The sub-techniques beta is now live! Read the release blog post for more info.


More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. [1][2]

ID: S0284
Associated Software: Terra Loader, SpicyOmelette
Platforms: Windows
Contributors: Drew Church, Splunk
Version: 2.0
Created: 17 October 2018
Last Modified: 15 October 2019

Associated Software Descriptions

Name Description
Terra Loader [2][3]
SpicyOmelette [2]

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing

More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.[2]

Enterprise T1059 Command-Line Interface

More_eggs has used cmd.exe for execution.[2]

Enterprise T1132 Data Encoding

More_eggs has used basE91 encoding, along with encryption, for C2 communication.[2]

Enterprise T1022 Data Encrypted

More_eggs has used an RC4-based encryption method for its C2 communications.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

More_eggs will decode malware components that are then dropped to the system.[2]

Enterprise T1107 File Deletion

More_eggs can remove itself from a system.[1][2]

Enterprise T1117 Regsvr32

More_eggs has used regsvr32.exe to execute the malicious DLL.[2]

Enterprise T1105 Remote File Copy

More_eggs can download and launch additional payloads.[1][2]

Enterprise T1063 Security Software Discovery

More_eggs can obtain information on installed anti-malware programs.[1]

Enterprise T1071 Standard Application Layer Protocol

More_eggs uses HTTPS for C2.[1][2]

Enterprise T1082 System Information Discovery

More_eggs has the capability to gather the OS version and computer name.[1][2]

Enterprise T1016 System Network Configuration Discovery

More_eggs has the capability to gather the IP address from the victim's machine.[1]

Enterprise T1033 System Owner/User Discovery

More_eggs has the capability to gather the username from the victim's machine.[1][2]

Groups That Use This Software

ID Name References
G0080 Cobalt Group [1]
G0037 FIN6 [2]