
Skeleton Spider’s Social Engineering Blitz: FIN6 Hackers Target Job Recruiters with Cloud-Housed Malware

Update June 11: An AWS spokesperson provided a statement on this report: "AWS has clear terms that require our customers to use our services in compliance with applicable laws. When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content. We value collaboration with the security research community and encourage researchers to report suspected abuse to AWS Trust & Safety through our dedicated abuse reporting process."


A long-standing cybercrime group with a knack for adaptation is back in the headlines—this time with a campaign that weaponizes job hunting. Skeleton Spider, more commonly known as FIN6, has evolved from targeting point-of-sale systems to deploying stealthy malware via personalized social engineering that preys on recruiters’ trust.


Once notorious for massive payment card breaches, FIN6 has since expanded its attack repertoire to include ransomware, malware-as-a-service, and now, deeply personalized phishing campaigns that blur the line between cybercrime and social manipulation.


The New Job Scam: Less Spray-and-Pray, More Handshake-and-Hack


Instead of blasting out generic phishing emails, FIN6 begins by engaging recruiters on platforms like LinkedIn and Indeed. Posing as eager job applicants, the attackers initiate contact, build rapport over days or even weeks, and then pivot to send a polished resume—one that comes with a hidden payload.


“This is an interesting twist to the common recruiting scam,” said Erich Kron, Security Awareness Advocate at KnowBe4. “It’s especially dangerous because the attackers take time to build a rapport before springing the trap.”


What follows is not your typical malicious link. Instead, the attacker sends a message with a non-clickable domain like bobbyweisman[.]com, forcing the recipient to manually type it in—slipping past link scanners and email filters in the process.


Once there, the recruiter lands on a sleek resume site hosted on cloud infrastructure like AWS, complete with CAPTCHA verification and traffic filtering that weeds out anything resembling a security tool or VPN. If the recruiter clears these digital checkpoints, they’re offered a ZIP file download—purportedly a resume, but in fact the delivery mechanism for More_eggs, a modular JavaScript backdoor sold as malware-as-a-service.


A Familiar Backdoor, Delivered with Surgical Precision


The More_eggs malware, linked to another threat group known as “Venom Spider,” installs via a disguised .LNK shortcut in the ZIP file. When launched, it leverages native Windows tools—like wscript.exe—to execute JavaScript and begin the infection chain. The backdoor can steal credentials, execute commands, and act as a launchpad for ransomware or further compromise.


This is a textbook case of Living Off the Land Binaries (LOLBins)—a method that uses legitimate Windows utilities to avoid raising alarms.
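The LOLBin chain described above (a shortcut in a ZIP launching wscript.exe to run JavaScript) leaves a recognisable trace in process-creation telemetry. The following is an added example, not code from the original article or from any of the vendors quoted: a small heuristic detector run over constructed process-creation events. The field names (image, command line, parent image), the choice of explorer.exe as the parent that indicates an interactive double-click, and the user-writable path list are assumptions of this example, not details from the page.

```python
import re
from dataclasses import dataclass

# Windows script hosts: wscript.exe is named on the page; cscript.exe is its console twin.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script extensions these hosts execute (word boundary keeps ".json" from matching ".js").
SCRIPT_EXTENSION = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b")
# Locations a user can write without admin rights; a ZIP opened from a mail client
# or browser is typically extracted under Temp, Downloads or AppData (assumed heuristic).
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(downloads|appdata)|temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record, field names assumed for this example."""
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def reasons_for(event: ProcessEvent) -> list[str]:
    """Return the indicators that make a script-host launch look like .LNK-delivered abuse."""
    exe = event.image.rsplit("\\", 1)[-1].lower()
    if exe not in SCRIPT_HOSTS:
        return []
    reasons = []
    cmd = event.command_line.lower()
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    if parent == "explorer.exe":
        # A double-clicked shortcut is spawned by the shell, not by a service or scheduler.
        reasons.append("launched interactively from explorer.exe")
    if USER_WRITABLE.search(cmd):
        reasons.append("script argument in user-writable path")
    if SCRIPT_EXTENSION.search(cmd):
        reasons.append("script extension in command line")
    return reasons


def find_suspicious(events, min_reasons: int = 2):
    """Return (event, reasons) pairs that meet the alert threshold."""
    hits = []
    for event in events:
        reasons = reasons_for(event)
        if len(reasons) >= min_reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample telemetry: one lure-style launch, one benign admin script, one non-host.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\System32\wscript.exe",
        command_line=r'"C:\Windows\System32\wscript.exe" "C:\Users\recruiter\AppData\Local\Temp\Temp1_Resume.zip\Resume.js"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\cscript.exe",
        command_line=r'"C:\Windows\System32\cscript.exe" //nologo C:\ProgramData\Inventory\collect.vbs',
        parent_image=r"C:\Windows\System32\svchost.exe",
    ),
    ProcessEvent(
        image=r"C:\Program Files\Editor\editor.exe",
        command_line=r'"C:\Program Files\Editor\editor.exe" C:\Users\recruiter\Downloads\notes.js',
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for event, reasons in find_suspicious(SAMPLE_EVENTS):
        print(event.command_line)
        for reason in reasons:
            print("  -", reason)
```

Only the first sample event crosses the two-indicator threshold; the scheduled inventory script matches on extension alone and stays quiet, which is the point of scoring several weak signals together rather than alerting on every wscript.exe launch.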


“FIN6... have compromised point-of-sale systems, expanded into ransomware, and now use social engineering to deliver JavaScript backdoors,” said Andrew Costis, Engineering Manager at AttackIQ. “This vast pool of experience makes them especially threatening to unprotected data.”


Obfuscation at Every Layer


Beyond the malicious payload, the infrastructure itself is deceptively clean. Domains like kimberlykamara[.]com and annalanyi[.]com appear benign—mimicking the format of personal portfolio sites and registered through GoDaddy with domain privacy shielding ownership details.


All confirmed domains—hosted on AWS—use layers of fingerprinting to control access. If you’re on a corporate network, in a sandboxed browser, or connected via VPN, you’ll only see a harmless version of the page. Only visitors matching a recruiter’s digital fingerprint (Windows OS, residential IPs, common browsers) will reach the malware.


The Economics of Deception


What makes this campaign particularly effective is its low overhead. AWS’s free tier and domain privacy services allow FIN6 to spin up temporary infrastructure quickly, while recycled domain names and traffic filtering stretch the lifespan of each site. The operation runs on a lean, cost-effective model—one that delivers high returns in stolen credentials and lateral access inside enterprise networks.


Defensive Playbook: What Needs to Change


This isn’t a problem IT alone can solve. HR departments and recruiters—often at the periphery of cybersecurity awareness—are now frontline targets.


For recruiters and general staff:


  • Don’t type in URLs from unknown senders, even if they look professional.


  • Be cautious with CAPTCHA-protected resume sites.


  • Treat any ZIP file from a non-internal source as suspicious—especially if it contains .LNK shortcuts.


For security teams:


  • Monitor DNS and traffic for newly registered domains or those with recent ownership changes.


  • Block execution of .LNK files inside compressed attachments from unverified sources.


  • Detect use of LOLBins like wscript.exe and monitor registry keys for persistence tactics.


  • Implement endpoint detection policies that flag script engine abuse and scheduled-task irregularities.
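The "block .LNK files inside compressed attachments" item above is straightforward to enforce at a mail gateway or download scanner if the check looks at content as well as file names. The following is an added example, not code from the original article: a Python routine that inspects a ZIP (including one level of nested ZIPs) and reports members that are Windows shortcuts, either by the .lnk extension or by the fixed Shell Link header, so a shortcut renamed to look like a document is still caught. The sample archive is constructed inline and the function names are this example's own.

```python
import io
import zipfile

# Fixed header of a Windows Shell Link (.LNK) file: HeaderSize 0x0000004C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")
MAX_NESTING = 2  # how many levels of ZIP-inside-ZIP to descend


def find_shortcuts(zip_bytes: bytes, prefix: str = "", depth: int = 0) -> list[str]:
    """Return member names (with nested-archive prefixes) that are .LNK shortcuts."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            lower = info.filename.lower()
            # Read only the header bytes; enough to identify a shortcut without
            # decompressing a large member in full.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if lower.endswith(".lnk") or head == LNK_MAGIC:
                flagged.append(name)
            elif lower.endswith(".zip") and depth < MAX_NESTING:
                flagged.extend(find_shortcuts(zf.read(info), name + "/", depth + 1))
    return flagged


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy hook: any shortcut inside an external ZIP attachment is grounds to hold it."""
    return bool(find_shortcuts(zip_bytes))


def build_sample_zip(with_shortcuts: bool = True) -> bytes:
    """Construct an in-memory archive shaped like the lure described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Resume.pdf", b"%PDF-1.4\n% constructed placeholder, not a real document\n")
        if with_shortcuts:
            # Shortcut carrying a document-like double extension.
            zf.writestr("Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
            # Shortcut renamed to hide its extension; only the header gives it away.
            zf.writestr("cover_letter.txt", LNK_MAGIC + b"\x00" * 60)
            # Nested archive hiding a further shortcut.
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as izf:
                izf.writestr("references.lnk", LNK_MAGIC + b"\x00" * 60)
            zf.writestr("extras.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for member in find_shortcuts(build_sample_zip()):
        print("shortcut found:", member)
    print("quarantine:", should_quarantine(build_sample_zip()))
```

Matching on the header rather than the extension alone matters because Explorer hides the .lnk suffix by default, so a user sees "Resume.pdf" while the gateway, if it only trusts names, sees nothing wrong either.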


Why This Matters


FIN6’s evolution into social-first, cloud-enabled malware operations highlights a bigger trend: sophisticated attackers don’t need high-complexity exploits when low-complexity, high-trust lures work just as well. Their tactics are subtle, scalable, and specifically engineered to outsmart both technology and human instincts.


As digital interactions become increasingly intimate and professional, cybersecurity has to follow suit. It's not just about blocking payloads anymore—it's about questioning context.


Recruiters are now threat targets. Domains can wear human names like masks. And a CAPTCHA might not be proving you’re human—it might be confirming you’re a victim.


Stay skeptical. Stay trained. And yes—double-check that resume.
