FIN6 is attacking corporations by taking advantage of the HR processes used to hire new employees.

FIN6, a financially motivated cybercrime group historically known for point-of-sale system breaches and ransomware operations, has pivoted to exploiting HR workflows through a sophisticated social engineering campaign. By impersonating job seekers, they target recruiters to deploy malware and infiltrate corporate networks.

Attack Methodology

  1. FIN6 operatives pose as qualified applicants on LinkedIn and Indeed, engaging recruiters with professionally crafted messages to build trust. This reverses traditional job scam dynamics, where attackers typically pose as employers.
  2. After establishing rapport, attackers send emails containing:
    • Domain names written out as plain text rather than as clickable links (e.g., bobbyweisman.com, emersonkelly.com), so the recruiter types them in manually and email security scanners have no URL to inspect
    • Fake portfolio sites hosted on AWS, using trusted cloud infrastructure to avoid suspicion

Avoiding Detection

The malicious sites employ checks to:
• Block VPN/cloud IPs and non-Windows users
• Serve harmless content to security tools/scanners
• Display CAPTCHA walls to confirm human targets

Malware Delivery

Qualified victims receive a ZIP file containing:
• A Windows shortcut (.LNK) that silently runs JavaScript through wscript.exe
• The More_eggs backdoor (sold as malware-as-a-service), which enables:
  • Credential theft and lateral movement
  • PowerShell execution and ransomware deployment
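The delivery chain above gives defenders two cheap places to look: the archive itself (a resume or portfolio has no reason to contain a Windows shortcut) and process-creation telemetry (the Windows Script Host being launched against a script sitting in a user-writable folder). The following Python is an added example, not code from the article or from any vendor report on FIN6. It builds a constructed sample ZIP and a handful of constructed Sysmon-style process events, then applies both checks; the file names, user name and paths are all made up for the demonstration.

```python
"""Added example (not from the original article): two defensive checks for the
FIN6 ZIP-plus-LNK delivery chain.

1. archive_lnk_findings(): report Windows shortcut (.lnk) members in a ZIP,
   by extension and by file header, so a renamed shortcut is still caught.
2. suspicious_script_host_events(): flag wscript.exe/cscript.exe running a
   script from a user-writable location, the pattern an .LNK-launched
   JavaScript loader produces.

All sample data in this file is constructed for the demonstration.
"""
import io
import re
import zipfile

# Windows shortcut header: HeaderSize 0x4C followed by the ShellLink CLSID
# (00021401-0000-0000-C000-000000000046) in little-endian byte order.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script file extensions the Windows Script Host will run.
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)
# //E:<engine> forces an engine regardless of extension (e.g. a .txt run as JScript).
ENGINE_SWITCH = re.compile(r"//?e:", re.IGNORECASE)
# Locations an ordinary user can write to, where a lure would be unpacked.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData|Desktop)|Temp)\\", re.IGNORECASE)


def archive_lnk_findings(zip_bytes):
    """Return [(member_name, reason)] for every shortcut found in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            name = info.filename
            if name.lower().endswith(".lnk"):
                findings.append((name, "shortcut extension"))
            elif head == LNK_MAGIC:
                findings.append((name, "shortcut header with disguised extension"))
    return findings


def suspicious_script_host_events(events):
    """events: dicts with Sysmon Event ID 1 field names (Image, CommandLine,
    ParentImage).  Returns the events where a script host runs a script (or
    is given an engine override) from a user-writable path."""
    hits = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS:
            continue
        cmd = ev.get("CommandLine", "")
        runs_script = SCRIPT_EXT.search(cmd) or ENGINE_SWITCH.search(cmd)
        if runs_script and USER_WRITABLE.search(cmd):
            hits.append(ev)
    return hits


def build_sample_archive():
    """Constructed lure archive: a decoy text file plus two shortcuts, one
    with a double extension and one renamed to look like a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Portfolio/README.txt", "constructed decoy text")
        zf.writestr("Portfolio/Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("Portfolio/cover_letter.doc", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


# Constructed process-creation events; only the first and last are suspicious.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\recruiter\Downloads\Portfolio\profile.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\maint.vbs"',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\recruiter\Downloads\notes.js',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe //E:JScript "C:\Users\recruiter\AppData\Local\Temp\notes.txt"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for name, reason in archive_lnk_findings(build_sample_archive()):
        print(f"archive: {name} ({reason})")
    for ev in suspicious_script_host_events(SAMPLE_EVENTS):
        print(f"process: {ev['CommandLine']}")
```

The header check matters more than the extension check: Explorer hides the .lnk extension by default, and a shortcut that has been renamed outright still carries the fixed 20-byte ShellLink header. On the telemetry side, the engine-override switch is included because it lets a script host run a file whose extension says nothing about its contents, which defeats an extension-only rule.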