
In a notable shift from traditional social engineering tactics, the financially motivated FIN6 hacking group has begun impersonating job seekers to compromise recruiters’ devices. This campaign leverages convincing resumes and phishing sites to deliver the More_eggs malware, which acts as a gateway for GoldenEye ransomware and credential theft [1]. The operation exploits HR workflows and uses the Malware-as-a-Service (MaaS) toolkit *Golden Chickens*, marking a significant evolution in recruitment-based attacks [2].
TL;DR: Key Points
- Tactic: FIN6 impersonates job seekers, attaching malicious `.lnk` files to fake resumes.
- Malware: More_eggs backdoor enables GoldenEye ransomware and credential theft.
- Targets: HR departments and recruiters in finance, tech, and healthcare sectors.
- Mitigation: Verify job applicants via official channels; monitor for suspicious `.lnk` files.
Attack Chain and Technical Details
The campaign begins with fake job applications sent to recruiters, often via LinkedIn or email. These applications include resumes with embedded `.lnk` files that execute PowerShell scripts to fetch More_eggs from attacker-controlled servers [3]. Once installed, the malware establishes persistence and communicates with C2 servers using encrypted channels, often mimicking legitimate HR software traffic.
More_eggs is modular, allowing attackers to deploy additional payloads like GoldenEye ransomware or banking trojans. Recent analysis by Trend Micro reveals that FIN6 has updated its infrastructure to evade detection, using compromised recruitment agency domains for phishing sites [4].
Broader Threat Landscape
This tactic mirrors trends observed in other campaigns, such as North Korea’s Lazarus Group impersonating Capital One recruiters to deliver malware via fake coding tests [5]. Similarly, DPRK-linked actors have placed AI-generated fake remote workers in EU/UK firms, with over 300 infiltrations reported in 2024 [6].

| Group | Malware | Target Sector |
|---|---|---|
| FIN6 | More_eggs, GoldenEye | Finance, Healthcare |
| Lazarus Group | BeaverTail, InvisibleFerret | Tech, Crypto |
Mitigation Strategies
For organizations:
- Implement application whitelisting to block `.lnk` files from untrusted sources.
- Use sandboxed environments to review suspicious attachments.
- Train HR teams to recognize social engineering red flags (e.g., overly generic resumes).
For recruiters, live video interviews can help verify candidate identities, while endpoint detection tools should monitor for anomalous process injections linked to More_eggs [7].
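The attack chain above hinges on a shortcut (`.lnk`) posing as a resume and launching PowerShell, and the mitigation list asks for monitoring of suspicious `.lnk` files. The following triage script is an added example, not code from the original article or from any vendor named in it: it parses the fixed Shell Link header and the StringData section of a `.lnk` file (layout per Microsoft's MS-SHLLINK specification) and flags shortcuts whose target or arguments invoke a script host, especially when the shortcut borrows a document icon. The indicator patterns and the `build_lnk` helper that produces the constructed sample files are assumptions for illustration, not fields observed in FIN6 samples.

```python
"""Triage .lnk files for the 'resume that is really a shortcut' lure described above:
parse the ShellLinkHeader and StringData (MS-SHLLINK) and flag script-host launches."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location")]  # spec order
SCRIPT_HOST = re.compile(r"powershell|pwsh|\bmshta\b|\bw?cscript\b|cmd\.exe|-enc|frombase64|downloadstring|"
                         r"downloadfile|invoke-expression|\biex\b|-w(?:indowstyle)? hidden", re.I)
DOC_ICON = re.compile(r"winword|acrord|wordpad|\.pdf|\.docx?", re.I)  # icons that make it look like a document

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields present in the shortcut as a dict."""
    if data[:20] != struct.pack("<I", 0x4C) + LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                          # fixed-size header ends here
    if flags & HAS_TARGET_IDLIST:                       # IDListSize (u16) excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                           # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for flag, key in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
            fields[key] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def lnk_indicators(data: bytes) -> list:
    """Heuristics for the lure: a document-looking shortcut whose target is a script host."""
    f = parse_lnk(data)
    hits = []
    m = SCRIPT_HOST.search(f.get("relative_path", "") + " " + f.get("arguments", ""))
    if m:
        hits.append("script-host launch: " + m.group(0))
        if DOC_ICON.search(f.get("icon_location", "")):
            hits.append("document icon masks a script-host target")
    return hits

def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Constructed sample input only: a minimal Unicode .lnk carrying three StringData fields."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\0")
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (relative_path, arguments, icon_location))
```

Real attachments carry LinkTargetIDList and LinkInfo blocks as well; the parser skips those by their size fields, so it can be pointed at extracted files from a mail gateway or sandbox, and a non-empty indicator list is the signal to quarantine the message for review.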
Conclusion
The FIN6 campaign underscores the growing sophistication of recruitment-based attacks. As threat actors exploit trust in hiring processes, organizations must balance operational efficiency with robust verification protocols. Future adaptations may include deepfake interviews or AI-generated resumes, necessitating proactive defense measures.
References
1. “Fake Job Applications Deliver Dangerous More_eggs Malware,” The Hacker News, Oct. 2024. [Online]. Available: https://thehackernews.com/2024/10/fake-job-applications-deliver-dangerous.html
2. “Attackers Targeting Recruiters with More_eggs Backdoor,” DarkReading, Aug. 2019. [Online]. Available: https://www.darkreading.com/threat-intelligence/attackers-targeting-recruiters-with-moreeggs-backdoor
3. “DPRK Hackers Masquerade as Tech Recruiters, Job Seekers,” DarkReading, Nov. 2023. [Online]. Available: https://www.darkreading.com/threat-intelligence/dprk-hackers-masquerade-as-tech-recruiters-job-seekers
4. EliminaDatos, “Cybersecurity Alert: Malware via Job Scams,” LinkedIn, Aug. 2024. [Online]. Available: https://www.linkedin.com/posts/elimina-datos_cybersecurity-malware-technews-activity-7250041386010312705-IxHL
5. Brady Phenicie, “Lazarus Group Impersonates Capital One Recruiters,” LinkedIn, July 2024. [Online]. Available: https://www.linkedin.com/posts/brady-phenicie-6847356_cybersecurity-hackeralert-technews-activity-7240031455974670340-PVrg
6. “Remote Recruitment Used as Backdoor by Cybercriminals,” My Recruiter Jobs, May 2025. [Online]. Available: https://myrecruiterjobs.com/resources/news/remote-recruitment-used-as-backdoor-by-cybercrimin/425
7. “Hackers Posing as Job Candidates: What Employers Need to Know,” Recruiter.com, 2019. [Online]. Available: https://www.recruiter.com/recruiting/hackers-posing-as-job-candidates-what-employers-need-to-know