[Image: LinkedIn and AWS logos with a fake resume and a malware warning on a PC]

FIN6 is using fake resumes hosted on AWS to deliver More_eggs malware, targeting recruiters on LinkedIn.

The financially motivated cybercriminal group FIN6 is using fake resumes, hosted on Amazon Web Services (AWS), to deliver the More_eggs malware. They are targeting recruiters on platforms like LinkedIn and Indeed.

FIN6 initiates contact with recruiters, posing as job seekers, and then sends phishing messages containing links to what appears to be their resume. These links lead to malicious websites hosted on AWS.

The More_eggs malware, a JavaScript-based backdoor, is supplied by the Golden Chickens group. It allows for credential theft, system access, and further attacks like ransomware deployment. FIN6 has been using More_eggs since at least 2018 to steal payment card data from e-commerce sites by injecting malicious JavaScript code.

The fake resume websites are designed to evade detection. They use GoDaddy's domain privacy service to hide registration details, and they filter incoming traffic so that the malicious payload is served only to likely victims. If the site detects a VPN, cloud infrastructure (such as AWS), or a security scanner, it delivers a harmless, plain-text version of the resume instead. The malicious resume is delivered as a ZIP archive which, when opened, infects the system with More_eggs.
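The vantage-point filtering described above means a single fetch from a sandbox or cloud egress IP will often show only the harmless text version. One defensive check is to compare what the same link returns from several vantage points and flag the URL when the content kind diverges (for example, a ZIP download for one client and plain text for the others). The script below is an added example written for this article, not code from DomainTools or from the campaign; the vantage labels, headers and response bodies are constructed stand-ins for what an analyst would record, and nothing in it touches the network.

```python
"""Flag a link that serves different kinds of content depending on who fetches it.

Added example (not from the article). The observations are constructed: in practice
an analyst would record them by fetching the same URL from several vantage points.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    vantage: str              # constructed label for where the fetch originated
    status: int
    content_type: str
    content_disposition: str
    body: bytes


ZIP_MAGIC = b"PK\x03\x04"     # local-file header that starts a ZIP archive


def body_kind(obs: Observation) -> str:
    """Classify a response by what it actually carries, not by what the link looked like."""
    if obs.body.startswith(ZIP_MAGIC) or "zip" in obs.content_type.lower():
        return "zip-archive"
    if obs.content_type.lower().startswith("text/"):
        return "text"
    return "other"


def detect_cloaking(observations: list[Observation]) -> dict:
    """Compare responses for one URL across vantage points.

    Returns which kind of content each vantage point received, a short digest of
    each body (so identical decoy pages are visible as identical), and the list of
    vantage points that were handed an archive.
    """
    kinds = {o.vantage: body_kind(o) for o in observations}
    digests = {o.vantage: hashlib.sha256(o.body).hexdigest()[:16] for o in observations}
    cloaked = len(set(kinds.values())) > 1
    archive_served_to = sorted(v for v, k in kinds.items() if k == "zip-archive")
    return {
        "cloaked": cloaked,
        "kinds": kinds,
        "digests": digests,
        "archive_served_to": archive_served_to,
    }


def triage(observations: list[Observation]) -> str:
    """Turn the comparison into a one-line verdict for an analyst queue."""
    result = detect_cloaking(observations)
    if not result["cloaked"]:
        return "consistent: same kind of content from every vantage point"
    if result["archive_served_to"]:
        return ("cloaked: archive served only to "
                + ", ".join(result["archive_served_to"])
                + "; benign text shown elsewhere")
    return "cloaked: content kind varies by vantage point"


# Constructed sample: a residential browser gets a ZIP "resume", while a fetch from
# cloud egress and a fetch with a known scanner User-Agent both get the same decoy text.
DECOY_TEXT = b"Jane Placeholder - experienced analyst - references on request"
SAMPLE = [
    Observation("residential-browser", 200, "application/zip",
                'attachment; filename="resume.zip"',
                ZIP_MAGIC + b"\x14\x00\x00\x00" + b"<constructed bytes, not a real archive>"),
    Observation("aws-egress", 200, "text/plain", "", DECOY_TEXT),
    Observation("known-scanner-ua", 200, "text/plain", "", DECOY_TEXT),
]

if __name__ == "__main__":
    report = detect_cloaking(SAMPLE)
    for vantage, kind in report["kinds"].items():
        print(f"{vantage:20s} {kind:12s} sha256[:16]={report['digests'][vantage]}")
    print(triage(SAMPLE))
```

The point of keeping the body digests is that the decoy is usually byte-identical across every "unwanted" client, while the archive only appears for the client the operator wants to infect; a URL that behaves this way belongs in the block list regardless of whether the archive itself has been analysed yet.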

DomainTools researchers emphasize that this campaign highlights the effectiveness of combining simple phishing techniques with cloud infrastructure and advanced evasion tactics. By using realistic job lures and CAPTCHA walls, FIN6 successfully bypasses many security detection tools.