Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims
ID: 4c362b83-9fbf-526b-9ee8-3c45a0640650
STIX ID: report--4c362b83-9fbf-526b-9ee8-3c45a0640650
Feed Name: Arctic Wolf Blog
Threat Score
Arctic Wolf Labs describes a Venom Spider (TA4557) spear-phishing campaign targeting HR and recruiters. The campaign uses polymorphic .lnk files and obfuscated JavaScript (More_eggs_Dropper and a JavaScript backdoor) to establish persistence, evade sandboxes, and execute a modular backdoor capable of credential and data theft. The report includes technical analysis, IOCs (hashes, domains, file paths), YARA rules, MITRE ATT&CK mapping, and remediation/detection recommendations.
