Skeleton Spider’s Cloud Tactics Expose Recruiters to Stealth Malware

FIN6 phishing campaign

FIN6 phishing campaign uses fake resumes and AWS infrastructure to deploy malware through trusted platforms like LinkedIn and Indeed.

FIN6, also known as Skeleton Spider, has evolved from targeting point-of-sale systems to deploying advanced phishing campaigns aimed at recruiters. By posing as job applicants on platforms like LinkedIn and Indeed, the group gains trust before sharing links to fake resume sites hosted on AWS infrastructure. These sites use CAPTCHA barriers and traffic filtering to evade detection, delivering ZIP files containing disguised .LNK shortcuts that execute the more_eggs backdoor. This malware-as-a-service tool enables credential theft, system access, and follow-on attacks such as ransomware. Domains like bobbyweisman[.]com and emersonkelly[.]com demonstrate the use of cloud-hosted infrastructure with behavioral checks to ensure only real users receive payloads.

Analysis by Our Experts:


The FIN6 campaign highlights how even modest phishing efforts can achieve sophisticated results when paired with modern infrastructure and well-crafted social engineering. While the abuse of platforms like Indeed and LinkedIn poses challenges, this also underscores where defenders can concentrate efforts: identity validation, behavioral traffic analysis, and improved recruiter training. The use of CAPTCHAs, fingerprinting, and resume-styled lures shows how attackers innovate with simple tools. Encouragingly, every tactic used here leaves a detectable footprint: persistence keys, cloud domains, and PowerShell misuse. With cross-team collaboration between HR and security teams, organizations can turn these tactics into high-confidence detection opportunities.
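The delivery step described above, a ZIP archive carrying a disguised .LNK shortcut, can be screened for at a mail or download gateway. The following is an added example, not code from the original article: it flags shortcut entries by extension and by the Shell Link file header, and the function names, entry names and sample archive are constructed for illustration.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def find_shortcuts(zip_bytes):
    """Return (entry name, reason) for every Windows shortcut found in a ZIP."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a readable ZIP")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Windows ignores trailing dots and spaces in file names.
            by_ext = name.lower().rstrip(". ").endswith(".lnk")
            if info.flag_bits & 0x1:
                # Encrypted entry: content is unreadable, so rely on the name.
                if by_ext:
                    hits.append((name, "lnk extension (encrypted entry)"))
                continue
            with archive.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reason = "shortcut" if by_ext else "shortcut header under another extension"
                hits.append((name, reason))
            elif by_ext:
                hits.append((name, "lnk extension without shortcut header"))
    return hits


def build_sample():
    """Constructed sample archive: a decoy image and two fake shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("portfolio.jpg", b"\xff\xd8\xff\xe0 constructed image bytes")
        z.writestr("Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        z.writestr("cover_letter.pdf", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_shortcuts(build_sample()):
        print(f"{name}: {reason}")
```

Because Windows Explorer hides the .lnk extension even when file extensions are shown, a hit on either check is worth quarantining for review when the archive arrives through a recruiting workflow.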
