
Hackers Are Coming for HR: How Venom Spider Weaponized the Hiring Process

In the ever-escalating arms race between cybercriminals and defenders, one department is emerging as an unlikely frontline: Human Resources. A new campaign uncovered by Arctic Wolf Labs reveals that Venom Spider, a financially motivated cybercrime group, is turning hiring managers into prime targets—with a malicious twist on the humble job application.


The group’s latest tactic exploits the one thing every company needs: new employees. Using spear-phishing emails disguised as job applications, Venom Spider delivers a weaponized backdoor called More_eggs to unsuspecting recruiters and HR staff. Once installed, the malware opens a Pandora’s box of possibilities for attackers, enabling credential theft, intellectual property espionage, and even payment data harvesting.


“HR, in general, has become a hotbed for scammers and malicious ne’er-do-wells,” said Roger Grimes, data-driven defense evangelist at KnowBe4. “We’ve got fake employees, fake employers, outgunned recruiters, and paid advertising by malicious hackers entering the hiring ecosystem in a way that has never been before. It’s nation-state level stuff, highly resourced, and coming for your company for sure!”


A Trojan Resume


According to Arctic Wolf, the campaign begins with an email sent directly to a recruiter, containing a link to download an applicant’s resume. But instead of a CV, the link directs to a website under Venom Spider’s control—complete with a CAPTCHA to bypass automated scanners. Once solved, the recruiter downloads a zip file containing a malicious Windows shortcut (.lnk) and a decoy image.


Clicking the shortcut triggers a stealthy chain reaction: an obfuscated script launches a benign-looking WordPad window to distract the user, while quietly executing hidden commands using a legitimate Windows utility. This “living-off-the-land” approach leverages trusted system tools to avoid detection by endpoint security software.


But the real payload is still waiting in the wings. The initial script reaches out to a remote server to download More_eggs_Dropper, a polymorphic loader designed to morph with each victim. Every time it runs, it generates a unique JavaScript payload embedded with encrypted data, making automated analysis a nightmare for defenders.


Malware With Staying Power


This latest variant of More_eggs shows significant upgrades from past campaigns. Arctic Wolf’s analysis uncovered a new decryption technique requiring device-specific keys, combining hardcoded strings with unique hardware identifiers like the processor ID. This ensures that the malware payload can only be decrypted on the intended victim’s machine, frustrating sandbox and virtual analysis tools.


Once activated, More_eggs quietly reports back to a command-and-control server, gathering details such as the victim’s OS version, local IP address, antivirus presence, and system architecture. Every three minutes, it checks in for instructions, awaiting commands to download additional malware, execute remote code, or wipe its tracks entirely.
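The fixed three-minute check-in described above is something a defender can hunt for in egress logs. The following is an added example (not from Arctic Wolf’s report or the article): it groups outbound requests by source/destination pair and flags pairs whose inter-request gaps cluster tightly around a 180-second period. The log format and the addresses are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "timestamp src dst". Host 10.0.5.23 contacts
# one external address every three minutes; its other traffic is irregular.
SAMPLE_LOG = """\
2025-05-01T09:00:00 10.0.5.23 203.0.113.10
2025-05-01T09:00:41 10.0.5.23 198.51.100.7
2025-05-01T09:03:00 10.0.5.23 203.0.113.10
2025-05-01T09:04:12 10.0.5.23 198.51.100.7
2025-05-01T09:06:01 10.0.5.23 203.0.113.10
2025-05-01T09:08:59 10.0.5.23 203.0.113.10
2025-05-01T09:12:00 10.0.5.23 203.0.113.10
2025-05-01T09:13:37 10.0.5.23 198.51.100.7
"""


def parse_log(text: str) -> dict:
    """Group request timestamps by (source, destination) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(series: dict, period: float = 180.0,
                 tolerance: float = 0.1, min_hits: int = 4) -> list:
    """Return (src, dst, mean_gap) for pairs whose check-ins recur roughly
    every `period` seconds (within `tolerance`) at least `min_hits` times."""
    hits = []
    for (src, dst), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A mean near the period plus low jitter across gaps is the tell.
        if (abs(avg - period) <= period * tolerance
                and pstdev(gaps) <= period * tolerance):
            hits.append((src, dst, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon:", hit)
```

Real implants add jitter, so in practice widen `tolerance` and pair this with a volume or rarity filter on the destination.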


The infrastructure supporting this campaign reflects an evolution in attacker sophistication. Venom Spider has embraced cloud hosting, anonymous domain registration, and subdomain chaining to obscure its operations from cybersecurity researchers and scanning tools like Shodan.


Why HR Is Now a Prime Target


Venom Spider’s shift to targeting recruiters is no coincidence. HR teams are uniquely vulnerable because reviewing attachments from unknown senders is literally their job. Unlike finance or IT staff, HR personnel are expected to open resumes, cover letters, and portfolios daily—making them a natural weak link in the corporate security chain.


Grimes warns this vulnerability requires a rethink of security priorities. “When doing cybersecurity risk management, I’d put anyone in the HR hiring path… on the list of your highest risk employees, alongside the previously identified high-risk positions in IT, C-level employees, and accounts payable,” he said.


Arctic Wolf recommends that organizations bolster security awareness training for HR teams, focusing specifically on phishing tactics involving job applications. Implementing Secure Email Gateways, deploying Endpoint Detection and Response solutions, and educating employees to scrutinize suspicious file types—such as .lnk, .iso, and .vbs files—are critical steps to closing this gap.
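One concrete form of the file-type scrutiny recommended above is to inspect inbound “resume” archives without extracting them, as an added example that is not part of the article or any vendor product. It lists the archive’s entries, flags the extensions the article names (.lnk, .iso, .vbs, plus .js given the JavaScript loader described), and recognises the shortcut-beside-a-decoy-image layout from the campaign; the archive contents are constructed placeholders.

```python
import io
import posixpath
import zipfile

# Extensions the article calls out (.lnk, .iso, .vbs), plus .js because the
# loader described drops JavaScript payloads.
RISKY_EXTENSIONS = {".lnk", ".iso", ".vbs", ".js"}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def _ext(name: str) -> str:
    return posixpath.splitext(name)[1].lower()


def triage_resume_archive(archive: bytes) -> dict:
    """Inspect a zip attachment in memory and return findings without
    extracting anything to disk."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    risky = sorted(n for n in names if _ext(n) in RISKY_EXTENSIONS)
    images = [n for n in names if _ext(n) in IMAGE_EXTENSIONS]
    documents = [n for n in names if _ext(n) in DOCUMENT_EXTENSIONS]
    # Campaign layout: a shortcut plus a decoy image and no real document.
    decoy_pattern = (any(_ext(n) == ".lnk" for n in names)
                     and bool(images) and not documents)
    verdict = "block" if risky else "allow"
    return {"entries": names, "risky": risky,
            "decoy_pattern": decoy_pattern, "verdict": verdict}


def build_sample_archive(entries: dict) -> bytes:
    """Construct an in-memory zip for testing (placeholder bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a lookalike "resume" archive and a benign one.
SUSPICIOUS_ZIP = build_sample_archive({
    "Resume_J_Doe.pdf.lnk": b"placeholder shortcut bytes",
    "photo.jpg": b"placeholder image bytes",
})
BENIGN_ZIP = build_sample_archive({"Resume_J_Doe.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    print(triage_resume_archive(SUSPICIOUS_ZIP))
    print(triage_resume_archive(BENIGN_ZIP))
```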


A Glimpse Into the Future


The More_eggs campaign underscores a growing trend in cybercrime: attackers are no longer just exploiting technology—they’re exploiting trust. By hijacking the very processes companies rely on to grow and operate, threat actors like Venom Spider are weaponizing business workflows in ways that evade traditional defenses.


And as Grimes bluntly puts it, “This is far from a new tactic, but is definitely getting more use by malicious hackers… They have become a target of choice.”


For companies looking to fill roles amid a tight labor market, the warning is clear: every resume could be a potential Trojan horse. The hiring process itself has become a battleground—and HR, whether they like it or not, is on the front line.
