S0284: More_eggs
More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. [1][2]
Analyst context for executives and security teams
More_eggs is a Windows JScript backdoor associated in ATT&CK with financially motivated groups including FIN6, Cobalt Group, and Evilnum. Its business significance is not just “malware exists”; the mapped behaviors show a backdoor that can discover host, user, network, and security-tool context, communicate over web protocols, transfer additional tools, and use obfuscation or trusted Windows components such as Regsvr32 to make response harder.
Executive priority
Prioritize this as a validation scenario for Windows endpoint resilience, payment/financial operations exposure, and SOC readiness. The related groups are described by ATT&CK as financially motivated, with FIN6 linked to payment card theft and PoS compromise, and Cobalt Group linked to financial institution targeting. Leaders should ask whether critical Windows environments have enough endpoint, process, file, and network evidence to reconstruct discovery, C2, tool transfer, and cleanup activity if a More_eggs-like backdoor is found.
Technical view
ATT&CK provides no official detection text for More_eggs, so defenders should validate coverage through its mapped behaviors rather than a single malware signature. On Windows, focus on JScript/backdoor execution context, command-shell activity, Regsvr32 proxy execution, system/user/network/security software discovery, encoded or encrypted artifacts, web-protocol C2 patterns, ingress tool transfer, and file deletion. Because several related techniques are broader than Windows in ATT&CK, scope testing to the object-supported platform first: Windows.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and regsvr32.exe activity
- Script execution evidence relevant to JScript-based malware
- File creation, modification, deletion, and encoded/encrypted artifact observations
- Network connection and web proxy/DNS logs for outbound HTTP/S or other web-protocol communications
- Host discovery command output or execution traces for system, user, network, and security software enumeration
Detection direction
- Do not rely only on static malware names; tune detections around the ATT&CK-mapped behaviors: discovery, Windows command shell execution, Regsvr32 abuse, web-protocol C2, standard encoding, symmetric cryptography indicators, ingress tool transfer, and file deletion.
- Correlate short sequences: script execution or Regsvr32 activity followed by discovery commands, outbound web traffic, file downloads, and cleanup. This sequence-based view can reduce false positives from legitimate administration.
- Baseline legitimate Regsvr32, cmd.exe, and web traffic patterns on critical Windows systems before using high-severity alerts, because these tools and protocols may be used legitimately.
- Validate whether security software discovery is visible; gaps here matter because the mapped behavior indicates adversaries may check installed defensive tooling before follow-on actions.
- Preserve enough proxy, DNS, endpoint, and file telemetry for incident response, since encoded/encrypted traffic and file deletion can reduce post-incident evidence.
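The sequence-based view in the detection direction above (script host or Regsvr32 execution, then discovery commands, then outbound web traffic or file deletion on the same host inside a short window) can be checked against process and network telemetry with a small correlator. The following Python is an added example, not code from this page, from Glexia or from ATT&CK; the event schema, the 15-minute window, the discovery command list, the two-category threshold and the sample events are all constructed assumptions chosen to illustrate the chain.

```python
"""Correlate the More_eggs-style behaviour chain over endpoint events.

Added example (not from the page): initiator (wscript/cscript/regsvr32)
-> discovery commands -> outbound web traffic and/or file deletion,
all on one host within WINDOW. Event schema and samples are constructed.
"""
from datetime import datetime, timedelta

# Stage 1: script hosts and the Regsvr32 proxy-execution binary (assumed list).
INITIATORS = {"wscript.exe", "cscript.exe", "regsvr32.exe"}

# Stage 2: discovery command fragments grouped by the ATT&CK discovery
# categories the page maps (system, user, network, security software).
DISCOVERY = {
    "systeminfo": "system", "hostname": "system",
    "whoami": "user", "net user": "user",
    "ipconfig": "network", "nslookup": "network",
    "tasklist": "security_software", "sc query": "security_software",
}

WINDOW = timedelta(minutes=15)  # assumed correlation window


def classify(event):
    """Map one event to a stage label, or None if it is noise."""
    if event["kind"] == "process":
        image = event["image"].lower()
        cmd = event["cmdline"].lower()
        if image in INITIATORS:
            return "initiator"
        for needle, category in DISCOVERY.items():
            if needle in cmd:
                return "discovery:" + category
        if image == "cmd.exe" and (" del " in cmd or " erase " in cmd):
            return "deletion"
        return None
    if event["kind"] == "network" and event["dst_port"] in (80, 443):
        return "web"
    return None


def correlate(events, min_discovery=2):
    """Return one alert per host whose events form the chain within WINDOW.

    An alert needs an initiator, at least `min_discovery` distinct discovery
    categories after it, and at least one of web traffic or deletion.
    A lone regsvr32 or a single ipconfig (normal admin work) does not fire.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in sorted(by_host.items()):
        for i, start in enumerate(evs):
            if classify(start) != "initiator":
                continue
            stages, categories = {"initiator"}, set()
            for ev in evs[i + 1:]:
                if ev["ts"] - start["ts"] > WINDOW:
                    break
                label = classify(ev)
                if label is None:
                    continue
                if label.startswith("discovery:"):
                    categories.add(label.split(":", 1)[1])
                else:
                    stages.add(label)
            if len(categories) >= min_discovery and stages & {"web", "deletion"}:
                alerts.append({"host": host, "start": start["ts"],
                               "initiator": start["image"],
                               "discovery": sorted(categories),
                               "stages": sorted(stages)})
                break  # one alert per host is enough for triage
    return alerts


def at_minute(m):
    return datetime(2024, 1, 1, 9, m)


def proc(host, m, image, cmdline):
    return {"host": host, "ts": at_minute(m), "kind": "process",
            "image": image, "cmdline": cmdline}


# Constructed sample telemetry (not real logs). ws-01 shows the full chain;
# ws-02 is an administrator registering a DLL followed by one ipconfig.
SAMPLE_EVENTS = [
    proc("ws-01", 0, "wscript.exe", r"wscript.exe C:\Users\u\AppData\Roaming\update.js"),
    proc("ws-01", 1, "cmd.exe", "cmd.exe /c whoami"),
    proc("ws-01", 2, "explorer.exe", "explorer.exe"),
    proc("ws-01", 2, "ipconfig.exe", "ipconfig /all"),
    proc("ws-01", 3, "tasklist.exe", "tasklist"),
    {"host": "ws-01", "ts": at_minute(4), "kind": "network", "dst_port": 443},
    proc("ws-01", 5, "cmd.exe", r"cmd.exe /c del C:\Users\u\AppData\Roaming\update.js"),
    proc("ws-02", 10, "regsvr32.exe", r"regsvr32.exe /s C:\Program Files\Vendor\comp.dll"),
    proc("ws-02", 11, "ipconfig.exe", "ipconfig"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are deliberately loose so the example stays readable; in production the initiator set, discovery fragments and window should come from the baseline of legitimate Regsvr32, cmd.exe and web traffic that the page recommends building first.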
Mitigation priorities
- Ensure critical Windows endpoints are covered by endpoint logging and response controls capable of recording process, script, file, and network activity.
- Restrict and monitor abuse-prone native utilities such as Regsvr32 and command shell where business operations allow.
- Harden egress controls and web proxy inspection for unusual outbound web-protocol communications from endpoints that should not initiate them.
- Improve control validation for discovery behavior: user, system, network configuration, and security software enumeration should be observable and triaged in context.
- Maintain incident response playbooks for backdoor findings that include host isolation, evidence preservation, review of downloaded tools, cleanup verification, and scoping across payment or financial operations where relevant.
Analyst notes and limits
The most useful defensive framing is behavior-chain validation. More_eggs is described as a JScript backdoor with at least versions 2.0 and 4.4, and ATT&CK relationships map it to discovery, execution, command-and-control, stealth, and defense-impairment techniques. The FIN6, Cobalt Group, and Evilnum relationships justify financial-risk prioritization, but local exposure depends on the organization’s Windows estate and telemetry quality.
MITRE does not provide official detection guidance in the supplied object, and the object itself lists no tactics. Technique relationships provide defensive direction, but they do not prove activity in any specific environment. No active exploitation, customer exposure, or guaranteed detection coverage should be inferred from this object alone.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1016.001 | Internet Connection Discovery Sub-technique | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | |
| Enterprise | T1553.002 | Code Signing Sub-technique | |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | |
| Enterprise | T1033 | System Owner/User Discovery | |
Groups, software, and campaigns
G0120: Evilnum
G0037: FIN6
G0080: Cobalt Group
Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.[1][2][3][4][5][6][7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.[8]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.1 | | Current bundle | bc783d3d9f6c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Talos Cobalt Group July 2018: Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
[2] Security Intelligence More Eggs Aug 2019: Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
[3] ESET EvilNum July 2020: Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
[4] Visa FIN6 Feb 2019: Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
[5] Crowdstrike GTR2020 Mar 2020: Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
[6] More_eggs (citations: Talos Cobalt Group July 2018; ESET EvilNum July 2020)
[7] SKID (citation: Crowdstrike GTR2020 Mar 2020)
[8] SpicyOmelette (citation: Security Intelligence More Eggs Aug 2019)
[9] Terra Loader (citations: Security Intelligence More Eggs Aug 2019; Visa FIN6 Feb 2019)
[10] mitre-attack S0284
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.