Russian-Speaking Hackers FIN6 Flip Job Fraud Script

Financially-motivated hackers tracked as FIN6 have flipped the script on job fraud, impersonating job seekers to phish recruiters and deploy stealthy malware through fake resumes hosted on trusted cloud platforms.
Researchers from DomainTools found the Russian-speaking group, also known as Skeleton Spider, engages recruiters on LinkedIn and Indeed with realistic resumes and professional interactions. The goal is to deliver malware payloads using cloud-hosted infrastructure that evades traditional detection tools.
Hackers have for years posed as recruiters to entice job seekers into downloading malware, often under the guise of a skills test. North Korean hackers in particular have used the method, but they've been joined by others inspired by their example (see: Iranian Threat Actors Mimic North Korean Job Scam Techniques).
Once infamous for retail point-of-sale breaches, FIN6 has evolved its playbook several times since becoming active in 2014. It has now delivered perhaps the ultimate twist on job scams, building rapport with recruiters rather than pursuing individual job hunters. The scam goes into high gear with phishing messages that reference resume URLs as plain, non-clickable text. That forces recruiters to type the URLs into a browser themselves, sidestepping email security tools that inspect and rewrite embedded links.
The web domains, registered anonymously and styled to resemble legitimate applicant names, host landing pages disguised as portfolio sites. The pages are built on Amazon Web Services infrastructure and feature traffic filtering techniques that determine whether to deliver malware or harmless decoys.
Only visitors that appear to be human receive a ZIP file: connections that originate from residential IP addresses, use typical Windows-based browsers and pass CAPTCHA tests. Everyone else, including scanners and sandboxes, gets a harmless decoy. The archive contains a malicious .lnk shortcut disguised as a resume. Once clicked, it triggers the download of the more_eggs backdoor, JavaScript-based malware linked to another cybercrime group, Venom Spider.
The more_eggs malware executes entirely in memory, enabling credential theft, remote command execution and potential ransomware delivery. It uses native Windows utilities such as wscript.exe, regsvr32.exe and msxsl.exe to avoid triggering security alerts, a technique known as living off the land, or using LOLBins.
FIN6 also establishes persistence via Windows registry keys and scheduled tasks.
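The LOLBin chain and persistence steps described above are exactly what endpoint telemetry can catch, even though the payload itself never touches disk as a recognisable executable. The following is an added example, not code from DomainTools or from the article, showing a scoring rule run over process-creation events. The pipe-delimited log format, the sample lines, the user-writable path list and the scoring threshold are all constructed assumptions for illustration; the three LOLBin names come from the article. Real Sysmon Event ID 1 or Windows 4688 records would need to be mapped onto the same fields first.

```python
"""Score process-creation events for the LOLBin chain described in the article.

Added example; not DomainTools' or FIN6's code. The log format and the
sample lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Utilities the article names as abused LOLBins.
LOLBINS = {"wscript.exe", "regsvr32.exe", "msxsl.exe"}

# User-writable folders a downloaded resume archive usually lands in (assumption).
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)
# Script and stylesheet inputs these binaries accept (assumption for the heuristic).
SCRIPT_INPUT = re.compile(r"\.(js|jse|vbs|xsl|sct|lnk)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str


def parse_line(line):
    """Constructed format: timestamp | parent image | image | command line."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcEvent(ts.strip(), parent.strip(), image.strip(), cmdline.strip())


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score(ev):
    """Return (score, reasons): one point per suspicious trait observed."""
    reasons = []
    img = basename(ev.image)
    parent = basename(ev.parent)
    if img in LOLBINS:
        reasons.append(f"lolbin:{img}")
        if parent == "explorer.exe":  # a double-clicked .lnk is launched by explorer
            reasons.append("spawned-from-explorer")
        if img == "regsvr32.exe" and re.search(r"(?i)/i:\S*https?://", ev.cmdline):
            reasons.append("regsvr32-remote-scriptlet")
    # Persistence mechanisms the article names: scheduled tasks and registry keys.
    if img == "schtasks.exe" and "/create" in ev.cmdline.lower():
        reasons.append("schtasks-create")
    if img == "reg.exe" and re.search(r"(?i)\\CurrentVersion\\Run", ev.cmdline):
        reasons.append("run-key-write")
    if reasons:  # only enrich events that already look suspicious
        if USER_WRITABLE.search(ev.cmdline):
            reasons.append("user-writable-path")
        if SCRIPT_INPUT.search(ev.cmdline):
            reasons.append("script-input")
    return len(reasons), reasons


def triage(lines, threshold=3):
    """Parse log lines and return events scoring at or above the threshold."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        s, reasons = score(ev)
        if s >= threshold:
            hits.append({"ts": ev.ts, "image": basename(ev.image),
                         "score": s, "reasons": reasons})
    return hits


# Constructed sample telemetry: four stages of the chain, then two benign events.
SAMPLE_LOG = """\
2025-06-10T09:14:02Z | C:\\Windows\\explorer.exe | C:\\Windows\\System32\\wscript.exe | wscript.exe //e:jscript C:\\Users\\hr\\Downloads\\resume\\Resume.js
2025-06-10T09:14:05Z | C:\\Windows\\System32\\wscript.exe | C:\\Windows\\System32\\regsvr32.exe | regsvr32.exe /s /u /i:C:\\Users\\hr\\AppData\\Local\\Temp\\a.sct scrobj.dll
2025-06-10T09:14:09Z | C:\\Windows\\System32\\wscript.exe | C:\\Windows\\System32\\schtasks.exe | schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\hr\\AppData\\Roaming\\u.js
2025-06-10T09:14:11Z | C:\\Windows\\System32\\wscript.exe | C:\\Windows\\System32\\reg.exe | reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d "wscript.exe C:\\Users\\hr\\AppData\\Roaming\\u.js"
2025-06-10T09:20:00Z | C:\\Windows\\explorer.exe | C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE | WINWORD.EXE C:\\Users\\hr\\Downloads\\Resume.docx
2025-06-10T09:25:13Z | C:\\Windows\\System32\\services.exe | C:\\Windows\\System32\\wscript.exe | wscript.exe C:\\Windows\\System32\\logon.vbs
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["image"], hit["score"], ", ".join(hit["reasons"]))
```

The threshold matters: a wscript.exe launched by services.exe for a logon script in System32 scores two points (a LOLBin plus a script argument) and is not reported, while the explorer-spawned wscript.exe reading a script out of Downloads scores four. Tune the path list and threshold to the environment before alerting on it.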
Confirmed domains involved in the campaign include davidlesnick.com, kimberlykamara.com, alanpower.net and others, all hosted on AWS.