The FIN6 hacking group has adopted a new tactic: posing as attractive job candidates to get into the networks of corporate recruiters. The campaign, which pairs convincing resumes with phishing sites, aims to plant a backdoor for credential theft, further system access and, potentially, ransomware deployment, exposing a new weak point in the hiring pipeline.
The playbook of one of the cybersecurity world's most persistent adversaries has taken a twist. FIN6, a group long associated with financial fraud and, more recently, ransomware, has reportedly reversed its usual social engineering. Instead of luring job seekers with fake job offers, it now impersonates job seekers, using professionally written resumes and well-built phishing sites to gain a foothold through the very teams that run corporate hiring. The shift exposes a weak point in the human resources function, where the search for talent can become an entry route for an advanced persistent threat.
FIN6, also tracked by CrowdStrike as "Skeleton Spider," first rose to prominence through large-scale financial compromises, in particular attacks on point-of-sale (PoS) systems to harvest payment card data. Beginning in 2019, the group expanded into ransomware, working with operations such as Ryuk and LockerGoga. Its latest campaign is a further evolution: it shows a keen understanding of human behaviour and corporate process, and uses 'More Eggs' (more_eggs), a JavaScript backdoor sold as a service, to steal credentials, deepen access and stage additional payloads.
The Lure of the ‘Perfect Candidate’: A Deceptive Recruitment Drive
The heart of FIN6’s current operation lies in its deceptive approach to recruitment. Forsaking the traditional role of a malicious recruiter, the group now crafts convincing job seeker personas, initiating contact with human resources departments and recruiters via popular professional networking platforms like LinkedIn and Indeed. This initial outreach is designed to build rapport, creating an illusion of legitimacy and a genuine interest in career opportunities.
Once that initial trust is established, the interaction shifts. Professionally written phishing emails follow, with one deliberate quirk: the URL of the "resume site" is included as plain, non-clickable text. This serves two purposes. A bare URL is not a hyperlink, so link-rewriting and URL-sandboxing email gateways have nothing to inspect or detonate, and the recipient must type the address into a browser by hand, which makes the visit look like an ordinary, user-initiated one. The absence of a clickable link can even read as conscientious rather than suspicious.
The domains themselves are carefully prepared. They are registered through GoDaddy with registrant details withheld and hosted on Amazon Web Services (AWS). AWS address space carries so much legitimate traffic that security tools cannot block it wholesale, so the fake resume sites inherit a neutral reputation and attract little scrutiny. Domains observed in these campaigns, each named after the fabricated persona, include:
- bobbyweisman[.]com
- emersonkelly[.]com
- davidlesnick[.]com
- kimberlykamara[.]com
- annalanyi[.]com
- bobbybradley[.]net
- malenebutler[.]com
- lorinash[.]com
- alanpower[.]net
- edwarddhall[.]com
Evasion and Exploitation
FIN6's tradecraft extends beyond the phishing itself. To avoid wasting the lure on security analysts or automated sandboxes, the group gates the landing pages with environmental fingerprinting and behavioural checks. Visitors arriving from VPN or cloud-provider address ranges, or whose browser identifies a Linux or macOS system, never see the lure: they are served harmless content instead, which leaves sandboxes and analysts with nothing to examine. Only "qualified" victims, typically those browsing from an ordinary corporate Windows machine, are allowed to proceed. For anyone investigating such a site, that means reproducing the lure generally requires a Windows client on a residential-looking connection, which is exactly what the gating is designed to exclude.
Qualifying visitors are then presented with a fake CAPTCHA step. Passing this visual check leads to the final stage: a prompt to download a ZIP archive. The archive, ostensibly a resume or portfolio, is a Trojan horse. Inside is a Windows shortcut file (LNK) disguised as a document; because Explorer never displays the .lnk extension, a file named along the lines of Resume.pdf.lnk appears simply as a PDF. Opening it runs a script that fetches the 'More Eggs' backdoor. Developed by the threat actor tracked as "Venom Spider," 'More Eggs' is a modular backdoor capable of arbitrary command execution, credential theft, delivery of additional payloads and PowerShell execution.
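The practical defensive step at this point is to inspect any such archive without opening its contents. The following is an added example, not code from the article or from any vendor report: a small Python triage script that walks a ZIP, recognises Shell Link (.lnk) members by their header rather than their extension, parses the shortcut's StringData according to the MS-SHLLINK layout to recover what it would launch, and flags shortcuts that invoke a script host or other living-off-the-land binary. The sample archive, the shortcut inside it and the command line it carries are constructed here for the demonstration; they are not artefacts from the campaign.

```python
import io
import re
import struct
import zipfile

# Shell Link (.lnk) header constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))
# Interpreters and LOLBins a "resume" shortcut has no legitimate reason to launch.
SCRIPT_HOSTS = re.compile(
    r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\b")


def parse_lnk(data):
    """Parse a Shell Link's StringData; return a dict of fields, or None if data is not an LNK."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:        # LinkTargetIDList: 2-byte size, then the ID list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: 4-byte size that covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_FIELDS:  # StringData entries always appear in this fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le", errors="replace")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def triage_zip(zip_bytes):
    """Inspect every ZIP member without executing anything; report shortcuts and what they launch."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > 1_000_000:  # genuine LNKs are a few KB at most
                continue
            fields = parse_lnk(zf.read(info.filename))
            if fields is None:
                continue
            name = info.filename.rsplit("/", 1)[-1]
            launched = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
            hosts = list(dict.fromkeys(SCRIPT_HOSTS.findall(launched)))
            findings.append({
                "entry": info.filename,
                # Explorer hides the .lnk extension, so "Resume.pdf.lnk" is shown as "Resume.pdf".
                "double_extension": name.lower().count(".") > 1,
                "fields": fields,
                "script_hosts": hosts,
                "verdict": "suspicious" if hosts else "review",
            })
    return findings


def build_lnk(relative_path, arguments):
    """Build a minimal Shell Link carrying only RelativePath and Arguments (constructed test input)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def build_sample_zip():
    """Constructed archive shaped like the lure: one harmless file plus a double-extension shortcut.
    The command line below is an illustrative placeholder, not the campaign's real one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Portfolio/cover_letter.txt", "constructed benign content")
        zf.writestr("Portfolio/Resume.pdf.lnk",
                    build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe",
                              '/c wscript.exe //e:jscript "%TEMP%\\resume.js"'))
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["verdict"], f["entry"], "launches:", f["script_hosts"], f["fields"])
```

The check keys on the LNK header (size 0x4C and the shell link CLSID) rather than the file name, so renaming the shortcut does not evade it, and it only reads the StringData section, which is where the target path and arguments live; a real-world version would also decode the LinkTargetIDList and any EnvironmentVariableDataBlock, since a shortcut can express its target there instead.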
A New Vulnerability in the Hiring Pipeline
What makes FIN6's latest attack effective is the blend of social engineering with careful evasion. As the threat spreads, security experts are urging caution. Recruiters and HR staff are advised to treat any invitation to review a resume or portfolio with heightened scepticism, especially when it involves visiting an external website to download a file, and never to open a shortcut (.lnk) file delivered inside an archive. Companies and recruiting agencies should require candidates to submit documents through the organisation's own application channels, and should independently confirm a candidate's identity, for example by contacting listed references or verifying employment with previous employers, before engaging further or downloading any external file.
The FIN6 campaign serves as a stark reminder that in the interconnected digital age, every seemingly innocent interaction, even those integral to everyday business functions like recruitment, can be weaponized. The onus is now on organisations to adapt their defences and employee training to counter these evolving, increasingly subtle, and dangerously effective cyber threats.
About the author – Prakriti Jha is a student at National Forensic Sciences University, Gandhinagar, currently pursuing B.Sc. LL.B (Hons.) with a keen interest in the intersection of law and data science. She is passionate about exploring how legal frameworks adapt to the evolving challenges of technology and justice.