Fake LinkedIn Job Offer Malware

Social Media
Advisory ID:
April 12, 2021


A new spear-phishing campaign has been discovered to be targeting professionals on LinkedIn with weaponized job offers in an attempt to infect targets with a sophisticated and dangerous backdoor trojan called "more_eggs." According to researchers, the threat actors are using zip files to trick LinkedIn users into executing the More_eggs backdoor.

Description & Consequence

In the spearphishing incident, upon downloading and executing the alleged job file, the victim would have unwittingly executed VenomLNK, an initial stage of more_eggs. By abusing Windows Management Instrumentation , VenomLNK enables the malware’s plugin loader, TerraLoader, which then hijacks legitimate Windows processes, cmstp and regsvr32. While TerraLoader is being initiated, a decoy word document is presented to the victim. The document is designed to impersonate a legitimate employment application, but it serves no functional purpose in the infection. It is merely used to distract the victim from the ongoing background tasks of more_eggs. TerraLoader then installs msxsl in the user’s roaming profile and loads the payload, TerraPreter, an ActiveX control (.ocx file) downloaded from Amazon Web Services. At this point, TerraPreter begins beaconing to a Command & Control server (C2) via the rogue copy of msxsl. The beacon signals that the more_eggs backdoor is ready for Golden Chicken’s customer to log in and begin carrying out their goal, whether it is to infect the victim with additional malware, such as ransomware, or to get a foothold into the victim’s network so as to exfiltrate data.

Upon infection, the malware takes full control of a targeted system allowing hackers to remotely use it for malicious purposes including sending, receiving, deleting, and executing files. At that time, attackers posed as staffing companies to send compromised and malicious website links to job seekers and later followed up via emails. In both cases, the aim was to infect victims’ devices with the More_eggs backdoor to steal data.

Additionally, hackers can also drop new malware on the system that can trigger ransomware infection ultimately locking victim’s files and demand ransom for decrypting keys.

Researchers also warn that the More_eggs backdoor can also exfiltrate data from a device putting your social media accounts, emails, browsing history, cryptocurrency wallets at risk of being stolen.


  1. LinkedIn users should refrain from clicking on links sent by people on social media especially from unknown and anonymous users.
  2. LinkedIn users are recommended to avoid clicking on zip or executable file at all costs. However, If you have already downloaded a file, be sure to scan it with a reliable anti-malware, but be aware that most targeted malware campaigns deliver files that are not detected by any anti-malware or anti-virus software for at least a day or two after the campaign starts, so even a seemingly safe file scan could be misleading.
  3. Furthermore, you can also scan for malicious links and files on VirusTotal, but you should be aware that any files you submit to VirusTotal can be examined by security researchers, so it is not a good idea to submit any file containing sensitive personal or company proprietary information. Either way, your security is in your hand


  1. https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire
  2. https://thehackernews.com/2021/04/hackers-targeting-professionals-with.html   
  3. https://www.binarydefense.com/threat_watch/fake-linkedin-job-offer-delivers-more_eggs-backdoor/


Related Articles