Hackers target recruiters with fake CVs and malware
Recruiters lured into opening disguised malware hidden in CV links.

A financially driven hacking group known as FIN6 has reversed the usual job scam model by targeting recruiters instead of job seekers. Using realistic LinkedIn and Indeed profiles, the attackers pose as candidates and send malware-laced CVs hosted on reputable cloud platforms.
to type in resume URLs manually, bypassing email security tools. These URLs lead to fake portfolio sites hosted on Amazon Web Services that selectively deliver malware to users who pass as humans.
Victims receive a zip file containing a disguised shortcut that installs the more_eggs malware, which is capable of credential theft and remote access.
This JavaScript-based tool, linked to another group known as Venom Spider, uses legitimate Windows utilities to evade detection.
The campaign includes stealthy techniques such as traffic filtering, living-off-the-land binaries, and persistent registry modifications. Domains used include those mimicking real names, allowing attackers to gain trust while launching a powerful phishing operation.
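A triage check for the delivery step described above, a zip file carrying a disguised shortcut, written as an added example and not taken from the report or from any vendor tooling. The function names, the extension lists and the sample file names are assumptions; the article does not say how the shortcut is disguised, so the check covers both a document-style double extension and a shortcut renamed to another extension.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Windows shell link header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
SHORTCUT_EXTS = {".lnk", ".url"}                  # assumed list of shortcut types
DOC_EXTS = {".pdf", ".doc", ".docx", ".rtf"}      # assumed CV-style extensions

def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per archive entry that is, or looks like, a shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename.replace("\\", "/"))
            suffixes = [s.lower() for s in name.suffixes]
            with zf.open(info) as fh:
                header = fh.read(len(LNK_MAGIC))
            by_ext = bool(suffixes) and suffixes[-1] in SHORTCUT_EXTS
            by_magic = header.startswith(LNK_MAGIC)
            if not (by_ext or by_magic):
                continue
            findings.append({
                "entry": info.filename,
                "shortcut_ext": by_ext,
                "lnk_magic": by_magic,
                # e.g. "CV.pdf.lnk": Explorer hides ".lnk", so the user sees "CV.pdf"
                "double_extension": len(suffixes) > 1 and suffixes[-2] in DOC_EXTS,
            })
    return findings

def build_sample() -> bytes:
    """Constructed sample archive: harmless bytes, not a working shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Jane_Doe_CV.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("cover_letter.txt", "Dear hiring team")
        zf.writestr("portfolio/photo.jpg", b"\xff\xd8\xff\xe0")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

Because the resume URLs are typed in by hand and never pass through the mail gateway, a check like this belongs on the endpoint or web proxy where the download actually lands.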