Since uncovering the Malware-as-a-service provider “Golden Chickens” back in 2018, we are carefully tracking the evolution of the Golden Chickens (GC) Malware-as-a-Service provider (MaaS) and how different threat actors use it. 

Latest Golden Chickens Activity

Lately, a new spear-phishing campaign is actively targeting LinkedIn members using personalized job offers as a lure. A threat actor group is sending job offers that have the same name as that of the victims’ job titles from their LinkedIn profiles. Upon opening the ZIP file that comes with the fake offer, the stealthy installation of the fileless backdoor more_egg is initiated and will eventually allow the attacker to remotely control the victim’s computer.

About two weeks ago, we first observed a campaign resulting in the same C2. We attribute the activity to FIN6.

To access our latest research on Golden Chickens and other active threat actor groups, malware, etc. request a free trial of Mercury

To help you stay informed on the latest development, we created a compilation of all our public research on Golden Chickens. 

Our Past Golden Chickens Research 

#1 Golden Chickens: Uncovering a Malware-as-a-Service (MaaS) Provider

This blog post provides an overview on a specific Malware-as-a-Service (MaaS) used within the e-Crime threat actor landscape. It also provides details on two different threat actors using the MaaS that fall under the umbrella of a family we dubbed Golden Chickens: GC01 and GC02.

#2 The Chicken Keeps Laying New Eggs: Uncovering New GC MaaS Tools Used By Top-tier Threat Actors

In 2019, we uncovered and classified seven additional tools linked to the GC MaaS, which add to the four ones we uncovered in 2018.

#3 GOLDEN CHICKENS: Evolution of the MaaS

Throughout March and April 2020, QuoIntelligence (formerly: QuoINT) observed four attacks utilizing various tools from the Golden Chickens (GC) Malware-as-a-Service (MaaS) portfolio. We are now declassifying our findings for the general public.