FIN6 attackers target recruiters with fraudulent resumes
The group's phishing methods protect it from many detection tools, researchers warn
The FIN6 hacking group, also known as Skeleton Spider, has been spotted impersonating job seekers to target recruiters with malware.
Contacting recruiters and HR departments on sites such as LinkedIn or Indeed, the group submits convincing-looking job resumes containing phishing links. These links lead to the applicant's 'personal website', said to contain their resume, and are written in a 'johnsmith[.]com' format rather than as clickable URLs.
"The faulty links are crafted in a way that evades detection and blocking, requiring recipients to type them into their browsers manually," said Andrew Costis, engineering manager of the adversary research team at AttackIQ.
"The domains are registered anonymously, and come equipped with environmental fingerprinting and behavioral checks to ensure that only the target can open the landing pages."
In a new report by DomainTools, researchers identified a number of these domains hosted on AWS infrastructure, including bobbyweisman[.]com, emersonkelly[.]com, and davidlesnick[.]com.
"It is likely the actors behind these domains use disposable or fraudulent email addresses, anonymous or foreign IP addresses, and prepaid or stolen payment methods to create and maintain these accounts," the researchers said.
"Combined with the use of resume-themed domain names and impersonation techniques, this registration strategy allows FIN6 to keep their infrastructure alive just long enough to carry out active phishing campaigns while avoiding rapid takedown by security researchers or registrars."
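Because the links arrive defanged, mail and document scanners that only extract clickable URLs see nothing to check. The following Python script is an added example (not code from DomainTools or AttackIQ) of the complementary control: it scans application text for defanged domains, refangs them for blocklist lookup, and flags any that remain. The blocklist reuses the three domains named in the report; the resume text is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Domains named in the DomainTools report, used here as a constructed blocklist.
REPORTED_DOMAINS = {"bobbyweisman.com", "emersonkelly.com", "davidlesnick.com"}
# Stand-ins for a literal dot that stop the text rendering as a link, so URL
# extractors in mail and document scanners never see a URL to check.
DEFANGED_DOT = r"(?:\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)|\s+dot\s+)"
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
TLD = r"[a-z]{2,24}"
# Matches e.g. "johnsmith[.]com" or "www(.)johnsmith(.)com".
DEFANGED_DOMAIN_RE = re.compile(rf"\b((?:{LABEL}{DEFANGED_DOT})+{TLD})\b", re.IGNORECASE)

@dataclass
class Finding:
    raw: str       # text exactly as it appeared in the document
    domain: str    # refanged, lower-case form for blocklist lookup
    position: int  # character offset, for highlighting in a review queue

def refang(raw: str) -> str:
    """Turn 'johnsmith[.]com' back into 'johnsmith.com'."""
    return re.sub(DEFANGED_DOT, ".", raw, flags=re.IGNORECASE).lower()

def find_defanged_domains(text: str) -> List[Finding]:
    """Extract every defanged domain from free text such as a resume body."""
    return [Finding(m.group(1), refang(m.group(1)), m.start())
            for m in DEFANGED_DOMAIN_RE.finditer(text)]

def triage(text: str, blocklist: Iterable[str]) -> Dict[str, str]:
    """Verdict per refanged domain. Any defanged link in an application is
    suspicious by itself: a real applicant has no reason to hide a portfolio
    URL from the recruiter's mail filter, so unknown ones still go to review."""
    known_bad = {d.lower() for d in blocklist}
    verdicts = {}
    for f in find_defanged_domains(text):
        host = f.domain[4:] if f.domain.startswith("www.") else f.domain
        verdicts[f.domain] = "block" if host in known_bad else "review"
    return verdicts

# Constructed sample application text mimicking the reported lure.
SAMPLE_RESUME = """Bobby Weisman - Senior Accounts Payable Specialist
Full resume and portfolio: bobbyweisman[.]com
Former colleague's site for references: www(.)emersonkelly(.)com
Email: bobby at example dot com
"""
```

Running `triage(SAMPLE_RESUME, REPORTED_DOMAINS)` blocks the two reported domains and sends example.com to manual review.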
The researchers said that, when accessed, the sites often display a professional-looking fake resume, lulling recruiters into a false sense of security.
Meanwhile, to help them stay under the radar, the attackers use traffic filtering techniques to control who can access the malicious content, with only users appearing to be on residential IP addresses and using common Windows-based browsers allowed to download the malicious document.
If the visitor is coming via a known VPN service, cloud infrastructure such as AWS, or a corporate security scanner, the site instead delivers a harmless plain-text version of the resume.
DomainTools said that one of the group's favorite payloads is more_eggs, a stealthy JavaScript-based backdoor developed by the Venom Spider group, also known as Golden Chickens, and offered as malware-as-a-service.
The more_eggs malware facilitates credential theft, system access and follow-on attacks, including the use of ransomware. And FIN6 has been using this malware since at least 2018, with Visa warning in 2019 that the group was targeting e-commerce firms, placing skimming malware on their checkout pages.
"What makes FIN6 a particularly dangerous group is the length of time they've survived and the breadth of different attack tactics they've been observed implementing," said Costis.
"The group has compromised point-of-sale systems to conduct financial fraud, expanded into ransomware attacks, and most recently used social engineering campaigns to deliver malware-as-a-service JavaScript backdoors for credential theft. This vast pool of experience makes them especially threatening to unprotected data."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.