
Job recruiter hunting: the More_eggs trap

  • Javier Conejo del Cerro
  • 13 Jun
  • 2 min read

A new phishing campaign targeting human resources and talent acquisition departments is delivering a malicious JavaScript backdoor hidden inside fake résumés. The operation, attributed to FIN6, uses personal portfolio-style links hosted on AWS to deliver the More_eggs malware. What begins as an innocent hiring conversation on LinkedIn or Indeed can quickly escalate into credential theft, system compromise, and ransomware.


The Human Targets Behind the Hiring


The victims in this campaign are HR professionals, recruiters, and talent managers—especially those working within large or high-profile companies. In the course of reviewing applicants, these individuals often receive and open links to personal websites and portfolios. The attackers exploit this openness and trust by posing as highly qualified candidates with well-presented backgrounds and custom résumé links.

By initiating genuine conversations on platforms like LinkedIn or Indeed, FIN6 builds credibility before sharing a link that appears to host a résumé. Unaware of the threat, the recruiter clicks the link, believing it to be a standard part of the hiring process. The threat actor has weaponized this routine behavior, transforming it into a high-risk interaction.


From Résumé Link to Ransomware Door


The attack begins when the recruiter clicks a phishing link masquerading as a candidate’s portfolio. These links lead to fake résumé websites hosted on Amazon Web Services (AWS), using services such as EC2 and S3. CAPTCHA filters and traffic verification logic are deployed to evade detection—if the visitor is identified as coming from a corporate scanner, VPN, or cloud service, the page serves a harmless version of the document. But if accessed from a residential IP address and a common Windows-based browser, a ZIP file is delivered.

Inside that archive is the More_eggs malware—a JavaScript-based backdoor originally developed by the Golden Chickens group. Once opened, More_eggs grants attackers access to the victim’s credentials, browser-stored passwords, and system information. This initial compromise enables a range of follow-on attacks, including lateral movement, data exfiltration, and the deployment of ransomware payloads.

FIN6, also known as Skeleton Spider or TA4557, has a long history of monetizing such access, previously through POS breaches, Magecart skimming, and carding markets. The use of More_eggs represents a continued evolution in their tactics, leveraging social engineering and cloud infrastructure to bypass traditional defenses.


Staying Ahead of the Threat


Organizations must adopt hiring workflows that include strong security oversight. To counter threats like this, several proactive measures are essential:


  • Train HR and recruiting teams to recognize suspicious résumé links, especially those that lead to personal domains or request ZIP downloads.

  • Block or flag personal portfolio domains shared in job applications, particularly if hosted on cloud infrastructure such as AWS EC2 or S3.

  • Inspect all ZIP files received during the recruitment process using sandboxing and deep scanning tools to detect embedded malware.

  • Implement behavioral monitoring within recruiting systems to detect anomalies, such as access to sensitive resources following résumé downloads or unexpected command execution.

  • Update phishing detection rules to account for CAPTCHA-gated payloads and cloud-hosted links that evade conventional security scanners.
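As an added example (not code from the original post or from any vendor), the following Python triage function combines three of the measures above into one check over what a recruiter actually downloaded: whether the résumé link is hosted on AWS EC2/S3, whether the click came from a LinkedIn or Indeed conversation, and whether the delivered ZIP carries Windows script files of the kind More_eggs uses. The hostname patterns, the script extension list and the sample ZIP are assumptions constructed for the example.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# AWS EC2 public DNS names and S3 endpoints both end in amazonaws.com.
AWS_HOST_RE = re.compile(r"(^|\.)amazonaws\.com$", re.I)
# Hiring platforms named in the campaign, matched against the referrer.
JOB_SITE_RE = re.compile(r"(^|\.)(linkedin|indeed)\.com$", re.I)
# Assumed extensions to flag inside a "resume" ZIP: More_eggs is JScript-based,
# and .jse/.wsf are other Windows Script Host formats that run JScript.
SCRIPT_EXTS = (".js", ".jse", ".wsf")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def script_members(blob):
    """Script file names inside a ZIP; [] if blob is not a readable ZIP."""
    if not blob.startswith(b"PK"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []

def triage_download(url, referrer, blob):
    """Triage one recruiter download; returns a verdict and the reasons."""
    reasons = []
    if AWS_HOST_RE.search(host_of(url)):
        reasons.append("link hosted on AWS (EC2/S3)")
    if JOB_SITE_RE.search(host_of(referrer)):
        reasons.append("reached via LinkedIn/Indeed")
    if blob.startswith(b"PK"):
        reasons.append("download is a ZIP archive")
    scripts = script_members(blob)
    if scripts:
        reasons.append("ZIP contains script files: " + ", ".join(scripts))
    # Script-in-ZIP is blocked outright; two or more other hits go to review.
    verdict = "block" if scripts else ("review" if len(reasons) >= 2 else "allow")
    return {"verdict": verdict, "reasons": reasons}

def build_sample_zip():
    """Constructed sample: a 'resume' ZIP with a .js file beside a decoy PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Jane_Doe_Resume.js", "// constructed placeholder, not malware")
        zf.writestr("Jane_Doe_Resume.pdf", "%PDF-1.4 constructed decoy")
    return buf.getvalue()
```

Because the CAPTCHA-gated page serves a harmless copy to scanners, VPNs and cloud ranges, this check has to run on the bytes the recruiter's own browser received (at the proxy or on the endpoint), not on a re-fetch of the link from a security appliance.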


FIN6 is not simply exploiting a technical vulnerability, but a human one—relying on the trust, routine, and urgency that characterize modern hiring. As cybercriminal groups continue to weaponize professional platforms, security must become as embedded in recruitment as it is in IT infrastructure.


