FIN6 hackers are now pretending to be job seekers to hack recruiters.

A well-known cybercrime group named FIN6, also known as Skeleton Spider, has come up with a new and clever way to attack companies. This time, instead of directly hacking systems or using ransomware, they are pretending to be job seekers and targeting recruiters by sending them fake resumes and links. Their goal is to trick HR professionals into downloading malware.

These hackers are reaching out to recruiters on platforms like LinkedIn and Indeed. They act like real candidates who are applying for jobs. They send what looks like a genuine message along with a resume or a portfolio link. But instead of sending a normal clickable link or document, they share plain text URLs that the recruiter has to type into their browser manually. This method helps the hackers bypass most email filters and security tools, which usually scan attachments and links for malware.

When the recruiter types the link and visits the site, it looks like a regular portfolio website. These sites are hosted on Amazon Web Services (AWS) and use domain names that sound trustworthy, such as bobbyweisman.com or kimberlykamara.com. At first glance, everything appears normal.

But what’s actually happening behind the scenes is dangerous. These websites are designed to fingerprint the visitor’s environment before serving anything. If the visitor is using a VPN, a virtual machine, macOS, or Linux, the website shows harmless content so that it doesn’t raise any suspicion. If the site detects that the visitor is using Windows, which is commonly used by companies, it serves the real malicious content.


After this, the recruiter sees a fake CAPTCHA page to make it look more legitimate. Once they solve it, they’re prompted to download a ZIP file, which is said to contain the job seeker’s portfolio or resume. Inside this ZIP file is a Windows shortcut file (.lnk) disguised as a document. When the recruiter opens it, the file secretly runs a script that downloads malware onto the system.

The malware used is called More_Eggs, and it’s very dangerous. It is a JavaScript-based backdoor that gives the attacker full remote control over the victim’s computer. This means the hacker can steal login credentials, spread to other devices in the network, install more malware, or even launch a ransomware attack. What’s even worse is that this malware is hard to detect, as it blends in with regular activity and avoids antivirus detection.

More_Eggs is not created by FIN6 themselves. It is made by another group called Venom Spider, also known as Golden Chickens, who offer it as part of a malware-as-a-service platform. This means that any cybercriminal group, like FIN6, can purchase or rent this tool and use it in their own campaigns.

What makes this attack different is that it does not target IT staff or security teams, but rather recruiters and HR professionals. These are people who usually don’t expect to be targeted by hackers, making them easy victims. Since HR teams often open resumes and portfolios from unknown sources, they’re vulnerable to this kind of social engineering.

To prevent this kind of attack, companies should take some important steps. First, HR departments need to be trained to recognize suspicious resumes or portfolio links. They should avoid typing unknown URLs into browsers and be cautious about downloading ZIP files. Organizations should also block risky file types like .lnk at the mail gateway and on endpoints, and use endpoint detection tools that monitor for unusual activity, such as a shortcut file launching a script interpreter.

This campaign by FIN6 is a good reminder that cybersecurity is not just the responsibility of IT teams. Every department, including HR, can be a target. Hackers are getting smarter and more creative with their tactics. That’s why awareness and training are just as important as technical defenses.

Stay informed. Stay secure.

—Cybersecurity88 Editorial Team
