNG images while secretly executing malicious payloads.
The RevC2 backdoor employs WebSocket technology for command-and-control communications and possesses advanced capabilities, including:
- Password and cookie theft from Chromium browsers
- Network traffic proxying through SOCKS5
- Remote code execution
- Screenshot capture
- Command execution under different user contexts
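Because RevC2 is reported to use WebSocket for its command-and-control channel, one generic hunting check a defender can run over web-proxy logs is to flag WebSocket upgrade handshakes toward destinations that are not known, approved WebSocket services. The following is an added example written for this article, not code from Zscaler or from the malware; the log format, hostnames, IP addresses and allowlist are all constructed for illustration.

```python
"""Hunt proxy logs for WebSocket upgrades to unexpected destinations.

Added example, not part of the original report. The log line format below
is constructed: "<timestamp> <src_ip> <dst_host[:port]> <path> \"<headers>\"",
with headers separated by ';'. Real proxy logs will need their own parser.
"""
from dataclasses import dataclass
import re

# Constructed allowlist of WebSocket endpoints the organisation expects to see.
APPROVED_WS_HOSTS = {"collab.example.com", "chat.corp.example"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+'
    r'"(?P<headers>[^"]*)"$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2024-09-12T10:14:03Z 10.0.0.5 collab.example.com /ws "Upgrade: websocket; Connection: Upgrade"',
    '2024-09-12T10:15:10Z 10.0.0.5 www.example.com /index.html "Connection: keep-alive"',
    '2024-09-12T10:16:41Z 10.0.0.7 203.0.113.10:8080 /socket "Upgrade: websocket; Connection: Upgrade"',
    '2024-09-12T10:17:02Z 10.0.0.9 cdn-update.example.net /api "upgrade: WebSocket; connection: Upgrade"',
]


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    host: str
    path: str
    reasons: tuple


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Header names are case-insensitive, so normalise keys to lowercase.
    rec["headers"] = {
        k.strip().lower(): v.strip()
        for k, v in (h.split(":", 1) for h in rec["headers"].split(";") if ":" in h)
    }
    return rec


def is_websocket_upgrade(headers):
    """True when the request asks to switch protocols to WebSocket."""
    return headers.get("upgrade", "").lower() == "websocket"


def hunt(lines, approved=APPROVED_WS_HOSTS):
    """Return a Finding for every WebSocket upgrade to a destination that
    is not allowlisted, is a raw IP literal, or uses a non-standard port."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_websocket_upgrade(rec["headers"]):
            continue
        hostname, _, port = rec["host"].partition(":")
        reasons = []
        if hostname not in approved:
            reasons.append("host not in WebSocket allowlist")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", hostname):
            reasons.append("raw IP literal")
        if port and port not in ("80", "443"):
            reasons.append(f"non-standard port {port}")
        if reasons:
            findings.append(Finding(rec["ts"], rec["src"], rec["host"],
                                    rec["path"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.host}{f.path}: {', '.join(f.reasons)}")
```

The allowlist is the part that carries the signal: the check is only as good as the organisation's inventory of legitimate WebSocket services, so expect to tune it, and treat a raw IP literal or an odd port as a reason to look closer rather than as proof of compromise.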
The Venom Loader introduces a personalized approach by customizing its payload based on the victim's computer name. This loader primarily deploys More_eggs lite, a streamlined version of the original JavaScript backdoor focused on remote code execution functionality.
This expansion of capabilities comes despite recent setbacks for the operation, including the exposure of two individuals from Canada and Romania allegedly running the malware-as-a-service platform last year.
The exact distribution methods for these new malware variants remain under investigation, as researchers continue to monitor the evolution of this sophisticated cyber threat.