FIN6 Distributes More_eggs Malware via Fake LinkedIn Resumes Hosted on AWS

The financially driven threat group known as FIN6 has been seen using fake resumes hosted on Amazon Web Services (AWS) to distribute a malware strain known as More_eggs. 

According to a report from the DomainTools Investigations (DTI) team shared with The Hacker News, the attackers pose as job seekers and engage recruiters on platforms like LinkedIn and Indeed. After building trust, they send phishing links that lead to the malware. 

More_eggs, developed by another cybercriminal group known as Golden Chickens (also called Venom Spider), is a JavaScript-based backdoor. It supports credential theft, remote system access, and follow-up attacks, including ransomware. Golden Chickens is also known for creating other malware tools such as TerraStealerV2 and TerraLogger.

FIN6, also known by aliases such as Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, and TA4557, has been active since 2012. The group initially targeted point-of-sale (PoS) systems in the hospitality and retail sectors to steal payment card data. It has also used Magecart JavaScript skimmers to compromise e-commerce sites.

Visa reports that FIN6 has used More_eggs as an initial malware payload since at least 2018. The goal was to breach e-commerce merchants and inject malicious code into checkout pages to steal payment card information. 

Secureworks notes that FIN6 monetizes this stolen data by selling it to intermediaries or on dark web marketplaces such as JokerStash, which was shut down in early 2021. 

In its latest tactics, FIN6 initiates contact with recruiters by pretending to be job applicants. They share links to domains like bobbyweisman[.]com or ryanberardi[.]com, which appear to be personal portfolios hosting resumes. These domains are registered anonymously via GoDaddy, making it harder to trace and shut down the operation. 

DomainTools explains that by using GoDaddy's privacy services, FIN6 can keep registrant information hidden, complicating efforts to take down these malicious domains. Although GoDaddy is a legitimate and widely used registrar, its privacy options can help threat actors remain anonymous. 

The attackers also rely on reputable cloud platforms like AWS EC2 or S3 to host phishing pages. These sites include traffic filters that display the malicious content only to selected visitors. Victims must complete a CAPTCHA, after which they are offered a download link. Only users on residential IP addresses and using common Windows browsers are given the malware. Those using VPNs, cloud networks, or corporate scanners see a harmless text resume instead. 
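The filtering described above means a URL scanner or sandbox fetching from a cloud IP range is handed the decoy resume and never sees the archive. The defensive counter is to retrieve a suspect URL from more than one vantage point and client fingerprint and compare what came back. The following is an added example written for this article, not code from DomainTools or The Hacker News; the URLs, fetch records and response bodies are constructed placeholders standing in for real retrievals, and the "residential"/"datacenter" and "windows-browser"/"scanner" labels are assumed fields that a collection pipeline would populate.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fetch:
    """One retrieval of a URL from a given vantage point and client fingerprint.
    Field values are assumptions for this example, not fields from the report."""
    url: str
    vantage: str        # "residential" or "datacenter": where the request originated
    client: str         # "windows-browser" or "scanner": what the request looked like
    content_type: str
    body: bytes

    @property
    def body_sha256(self) -> str:
        return hashlib.sha256(self.body).hexdigest()


def find_cloaked_urls(fetches: list[Fetch]) -> dict[str, dict[str, list[str]]]:
    """Group fetches by URL and report every URL whose response body differed by
    fingerprint. Result: url -> {body sha256 -> sorted 'vantage/client' labels that
    received that body}. URLs that served a single body to everyone are omitted."""
    served: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in fetches:
        served[f.url][f.body_sha256].add(f"{f.vantage}/{f.client}")
    return {
        url: {digest: sorted(labels) for digest, labels in bodies.items()}
        for url, bodies in served.items()
        if len(bodies) > 1
    }


def gated_archive_delivery(fetches: list[Fetch]) -> set[str]:
    """URLs where only the residential Windows-browser fetch received a ZIP archive
    while every other fingerprint got non-archive content: the exact shape of the
    filter the article describes."""
    by_url: dict[str, list[Fetch]] = defaultdict(list)
    for f in fetches:
        by_url[f.url].append(f)
    hits = set()
    for url, fs in by_url.items():
        target = [f for f in fs if f.vantage == "residential" and f.client == "windows-browser"]
        others = [f for f in fs if f not in target]
        if not target or not others:
            continue  # not enough vantage points to compare
        if all(f.content_type.startswith("application/zip") for f in target) and \
                not any(f.content_type.startswith("application/zip") for f in others):
            hits.add(url)
    return hits


# Constructed sample fetches: one URL that cloaks, one that serves the same PDF to all.
SAMPLE_FETCHES = [
    Fetch("https://portfolio.example/resume", "residential", "windows-browser",
          "application/zip", b"PK\x03\x04 placeholder archive bytes"),
    Fetch("https://portfolio.example/resume", "datacenter", "scanner",
          "text/plain", b"Plain-text resume decoy"),
    Fetch("https://portfolio.example/resume", "datacenter", "windows-browser",
          "text/plain", b"Plain-text resume decoy"),
    Fetch("https://portfolio.example/resume", "residential", "scanner",
          "text/plain", b"Plain-text resume decoy"),
    Fetch("https://honest.example/cv.pdf", "residential", "windows-browser",
          "application/pdf", b"%PDF-1.4 placeholder"),
    Fetch("https://honest.example/cv.pdf", "datacenter", "scanner",
          "application/pdf", b"%PDF-1.4 placeholder"),
]

if __name__ == "__main__":
    print("cloaked:", find_cloaked_urls(SAMPLE_FETCHES))
    print("gated archive delivery:", gated_archive_delivery(SAMPLE_FETCHES))
```

The point of keeping the two functions separate is that `find_cloaked_urls` is a generic "did the server tell different clients different things" check that is worth running on any reported URL, while `gated_archive_delivery` encodes the specific residential-browser-only pattern so it can be turned into a higher-severity alert.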

The malicious resume is downloaded as a ZIP file. When opened, it launches the infection process and installs the More_eggs malware. 
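A resume that arrives as a ZIP archive is a signal in itself, and the archive's member names are the cheapest place to catch the lure before anything is opened. The article does not say what the archive contains beyond launching the infection, so the following added example (not code from the report or from any product) checks for the general warning signs a triage script would look for: script, shortcut or executable members, document-looking double extensions, and whitespace padding that pushes the real extension out of view. The extension lists are general guidance, and the two sample archives are constructed in memory with placeholder bytes.

```python
import io
import zipfile
from dataclasses import dataclass

# File types that have no business inside a "resume" archive. More_eggs is a
# JavaScript-based backdoor, so script and shortcut types matter most; the list
# is general triage guidance, not taken from the DomainTools report.
SUSPICIOUS_EXTENSIONS = {
    ".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta", ".lnk",
    ".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".msi", ".iso", ".img",
}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".odt"}


@dataclass(frozen=True)
class Finding:
    member: str
    reason: str


def _split_extensions(member_name: str) -> tuple[list[str], bool]:
    """Return the member's extension chain (lower-cased, stripped) and whether any
    extension part carried whitespace padding such as 'Resume.pdf      .lnk'."""
    base = member_name.rsplit("/", 1)[-1]
    parts = base.split(".")[1:]
    padded = any(p != p.strip() for p in parts)
    return ["." + p.strip().lower() for p in parts], padded


def triage_resume_zip(archive: bytes) -> list[Finding]:
    """Inspect every member of a ZIP that arrived as a 'resume' and report members
    that look like executable content or carry a disguised name."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts, padded = _split_extensions(info.filename)
            if not exts:
                findings.append(Finding(info.filename, "member has no file extension"))
                continue
            final = exts[-1]
            if final in SUSPICIOUS_EXTENSIONS:
                findings.append(Finding(info.filename, f"executable or script member ({final})"))
            if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS and final not in DOCUMENT_EXTENSIONS:
                findings.append(Finding(info.filename, "document-looking double extension"))
            if padded:
                findings.append(Finding(info.filename, "whitespace padding hides the real extension"))
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP for testing; member contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a genuine-looking resume archive and a lure-shaped one.
BENIGN_ZIP = build_sample_zip({"resume.pdf": b"%PDF-1.4 placeholder"})
LURE_ZIP = build_sample_zip({
    "Resume.pdf.js": b"// placeholder text, not a real script",
    "Resume.pdf      .lnk": b"placeholder shortcut bytes",
    "cover_letter.txt": b"Dear hiring manager, ...",
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("lure", LURE_ZIP)):
        print(label, [(f.member, f.reason) for f in triage_resume_zip(blob)])
```

The script never extracts or opens a member; it reads only the central directory, so it is safe to run on a mail gateway or in a ticket-triage workflow before anyone decides whether the archive warrants detonation in a sandbox.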

Researchers concluded that the Skeleton Spider campaign shows how simple phishing strategies can be highly effective when combined with trusted infrastructure and evasion techniques. By using realistic job-related lures, avoiding detection tools, and placing malware behind CAPTCHA protections, FIN6 continues to evade many security systems. 
