Fake Resumes on LinkedIn Deliver More_eggs Malware

Posing as Job Seekers on Professional Platforms

A criminal gang that security researchers track as FIN6 has begun taking advantage of the job-hunting world in a new way. According to a fresh investigation from DomainTools, the group is approaching recruiters on popular employment sites such as LinkedIn and Indeed, pretending to be ordinary applicants looking for work. Once a conversation gets going, the attackers send the recruiter a link that supposedly hosts the applicant's résumé. The link looks harmless enough, even carrying a convincing personal-portfolio address such as bobbyweisman[.]com or ryanberardi[.]com, but behind the scenes it leads to malware.

Renting the Cloud to Hide in Plain Sight

The trick works because the malicious sites sit on infrastructure that businesses already trust. FIN6 registers the domains with GoDaddy, then hosts them on Amazon Web Services, often through EC2 instances or S3 buckets. Both services are household names, so reputation-based web filters rarely block them outright. FIN6 also pays extra for GoDaddy's privacy add-on, which replaces the real owner's name and contact data with a proxy. That small fee makes it far harder for investigators or hosting providers to attribute the domains, correlate them with one another, or shut the operation down quickly.

The attackers build in another layer of defense by filtering who can reach the dangerous download. A visitor must solve a CAPTCHA before the site serves anything more than a blank résumé in plain text. Even then, the server quietly checks the visitor's source address and browser. If the request comes from a residential IP address and a normal Windows browser, the ZIP archive is offered. If the request arrives from a corporate network, cloud host, or known VPN, or from a non-Windows or automated client, the visitor sees only the benign document. This selective approach dodges automated scanners and keeps the malicious file out of the sandboxes that feed threat-intelligence lists; an analyst who fetches the link from a corporate or cloud address sees only the decoy and may wrongly clear it.
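The gating logic above, modelled in Python as an added example (this is not FIN6's code or anything published by DomainTools). The CIDR blocks, user-agent patterns and sample addresses are constructed placeholders; real cloud and VPN ranges are published by the providers and change often. The point is to see which artifact each kind of client receives, and why a detonation sandbox never sees the ZIP.

```python
"""
Model of the visitor gating described in the article: blank text before the
CAPTCHA, a benign decoy for non-residential or non-Windows clients, and the
ZIP only for what looks like a real victim. Added example with constructed data.
"""
import ipaddress
import re

# Constructed placeholder ranges standing in for cloud, VPN and corporate egress.
NON_RESIDENTIAL_RANGES = {
    "cloud": [ipaddress.ip_network("3.0.0.0/8"),
              ipaddress.ip_network("34.64.0.0/10")],
    "vpn":   [ipaddress.ip_network("185.220.100.0/22")],
    "corp":  [ipaddress.ip_network("198.51.100.0/24")],   # TEST-NET-2 as a stand-in
}

WINDOWS_UA = re.compile(r"Windows NT \d+\.\d+")
# Clients that announce themselves as tooling rather than a person's browser.
AUTOMATION_UA = re.compile(r"(curl|python-requests|wget|headless|bot|spider)", re.I)


def visitor_class(src_ip: str) -> str:
    """Classify the source address: 'cloud', 'vpn', 'corp' or 'residential'."""
    ip = ipaddress.ip_address(src_ip)
    for label, nets in NON_RESIDENTIAL_RANGES.items():
        if any(ip in net for net in nets):
            return label
    return "residential"


def serve(src_ip: str, user_agent: str, captcha_passed: bool) -> str:
    """Return which artifact the gate hands back: 'blank', 'benign' or 'zip'."""
    if not captcha_passed:
        return "blank"                      # plain-text placeholder résumé
    if visitor_class(src_ip) != "residential":
        return "benign"                     # corporate, cloud or VPN source
    if AUTOMATION_UA.search(user_agent) or not WINDOWS_UA.search(user_agent):
        return "benign"                     # sandbox, crawler or non-Windows browser
    return "zip"                            # only a plausible victim gets the payload


if __name__ == "__main__":
    win_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    for ip, ua, captcha in [("3.5.6.7", win_ua, True),            # cloud sandbox
                            ("93.184.216.34", "python-requests/2.31", True),
                            ("93.184.216.34", win_ua, False),
                            ("93.184.216.34", win_ua, True)]:     # home user
        print(f"{ip:15} {visitor_class(ip):12} -> {serve(ip, ua, captcha)}")
```

The practical consequence for defenders: a detonation sandbox or URL scanner that egresses from a cloud range, or that fetches with a non-browser client, will only ever retrieve the decoy and report the link as clean. Retrieving the real archive means fetching after the CAPTCHA, from a residential-looking egress, with a Windows browser user agent.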

The More_eggs Backdoor and What It Can Do

Hidden inside the downloaded ZIP file is a piece of code known as More_eggs, created by another underground crew, Golden Chickens (also called Venom Spider). More_eggs is written in JavaScript and runs through the Windows Script Host, so it needs no special privileges and drops no compiled executable for antivirus to flag. Once active, it opens a covert channel back to the attackers. Through that channel FIN6 can grab usernames and passwords, move laterally across the network, or fetch additional tools, sometimes including ransomware.

Security researchers have tied FIN6 to More_eggs going back to 2018. The gang's older campaigns often hit hotels and retail chains through their point-of-sale (PoS) systems. By sneaking malware onto those PoS terminals, the criminals collected payment-card data in real time and later sold the numbers on black-market forums such as Joker's Stash, which closed in 2021. FIN6 has also dabbled in Magecart-style skimming: inserting small snippets of JavaScript into online checkout pages to siphon card numbers from web shoppers. In every case the end goal is simple: turn stolen financial details into cash.

Why the Scam Works

FIN6's latest move shows that even a low-tech lure, sending someone a résumé, can score big when paired with modern cloud services and clever evasion. Recruiters are trained to open candidate documents quickly, and many use personal machines or simple antivirus tools that might not catch a brand-new sample of malware. The CAPTCHA wall fuels a sense of legitimacy ("everyone uses CAPTCHA these days") while quietly filtering out the sandbox environments that analysts rely on. By keeping the initial stage small and trustworthy, the attackers avoid tripping alarms until they already have a foothold.

Fallout for Victims and Defenders

Once More_eggs is embedded, the door is open for far more damaging follow-up actions. FIN6 can harvest credentials to corporate email, cloud services, or payment systems. Ransomware operators, who often partner with groups like FIN6, can then lock down a company's data and demand a payout. Even if no ransomware is dropped, the theft of customer card data carries steep regulatory fines and reputational harm. For recruiters and HR departments, the episode serves as a reminder that the hiring workflow itself is now a soft target.

Defenders have a few angles to fight back. One is to block, at the web proxy, downloads of archives and executables from domains registered only days or weeks earlier, since a legitimate portfolio site rarely needs to serve a ZIP. Restricting résumé submissions to trusted cloud drives or the applicant-tracking system, where files can be scanned in isolation, helps too. Perhaps most important is teaching anyone who handles résumés to treat every unexpected download link with suspicion, even if the sender appears polished and professional.
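A detection pass over web-proxy logs that applies the first two controls above, as an added example rather than anything from the DomainTools report. It flags archive downloads from a domain that was registered recently, and archive downloads from a site the same client reached through a LinkedIn or Indeed link minutes earlier. The log lines, the domain names (on the reserved `.example` TLD) and the registration dates are constructed; in production the `REGISTERED_ON` table would be filled by a WHOIS/RDAP enrichment step.

```python
"""
Flag archive downloads that match the fake-résumé pattern in proxy logs:
newly registered domain, or a site first reached via a job-board referrer.
Added example; every log line and registration date below is constructed.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed: what WHOIS/RDAP enrichment would return for each domain.
REGISTERED_ON = {
    "jdoe-portfolio.example": datetime(2025, 5, 28),   # registered days ago
    "careers.example.org":    datetime(2016, 2, 10),
}

# Constructed proxy log: timestamp src method url status content-type referrer
PROXY_LOG = """\
2025-06-03T14:02:11Z 10.20.5.17 GET https://jdoe-portfolio.example/ 200 text/html https://www.linkedin.com/messaging/
2025-06-03T14:02:40Z 10.20.5.17 GET https://jdoe-portfolio.example/verify 200 text/html https://jdoe-portfolio.example/
2025-06-03T14:03:02Z 10.20.5.17 GET https://jdoe-portfolio.example/resume.zip 200 application/zip https://jdoe-portfolio.example/verify
2025-06-03T15:11:49Z 10.20.7.3 GET https://careers.example.org/jobs/123.pdf 200 application/pdf https://www.indeed.com/
2025-06-03T15:40:05Z 10.20.9.8 GET https://careers.example.org/forms/app.zip 200 application/zip https://careers.example.org/
"""

ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed",
                 "application/x-7z-compressed", "application/x-rar-compressed"}
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".iso")
JOB_SITES = ("linkedin.com", "indeed.com")
NEW_DOMAIN_DAYS = 30


def parse(line: str) -> dict:
    ts, src, _method, url, status, ctype, referrer = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "url": url, "host": urlsplit(url).hostname, "status": int(status),
            "ctype": ctype, "referrer": referrer}


def is_job_site(hostname: str) -> bool:
    return any(hostname == s or hostname.endswith("." + s) for s in JOB_SITES)


def is_archive(ev: dict) -> bool:
    return ev["ctype"] in ARCHIVE_TYPES or ev["url"].lower().endswith(ARCHIVE_SUFFIXES)


def domain_age_days(ev: dict):
    """Days between registration and the request, or None if unknown."""
    reg = REGISTERED_ON.get(ev["host"])
    return None if reg is None else (ev["ts"] - reg).days


def find_suspect_downloads(log_text: str, window: timedelta = timedelta(minutes=10)) -> list:
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    # (client, host) -> first time that client reached the host from a job board
    from_job_site = {}
    for ev in events:
        ref_host = urlsplit(ev["referrer"]).hostname or ""
        if is_job_site(ref_host):
            from_job_site.setdefault((ev["src"], ev["host"]), ev["ts"])

    hits = []
    for ev in events:
        if ev["status"] != 200 or not is_archive(ev):
            continue
        reasons = []
        age = domain_age_days(ev)
        if age is not None and age <= NEW_DOMAIN_DAYS:
            reasons.append(f"domain registered {age}d ago")
        first = from_job_site.get((ev["src"], ev["host"]))
        if first is not None and ev["ts"] - first <= window:
            reasons.append("site reached via job-board link")
        if reasons:
            hits.append((ev["src"], ev["url"], reasons))
    return hits


if __name__ == "__main__":
    for src, url, reasons in find_suspect_downloads(PROXY_LOG):
        print(f"{src}  {url}  [{'; '.join(reasons)}]")
```

Only the `resume.zip` fetch trips the rule: the domain is six days old and the same client arrived from LinkedIn under a minute earlier. The older careers site serving a ZIP is left alone. Treat registration age as the primary signal; the referrer hint is useful corroboration but disappears whenever a browser's referrer policy strips the header.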

Looking Ahead

FIN6 has been active since at least 2012 and shows no sign of slowing down. By mixing ordinary social skills with rented cloud power, the group demonstrates that modern attacks do not always rely on exotic zero-day exploits. Sometimes all it takes is a believable backstory, a familiar hosting brand, and a few lines of JavaScript. As long as recruiters continue to value speed over caution, and as long as cloud services remain easy to spin up anonymously, tactics like fake résumés delivered through AWS will likely stay in the attacker's playbook.