FIN6 Hackers Target Recruiters with Fake Job Seekers and Malware-Loaded Resumes

FIN6 hackers are impersonating job seekers to infiltrate recruiter systems, delivering the More_Eggs malware via AWS-hosted resume sites and phishing tactics on LinkedIn and Indeed.

    FIN6 Switches Tactics: From POS Fraud to HR-Focused Cyberattacks

    The threat group FIN6, also known as Skeleton Spider, is now targeting recruiters and human resources departments with a phishing campaign that uses fake job seekers to deliver malware. Known for earlier attacks on point-of-sale (POS) systems and ties to ransomware operations like Ryuk and LockerGoga, FIN6 has shifted toward credential theft and system backdooring via social engineering.

    HR Departments Targeted Through LinkedIn and Indeed

    Instead of posing as recruiters, FIN6 now flips the script—posing as applicants. Using fake identities, they contact recruiters on platforms like LinkedIn and Indeed. The threat actors build trust through messages before sending follow-up emails with resume links.

    The links are not clickable. Victims are told to type the resume site address into their browser manually, a step that keeps the URL out of reach of email security tools that scan, rewrite, or sandbox links. These domains are anonymously registered through GoDaddy and hosted on Amazon Web Services (AWS), whose trusted reputation helps the sites avoid detection.

    Example Domains Used in the Attack

    The domains are themed around fictional applicants and include:

    • bobbyweisman[.]com
    • emersonkelly[.]com
    • kimberlykamara[.]com
    • bobbybradley[.]net
    • alanpower[.]net
    • edwarddhall[.]com

    Each of these sites is carefully designed to appear legitimate and bypass automated analysis.

    Behavioral Fingerprinting Filters Out Non-Targets

    FIN6 uses advanced behavioral checks and environmental fingerprinting to control who sees the malicious content. If a connection is made via a VPN or from Linux/macOS systems, the site serves harmless content. Only users on expected configurations—typically corporate Windows systems—can reach the malware payload.

    Malware Delivery via Resume ZIP Files

    Once a recruiter reaches the targeted landing page, they are prompted to complete a fake CAPTCHA step. After that, they’re encouraged to download a ZIP file supposedly containing the candidate’s resume.

    The ZIP contains a disguised .LNK Windows shortcut file that executes a script to download More_Eggs, a JavaScript backdoor.

    More_Eggs, developed by another actor called Venom Spider, is a modular backdoor-as-a-service. Once active, it can:

    • Execute commands remotely
    • Steal credentials
    • Deliver further malware payloads
    • Run PowerShell scripts silently

    This malware enables FIN6 to move laterally across corporate networks, gather sensitive data, or deliver ransomware.

    FIN6’s HR-Focused Spear-Phishing Technique Explained

    The full attack chain follows a clear sequence:

    1. Impersonation: Threat actors create convincing applicant personas.
    2. Outreach: They contact recruiters via job platforms.
    3. Phishing email: A follow-up message includes a non-clickable resume site URL.
    4. Fake site: Hosted on AWS, personalized using fingerprinting.
    5. CAPTCHA and download: Victim sees a CAPTCHA and downloads a booby-trapped resume file.
    6. Malware delivery: The LNK file downloads the More_Eggs JavaScript backdoor.
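Steps 3 to 5 leave a recognisable trace in web proxy logs: a visit with no Referer header (the URL was typed in rather than clicked) to a low-reputation host, followed shortly afterwards by a ZIP download from that same host. The following detector, an added example rather than code from the article or from DomainTools, flags that sequence and also matches the six domains listed above. The log format, the sample log lines, the `resume-of-jane-doe.example` host, the client addresses and the `TRUSTED_HOSTS` allowlist are all constructed for this illustration and would be replaced by your proxy's real format and your own allowlist.

```python
"""Flag the FIN6 'type in the resume site, then download a ZIP' pattern in proxy logs.

Added example; not code from the article or from DomainTools. The log format
and every log line below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse


def refang(domain: str) -> str:
    """The article writes domains defanged as bobbyweisman[.]com; restore the dot."""
    return domain.replace("[.]", ".")


# Domains named in the article as used in the campaign.
FIN6_DOMAINS = {refang(d) for d in (
    "bobbyweisman[.]com", "emersonkelly[.]com", "kimberlykamara[.]com",
    "bobbybradley[.]net", "alanpower[.]net", "edwarddhall[.]com",
)}

# Hypothetical allowlist of hosts where a direct visit or a ZIP download is normal.
TRUSTED_HOSTS = {"www.linkedin.com", "www.indeed.com", "intranet.example.corp"}


@dataclass
class Event:
    ts: datetime
    client: str
    url: str
    referrer: str       # "-" means the proxy saw no Referer header (typed-in navigation)
    content_type: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""


def parse_line(line: str) -> Event:
    """Constructed format: <ISO time> <client> <url> <referrer> <content-type>."""
    ts, client, url, ref, ctype = line.split()
    return Event(datetime.fromisoformat(ts), client, url, ref, ctype)


def assess(events: list[Event], window: timedelta = timedelta(minutes=15)) -> list[tuple[str, str]]:
    """Return (client, reason) findings in time order."""
    findings: list[tuple[str, str]] = []
    # (client, host) -> time of the first no-referrer visit to that untrusted host
    typed_in: dict[tuple[str, str], datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        host = ev.host
        if host in FIN6_DOMAINS:
            findings.append((ev.client, f"known FIN6 resume-site domain: {host}"))
            continue
        if host in TRUSTED_HOSTS:
            continue
        if ev.referrer == "-":
            typed_in.setdefault((ev.client, host), ev.ts)
        is_zip = ev.url.lower().endswith(".zip") or ev.content_type in (
            "application/zip", "application/x-zip-compressed")
        if is_zip:
            first = typed_in.get((ev.client, host))
            if first is not None and ev.ts - first <= window:
                findings.append((ev.client, f"ZIP download from manually entered site {host}"))
    return findings


def scan(log_text: str) -> list[tuple[str, str]]:
    return assess([parse_line(l) for l in log_text.splitlines() if l.strip()])


# Constructed sample log: one recruiter types in a resume site and fetches a ZIP,
# another visits a domain from the article, a third downloads from the intranet.
SAMPLE_LOG = """\
2025-06-10T09:02:11 10.1.1.20 https://www.linkedin.com/messaging/ - text/html
2025-06-10T09:05:40 10.1.1.20 https://resume-of-jane-doe.example/ - text/html
2025-06-10T09:06:02 10.1.1.20 https://resume-of-jane-doe.example/verify https://resume-of-jane-doe.example/ text/html
2025-06-10T09:06:30 10.1.1.20 https://resume-of-jane-doe.example/Jane_Doe_Resume.zip https://resume-of-jane-doe.example/verify application/zip
2025-06-10T09:10:00 10.1.1.31 https://bobbyweisman.com/ - text/html
2025-06-10T09:12:00 10.1.1.42 https://intranet.example.corp/hr/candidate.zip - application/zip
"""

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```

The 15-minute window is an assumption; the fake CAPTCHA step means the download usually follows the first visit within a few minutes, so a short window keeps the rule quiet on unrelated ZIP traffic. Because the sites serve benign content to non-Windows visitors, the same rule is more useful than replaying the URL from a Linux analysis box.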

    FIN6’s Sophistication Lies in Simplicity and Targeting

    DomainTools researchers, who tracked this activity, emphasize that FIN6’s method is low in technical complexity but high in effectiveness. By flipping the traditional job scam model and focusing on trusted recruiters, FIN6 bypasses common email security and sandbox environments.

    This FIN6 credential theft campaign is one of the first to weaponize the HR screening process so directly and effectively.

    Key Protective Measures for Recruiting Teams

    Recruiters and HR staff should stay alert, especially when asked to download resumes from external links. Key recommendations include:

    • Verifying job applicant identities before clicking any links or downloading resumes
    • Avoiding manual entry of URLs from emails
    • Using sandbox environments for file and link analysis
    • Blocking ZIP attachments with embedded LNK files
    • Monitoring for behavioral signs of FIN6 malware activity on endpoints
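The recommendation to block ZIP attachments with embedded LNK files, and the delivery step described earlier (a disguised .LNK inside the resume ZIP), can both be served by one archive inspector at the mail gateway or download proxy. The inspector below is an added example, not code from the article or from DomainTools. It checks each member's extension, looks for the Windows Shell Link header so a shortcut renamed to hide its type is still caught, flags the document-style double extension that Explorer displays without the trailing `.lnk`, and treats encrypted members as uninspectable. The sample archive and its member names are constructed in memory; the `LNK_MAGIC` constant is the standard Shell Link header (size `0x4C` followed by CLSID `00021401-0000-0000-C000-000000000046`).

```python
"""Inspect ZIP files for Windows shortcut (.LNK) members before they reach a recruiter.

Added example; not code from the article or from DomainTools. The sample
archives built at the bottom are constructed for illustration.
"""
from __future__ import annotations

import io
import zipfile

# Shell Link header: HeaderSize 0x0000004C, then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
DOC_EXTS = {"pdf", "doc", "docx", "rtf", "txt"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Reasons (possibly none) why this archive member looks like a shortcut lure."""
    reasons: list[str] = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    has_lnk_ext = parts[-1] == "lnk"
    if has_lnk_ext:
        reasons.append("member has .lnk extension")
        if len(parts) >= 3 and parts[-2] in DOC_EXTS:
            reasons.append("double extension disguises shortcut as a document (Explorer hides .lnk)")
    if head.startswith(LNK_MAGIC):
        reasons.append("content carries the Shell Link header"
                       + ("" if has_lnk_ext else " despite a non-.lnk name"))
    return reasons


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: content cannot be inspected, so do not assume it is safe.
                findings[info.filename] = ["encrypted member, contents not inspectable"]
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_block(data: bytes) -> bool:
    """Gateway decision: block the archive if any member was flagged."""
    return bool(inspect_zip(data))


def build_sample_zip() -> bytes:
    """Constructed lure: a double-extension shortcut, a renamed shortcut, a harmless note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume_B_Weisman.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("notes.dat", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("cover_letter.txt", b"Dear hiring manager, ...")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed ordinary resume archive with no shortcut inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume.pdf", b"%PDF-1.7\n% constructed placeholder")
        zf.writestr("cover_letter.txt", b"Dear hiring manager, ...")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

Only the first 20 bytes of each member are read, so the check is cheap enough to run inline on every attachment; the header test matters because the extension alone misses a shortcut that was renamed and would be restored by a later stage.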

    No major ransomware deployment has been confirmed in relation to this campaign yet, but the delivery of More_Eggs gives FIN6 broad post-exploitation options, including potential ransomware deployment in the future.

    As FIN6 evolves from POS hacks to recruitment-based phishing, enterprise defenses must keep pace—especially those responsible for hiring and HR operations.
