In a rather creative twist in the world of cyberattacks, the hacker group known as FIN6 has started posing as job seekers. Their goal: to deceive recruiters and sneak in malware using well-crafted résumés and fake websites that appear legitimate.
FIN6, also known as “Skeleton Spider,” first gained notoriety for stealing credit card data by hacking point-of-sale systems—the kind you see in stores. But they didn’t stop there: in 2019, they leveled up by joining forces with ransomware groups like Ryuk and Lockergoga.
Lately, the group has been running social engineering campaigns to distribute a malware family called “More Eggs” (yes, that really is its name). It’s a JavaScript-based backdoor that lets them steal passwords, access corporate systems and, in many cases, launch ransomware attacks.
How Does the Attack Work?
Instead of pretending to be recruiters as seen in many job-related scams, the FIN6 group has flipped the script: now they pose as job candidates and directly target recruiters.
They use fake profiles with convincing photos and résumés, typically reaching out to hiring managers through platforms like LinkedIn or Indeed. At first, everything seems normal—a friendly message, a casual conversation… but then the real objective kicks in.
After building some trust, they send well-crafted emails containing links to supposed sites hosting their portfolio or résumé. The trick is that these links are not clickable—you have to copy and paste them into your browser. Why? Because this tactic helps them evade the automatic security filters many companies use to detect threats.
Email sent to recipients (Source: DomainTools)
FIN6 hackers are using anonymously registered domains, typically through GoDaddy, and hosting them on AWS—a widely used and trusted cloud platform that can be exploited by threat actors to evade some security tools.
In response to this situation, AWS has issued the following official statement, attributable to a company spokesperson:
“AWS has clear terms requiring our customers to use our services in compliance with applicable laws. When we receive reports of potential violations of our terms, we act quickly to review and take action to disable prohibited content. We value collaboration with the security research community and encourage researchers to report suspected abuse to AWS Trust & Safety through our dedicated abuse reporting process.”
Interestingly, these domains are customized with fake names, as if they truly belonged to real job candidates. Here are some examples of the fake sites they've used:
- bobbyweisman[.]com
- emersonkelly[.]com
- davidlesnick[.]com
- kimberlykamara[.]com
- annalanyi[.]com
- bobbybradley[.]red
- malenebutler[.]com
- lorinash[.]com
- alanpower[.]red
- edwarddhall[.]com
But that’s not all: these websites are designed to appear legitimate and employ advanced techniques to ensure that only the “right targets” can access them.
For example, if someone tries to access the site from a VPN, a cloud environment, or using Linux or macOS, they’re simply shown an innocuous-looking page that doesn’t raise any red flags. It’s a way to prevent security researchers or automated filters from detecting the scheme.
On the other hand, if the visitor passes the filter, they’re presented with a fake CAPTCHA. After that, they’re offered a ZIP file that supposedly contains a résumé… but it’s a trap. Inside is an LNK file (a Windows shortcut disguised as a document) that, when opened, runs a script and downloads the “More Eggs” malware, a powerful backdoor that allows attackers to take control of the system.
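A defender-side check for the delivery step described above, added here as an example and not taken from the article or from DomainTools: it inspects a ZIP attachment and flags any member that is a Windows shortcut, either by its `.lnk` extension or by the ShellLink header bytes, so a shortcut renamed to look like a résumé is still caught. The archive contents and file names are constructed for the demonstration.

```python
import io
import zipfile

# A Windows shell link (.lnk) starts with HeaderSize 0x4C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in little-endian byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with the ShellLink header, regardless of file name."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def find_shortcuts_in_zip(zip_bytes: bytes) -> list[dict]:
    """One finding per archive member that is a shortcut by extension or by content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as member:
                head = member.read(len(LNK_MAGIC))  # only the header is needed
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = is_lnk(head)
            if by_ext or by_magic:
                findings.append(
                    {"name": info.filename, "lnk_extension": by_ext, "lnk_header": by_magic}
                )
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a 'résumé' ZIP with a double-extension shortcut, a real PDF,
    and a shortcut whose .lnk extension was stripped (hypothetical names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("John_Doe_Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        archive.writestr("cover_letter.pdf", b"%PDF-1.4 constructed placeholder")
        archive.writestr("portfolio", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_shortcuts_in_zip(build_sample_archive()):
        print(hit)
```

Flagging on the header rather than the extension alone matters because a mail gateway that only blocks `*.lnk` by name is bypassed by a renamed shortcut.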
CAPTCHA on the page
What Is “More Eggs” and Why Should Recruiters Be Cautious?
“More Eggs” (yes, that’s its actual name) is a fairly sophisticated piece of malware created by a group known as Venom Spider. Essentially, it’s a backdoor that attackers can use to do almost anything: execute commands, steal passwords, install additional malicious software, and even run PowerShell scripts to take control of the system.
What makes this FIN6 attack particularly dangerous isn’t its technical complexity, but how cleverly it’s designed. It’s a simple yet highly effective blend of social engineering and evasion techniques aimed at slipping past security systems.
That’s why, if you work in human resources or recruitment, it’s crucial to be especially cautious when asked to review portfolios or résumés hosted on external sites. If anything seems odd—like needing to copy and paste a URL or download a ZIP file from an unfamiliar site—it’s best to be suspicious.
Moreover, both companies and recruiting agencies should independently verify candidate identities. A simple message or phone call to listed job references or previous employers can help confirm whether the person actually exists… or if they’re just a character invented by hackers.