Fake Job Applications Used to Spread Malware to HR Teams

A new phishing campaign has been identified, specifically targeting HR professionals with fake job applications that deliver a malicious backdoor known as More_eggs.

These attacks, which use spear-phishing tactics, disguise malware as seemingly legitimate resumes, tricking recruiters into downloading harmful files.

In one case, a recruiter downloaded a resume file from a suspicious URL, unknowingly activating the More_eggs backdoor. This malware, which is sold as Malware-as-a-Service (MaaS), can steal sensitive credentials, including banking, email, and IT administrator account details.

The backdoor is attributed to the Golden Chickens group, also known as Venom Spider, and is used by multiple cybercrime groups such as FIN6 and Cobalt.

Previously, similar attacks were seen where LinkedIn was used to distribute phony resumes in the form of Windows shortcut files (LNK), leading to malware infection.

In this newer wave of attacks, threat actors employed spear-phishing emails to establish trust and lure their targets. A recruitment officer received a resume disguised as “John Cboins.zip,” which contained a malicious LNK file. Opening the file triggered a chain of obfuscated commands that led to the installation of the More_eggs malware.

Once activated, More_eggs performs reconnaissance on the infected system and communicates with a command-and-control server to install further malware payloads.

Some variations of this campaign include PowerShell and Visual Basic Script (VBS) components, adding more layers to the attack. The use of MaaS complicates attribution, as various cybercriminal groups can exploit the same malware infrastructure, making it difficult to pinpoint the responsible actors.

This campaign bears similarities to earlier attacks tied to FIN6, which is known for using similar techniques and tools. Another report revealed that FIN7, a different cybercrime group, has been leveraging a private packer called PackXOR to encrypt malware payloads, further complicating detection efforts. In addition, FIN7 has used AI-related honeypot websites to lure users into downloading malware like Redline Stealer and D3F@ck Loader.

Parallel campaigns have also been identified, with fake websites impersonating well-known brands like Microsoft and SAP Concur, tricking users into installing browser extensions that deliver malware such as NetSupport RAT. These fake websites often rank high in search results, driven by SEO tactics designed to increase their visibility.

To prevent such phishing attacks, HR teams and organizations should employ strict security measures, including email filtering to detect suspicious attachments, and multi-factor authentication to safeguard sensitive systems. Organizations should also ensure that security solutions are updated to detect the latest malware strains, and restrict the execution of potentially malicious scripts.
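The attachment filtering recommended above can be made concrete for the delivery vector described in this article: a ZIP archive that carries a Windows shortcut (LNK) dressed up as a resume. The following is an added example, not code from the article or from any vendor mentioned in it. It scans a ZIP held in memory and flags members by three signals: a script or executable extension, a document-looking double extension such as `resume.pdf.lnk`, and the Shell Link header magic (header size 0x4C followed by the LinkCLSID `00021401-0000-0000-C000-000000000046`), so a renamed LNK is caught even when its extension looks harmless. The sample archive, its member names and contents are constructed for the demonstration; only the outer file name "John Cboins.zip" comes from the article.

```python
import io
import zipfile

# A Windows Shell Link file starts with HeaderSize = 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions that should never arrive inside a "resume" archive (assumed policy list).
SCRIPT_EXTENSIONS = {".lnk", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                     ".ps1", ".bat", ".cmd", ".exe", ".scr"}
# Extensions a recruiter expects to see; used to spot double extensions.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a single archive member looks suspicious (empty if none)."""
    reasons = []
    basename = name.lower().rsplit("/", 1)[-1]
    parts = basename.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""

    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script/executable extension {ext}")
    # e.g. "resume.pdf.lnk": a document extension hiding in front of the real one
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("document-looking double extension")
    # Content check: catches an LNK renamed to something harmless
    if head.startswith(LNK_MAGIC):
        reasons.append("LNK header magic (Shell Link CLSID)")
    return reasons


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Scan a ZIP given as bytes; map each suspicious member name to its reasons."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed test input mimicking the delivery archive: one benign text file,
    one LNK disguised as a PDF. The LNK body is padding, not a real shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("John Cboins/cover_letter.txt", "Please find my resume attached.\n")
        zf.writestr("John Cboins/resume.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(f"BLOCK {member}: {'; '.join(reasons)}")
```

At a mail gateway this check would run before the archive reaches a mailbox; the header-magic test is the one that matters most, because extension lists are easy to bypass by renaming, while a shortcut that Explorer will actually execute must keep the Shell Link header.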