FIN6 hackers pose as job seekers to infiltrate recruiters' systems
Farah Amod
Jul 1, 2025 5:13:19 PM

A cybercriminal group is flipping the script on hiring scams, posing as applicants to infect recruiters with malware.
What happened
The FIN6 hacking group, also known as Skeleton Spider, has adopted a new strategy by impersonating job seekers to target HR departments and recruiters. Rather than posing as employers to scam applicants, they approach hiring professionals with convincing resumes and links to fake portfolio sites designed to deliver malware.
Researchers at DomainTools reported that these fake interactions often begin on legitimate job platforms like LinkedIn and Indeed and then move to email, where the "candidate" sends a URL for a personal resume site. The malware delivered at the end of the chain is a JavaScript-based backdoor called ‘More Eggs,’ which can steal credentials, give the operators persistent remote access, and fetch and run further tools.
Going deeper
FIN6 has been active for years and is originally known for stealing payment card data from compromised point-of-sale systems. The group has since shifted to more complex operations, including ransomware deployment. In this campaign the attackers host the resume sites on trusted cloud infrastructure such as AWS, and the emails carry the site URLs as plain, non-clickable text rather than as hyperlinks. Recipients therefore have to type the URL into a browser themselves, which keeps the link out of reach of the URL rewriting and sandboxing that email gateways apply to clickable links.
The domains are themed around the fake candidates' names and are built to show malicious content only to the intended targets. The sites run behavioral checks and environmental fingerprinting: connections from VPNs, Linux or macOS systems, or cloud-hosted IP ranges are refused or served benign content, which keeps researchers and automated scanners away from the payload. A visitor that passes these checks is shown a fake CAPTCHA, which both filters out crawlers and lends the page legitimacy, and is then served a ZIP file containing a Windows shortcut (.lnk) disguised as a document. Opening the shortcut downloads the ‘More Eggs’ backdoor.
Because the email contains neither a clickable link nor an attachment, and the site shows scanners nothing harmful, the lure passes email filters and URL sandboxes; the routine trust that recruiters extend to job applications does the rest, turning a low-tech channel into a path to enterprise systems.
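The delivery step above, a ZIP whose only executable content is a shortcut named to look like a document, can be caught at the mail gateway or on the endpoint before anyone double-clicks it. The following is an added example, not code from the DomainTools report or from any vendor product: it inspects an in-memory ZIP, flags members that are Windows shell links by their fixed header (the MS-SHLLINK HeaderSize and LinkCLSID), and calls out the double-extension trick, which works because Explorer always hides the .lnk extension. The sample archive, the file names in it and the list of document extensions are constructed for the example.

```python
import io
import zipfile

# A Windows shell link (.lnk) starts with HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Extensions a lure is likely to imitate (assumed list; extend as needed).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".jpg", ".png"}


def inspect_member(name: str, head: bytes) -> list[str]:
    """Return the reasons one archive member looks like a disguised shortcut."""
    reasons = []
    lower = name.lower()
    is_lnk_by_content = head.startswith(LNK_HEADER)
    if is_lnk_by_content:
        reasons.append("content is a Windows shell link (LNK header present)")
    if lower.endswith(".lnk"):
        reasons.append("shortcut extension (.lnk is always hidden by Explorer)")
        stem = lower[:-4].rstrip()  # handles padding such as 'Resume.pdf     .lnk'
        if any(stem.endswith(ext) for ext in DOCUMENT_EXTS):
            reasons.append(f"double extension: displayed to the user as '{name[:-4]}'")
    elif is_lnk_by_content:
        reasons.append("LNK content under a non-.lnk name (extension mismatch)")
    return reasons


def scan_zip(blob: bytes) -> dict[str, list[str]]:
    """Scan an in-memory ZIP (e.g. a mail attachment); map member name -> reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_HEADER))  # only the header is needed
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a benign cover letter plus a shortcut named like a PDF."""
    # Header only, no link target: this is not a working shortcut, just its signature.
    fake_lnk = LNK_HEADER + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cover_letter.txt", "Dear hiring manager, ...")
        zf.writestr("Jane_Doe_Resume.pdf.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```

Checking the header rather than only the extension matters because archive members can be renamed freely; the header check costs one 20-byte read per member, so it is cheap enough to run on every inbound archive.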
What was said
DomainTools highlighted the effectiveness of this tactic, which preys on the routine work of recruiters and HR professionals. Its report describes how the campaign is tailored to evade traditional defenses and relies on social trust rather than technical exploits.
In response to the findings, an Amazon Web Services spokesperson stated, “AWS has clear terms that require our customers to use our services in compliance with applicable laws... We act quickly to disable prohibited content and encourage security researchers to report suspected abuse.”
The big picture
The attack reflects the ongoing adaptation of social engineering tactics to target routine professional workflows. Recruiters, who are often left out of cybersecurity training, have become attractive entry points. The use of professional platforms, trust-based messaging, and stealthy malware techniques makes detection more challenging. Organizations may need to revisit both awareness training and technical safeguards, particularly around departments like HR that are not typically seen as frontline security risks.
FAQs
What is 'More Eggs' malware, and why is it dangerous?
More Eggs is a modular backdoor that lets attackers execute commands, steal credentials, download and run additional payloads (including ransomware), and control infected systems remotely. Its stealth and flexibility make it a preferred tool for advanced threat actors.
How does behavioral fingerprinting help hackers avoid detection?
Behavioral and environmental checks (operating system, whether the visitor arrives from a VPN, proxy or cloud IP range, and whether the fake CAPTCHA was solved) ensure that only intended targets, typically Windows users on ordinary networks, see the malicious content. Others, including researchers and automated scanners, are served benign pages or refused, so the site raises no alarms and is harder to analyze.
Why are recruiters being targeted specifically?
Recruiters regularly open emails and files from unknown individuals and are less likely to question unusual file types or links, making them vulnerable entry points into larger organizations.
Can antivirus software catch this kind of attack?
Signature-based antivirus may miss these attacks: the first stage is a shortcut file rather than a recognizable executable, the backdoor is script-based, and the hosting sits on reputable infrastructure. Behavioral detection on the endpoint (for example, flagging a shortcut extracted from a downloaded archive that launches a script host), endpoint protection with application control, and user training are more effective defenses.
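The behavioral angle above can be expressed as a simple correlation over endpoint telemetry. The following is an added example, not code from the DomainTools report or from any EDR product, and the events it processes are constructed, Sysmon-style records invented for the example: it pairs a .lnk file appearing under a download or temp directory with explorer.exe subsequently starting a script host or LOLBin on the same host, which is the process shape a double-clicked shortcut from an extracted ZIP produces. The list of script hosts, the directory hints and the 120-second window are assumptions to tune for your environment.

```python
from pathlib import PureWindowsPath

# Script hosts and living-off-the-land binaries a malicious shortcut commonly targets (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"}
# Substrings marking where mail attachments and browser downloads get extracted or opened.
DOWNLOAD_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\inetcache\\")
WINDOW_SECONDS = 120  # how long after the .lnk appears we still correlate a launch


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _from_download_dir(path: str) -> bool:
    lowered = path.lower()
    return any(hint in lowered for hint in DOWNLOAD_HINTS)


def detect_lnk_launch(events: list[dict]) -> list[dict]:
    """Correlate a .lnk written to a download/temp directory with explorer.exe starting
    a script host on the same host within WINDOW_SECONDS. Returns a list of alerts."""
    alerts = []
    recent_lnks: dict[str, list[tuple[int, str]]] = {}  # host -> [(ts, lnk path)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "file_create":
            if ev["path"].lower().endswith(".lnk") and _from_download_dir(ev["path"]):
                recent_lnks.setdefault(host, []).append((ev["ts"], ev["path"]))
        elif ev["type"] == "process_create":
            if _basename(ev["parent"]) != "explorer.exe":
                continue
            if _basename(ev["image"]) not in SCRIPT_HOSTS:
                continue
            for lnk_ts, lnk_path in recent_lnks.get(host, []):
                if 0 <= ev["ts"] - lnk_ts <= WINDOW_SECONDS:
                    alerts.append({"host": host, "ts": ev["ts"], "lnk": lnk_path,
                                   "image": ev["image"], "cmdline": ev["cmdline"]})
                    break
    return alerts


# Constructed sample telemetry (simplified Sysmon event IDs 11 and 1); not real campaign data.
SAMPLE_EVENTS = [
    # A recruiter opens the ZIP in Explorer; the shortcut is extracted to Temp and launched.
    {"ts": 1000, "host": "HR-PC7", "type": "file_create",
     "path": r"C:\Users\hr\AppData\Local\Temp\Temp1_Jane_Doe_Resume.zip\Jane_Doe_Resume.pdf.lnk"},
    {"ts": 1003, "host": "HR-PC7", "type": "process_create",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\hr\AppData\Local\Temp\loader.js"'},
    # Benign: a Desktop shortcut launching Word (wrong directory, wrong image).
    {"ts": 1100, "host": "HR-PC7", "type": "file_create",
     "path": r"C:\Users\hr\Desktop\Word.lnk"},
    {"ts": 1101, "host": "HR-PC7", "type": "process_create",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE"},
    # Benign: an admin opens a command prompt with no recent shortcut in a download directory.
    {"ts": 2000, "host": "IT-PC1", "type": "process_create",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
]


if __name__ == "__main__":
    for alert in detect_lnk_launch(SAMPLE_EVENTS):
        print(f"[{alert['host']}] shortcut {alert['lnk']} -> {alert['image']} ({alert['cmdline']})")
```

The correlation fires on the shape of the activity rather than on any hash or domain, so it survives the attacker rotating candidate names, hosting and payloads; the price is that explorer.exe launching cmd.exe shortly after a download is not rare on every host, so the alert is best fed into triage with the archive's origin (mail vs. browser) and the command line attached.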
What proactive steps should HR teams take to stay safe?
HR teams should verify candidate identities through a second channel, avoid typing URLs from unsolicited emails into a browser, treat downloaded archives that contain shortcut (.lnk) files as hostile rather than as resumes, open candidate files only in sandboxed or web-based viewers, and report suspicious resumes or websites to IT or security teams immediately.