Hackers pose as job seekers: opening a resume leads to ransomware


Cybercriminals are increasingly applying for jobs, posing as potential candidates. Their sole goal is to convince recruiters to open their malicious resumes.

Financially motivated cybercriminals have found a weak link in organizations’ security: hiring managers opening resumes provided by applicants.

Security researchers from DomainTools are warning about a threat actor known as Skeleton Spider or FIN6, which is actively exploiting a novel vector to deploy ransomware. They pose as job seekers, initiate conversations through LinkedIn, Indeed, and other platforms, build rapport, and then exploit professional trust.


“FIN6 uses trusted cloud services, such as AWS, to host malicious infrastructure, evade detection, and ultimately deploy malware through socially engineered lures,” said the threat intelligence firm, which specializes in Whois and other DNS profile data.


The attack starts with an apparently innocuous email impersonating a job applicant, but the danger does not come from the inbox directly. The fake applicant appears enthusiastic and first initiates contact on LinkedIn or Indeed, and only then follows up with the real threat.

“This adds a layer of authenticity and increases the chances of the recruiter trusting the source.”

In a final phishing message, the hacker directs the recruiter to a personal website that supposedly hosts a portfolio and resume. The message is deliberately written without any clickable link that a security filter could inspect: the address is given as plain text for the recruiter to type in manually.

The malicious domains mimic the fake applicants' names by combining a first and last name. The phishing sites are hosted on AWS and other trusted cloud providers. To further evade detection, the threat actor adds filtering logic to the websites so that the malicious version is served only to the intended victims.


The sites check the visitor's IP address and geolocation to exclude VPN exits and known threat-intelligence and scanner networks, filter out visitors whose user agent indicates Linux or an uncommon browser, and present a CAPTCHA to confirm that a human is present.


“If the visitor originates from a known VPN service, cloud infrastructure like AWS, or corporate security scanners, the site instead delivers a harmless plain-text version of the resume,” the report reads.

Only a visitor who passes every one of these checks is offered the ZIP download, and that archive is what carries the malware.
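The gating sequence described above is why an analyst's sandbox, a URL scanner, or a VPN-connected researcher usually retrieves nothing but the harmless plain-text resume. The following Python model of that cloaking logic is an added example written for this article, not code from the report or from the attackers; it lets a defender check which condition a given detonation profile would trip. The IP ranges (RFC 5737 documentation networks), the target-country set, and the user-agent heuristic are all constructed assumptions standing in for the commercial IP-intelligence feeds such a site would really consult.

```python
import ipaddress

# Constructed illustrative ranges (RFC 5737 documentation networks), assumed to play the
# role of the cloud/scanner and VPN lists a cloaked site would consult.
CLOUD_AND_SCANNER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed: AWS / security scanners
VPN_EXIT_NETS = [ipaddress.ip_network("203.0.113.0/24")]            # assumed: known VPN exits
TARGET_COUNTRIES = {"US", "GB", "CA"}                                # assumed target geography


def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def _looks_like_target_browser(user_agent: str) -> bool:
    """Crude stand-in for the 'Linux or uncommon user agent' filter the report describes.

    Assumption: the operator wants a mainstream desktop/mobile browser and treats desktop
    Linux as analyst or sandbox traffic. Android UAs also contain 'Linux', so they are kept.
    """
    ua = user_agent or ""
    if "Mozilla/5.0" not in ua:                    # curl, python-requests, scanners
        return False
    if "Linux" in ua and "Android" not in ua:      # desktop Linux
        return False
    return any(tok in ua for tok in ("Windows NT", "Macintosh", "iPhone", "Android"))


def classify_visitor(ip: str, country: str, user_agent: str, captcha_solved: bool) -> str:
    """Return which variant the cloaked site would serve: 'decoy', 'captcha' or 'zip'."""
    if _in_any(ip, CLOUD_AND_SCANNER_NETS) or _in_any(ip, VPN_EXIT_NETS):
        return "decoy"                             # plain-text resume, nothing malicious
    if country not in TARGET_COUNTRIES:
        return "decoy"
    if not _looks_like_target_browser(user_agent):
        return "decoy"
    if not captcha_solved:
        return "captcha"                           # human check before the real page
    return "zip"                                   # the malicious archive is offered


# Constructed user-agent strings for the examples below.
WIN_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
LINUX_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"


def sandbox_sees_payload(ip: str, country: str, user_agent: str, captcha_solved: bool) -> bool:
    """True only if a detonation profile would be handed the ZIP rather than the decoy."""
    return classify_visitor(ip, country, user_agent, captcha_solved) == "zip"


if __name__ == "__main__":
    profiles = {
        "cloud sandbox, Windows UA":   ("198.51.100.7", "US", WIN_CHROME, True),
        "analyst over VPN":            ("203.0.113.9", "US", WIN_CHROME, True),
        "analyst on Linux, home IP":   ("192.0.2.55", "US", LINUX_FIREFOX, True),
        "recruiter, CAPTCHA pending":  ("192.0.2.55", "US", WIN_CHROME, False),
        "recruiter, CAPTCHA solved":   ("192.0.2.55", "US", WIN_CHROME, True),
    }
    for label, args in profiles.items():
        print(f"{label:28s} -> {classify_visitor(*args)}")
```

The practical point for defenders: to capture the real payload for analysis, the fetch has to come from a non-cloud, non-VPN address in the target geography, carry a Windows browser user agent, and clear the CAPTCHA; anything less returns the benign decoy, which is exactly what automated URL scanning usually sees.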

In the current campaign, the ZIP archive contains a disguised Windows shortcut (.LNK) file. Windows Explorer hides the .lnk extension even when other extensions are shown, so a shortcut named like a PDF resume displays as one. Opening the shortcut runs a hidden JavaScript loader, which ultimately downloads a backdoor called “More_eggs” from external resources. More_eggs is a modular backdoor that allows command execution, credential theft and follow-on payload delivery, and it often operates in memory to evade detection.


The attackers can register any number of such name-based domains. Researchers observed the following:

  • bobbyweisman[.]com
  • emersonkelly[.]com
  • davidlesnick[.]com
  • kimberlykamara[.]com
  • annalanyi[.]com
  • bobbybradley[.]net
  • malenebutler[.]com
  • lorinash[.]com
  • alanpower[.]net
  • edwarddhall[.]com

“These sites often display a professional-looking fake resume, complete with a CAPTCHA to verify human access,” the researchers warn.

DomainTools recommends recruiters never download ZIP files unless verified by the IT team.

“Avoid manually typing in resume links from unknown senders. Be cautious of CAPTCHA-protected resume sites.”

Network defenders can block the execution of .LNK files delivered inside ZIP archives from untrusted sources, monitor for suspicious outbound traffic, implement policies against scripting-engine abuse (for example, restricting the Windows Script Host that runs such JavaScript), and watch for persistence indicators in the Registry and in scheduled tasks.
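Blocking shortcuts in untrusted archives is simpler if the check runs before anyone double-clicks, at the mail gateway or in a pre-download scan. The following Python scanner is an added example written for this article, not DomainTools' tooling or anything recovered from the campaign. It flags ZIP entries that are shortcuts by extension, by the double-extension trick (`Resume.pdf.lnk`), and by the real MS-SHLLINK header magic, so a shortcut renamed to `.pdf` is still caught. The sample archive it builds is constructed here for the demonstration and is not a real FIN6 artifact.

```python
import io
import zipfile

# Real Shell Link (MS-SHLLINK) header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def is_lnk_bytes(head: bytes) -> bool:
    """True if the first 20 bytes match a Windows shortcut header, regardless of file name."""
    return head[: len(LNK_MAGIC)] == LNK_MAGIC


def scan_zip_for_lnk(zip_bytes: bytes) -> list:
    """Return a finding per archive entry that looks like a Windows shortcut.

    Only the first 20 bytes of each entry are read, so an oversized or decompression-bomb
    entry does not need to be fully inflated to be classified.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = []
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base.endswith(".lnk"):
                reasons.append("lnk-extension")
                # Explorer hides .lnk even when other extensions are shown, so
                # 'Resume.pdf.lnk' is displayed to the recruiter as 'Resume.pdf'.
                if base.count(".") >= 2:
                    reasons.append("double-extension")
            if is_lnk_bytes(head):
                reasons.append("lnk-magic")       # catches a shortcut renamed to .pdf/.docx
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def verdict(zip_bytes: bytes) -> tuple:
    """Gateway-style decision: block the whole archive if any entry is a shortcut."""
    findings = scan_zip_for_lnk(zip_bytes)
    return ("block", findings) if findings else ("allow", [])


def build_sample_zip() -> bytes:
    """Constructed sample imitating the lure's layout (not a real campaign artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("John_Doe_Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 56)  # disguised shortcut
        zf.writestr("cv.pdf", LNK_MAGIC + b"\x00" * 56)                   # shortcut renamed to .pdf
        zf.writestr("portfolio/README.txt", b"Thanks for considering my application.\n")
        zf.writestr("real.pdf", b"%PDF-1.4\n%%EOF\n")                     # benign, should pass
    return buf.getvalue()


if __name__ == "__main__":
    decision, hits = verdict(build_sample_zip())
    print(decision)
    for hit in hits:
        print(f"  {hit['name']} ({hit['size']} bytes): {', '.join(hit['reasons'])}")
```

Checking the header rather than only the name matters because the ZIP can carry the shortcut under any extension; the magic check is cheap and does not depend on what Explorer chooses to display. A nested archive inside the ZIP is not unpacked here, so a production gateway would recurse into embedded ZIPs as well.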
