\n<\/p>\n
The financially motivated threat actor known as **FIN6** has been observed leveraging fake resumes hosted on Amazon Web Services (AWS) infrastructure to deliver a malware family called More_eggs.<\/p>\n
“By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware,” the DomainTools Investigations (DTI) team said in a report shared with The Hacker News.<\/p>\n
More_eggs is the work of another cybercrime group called Golden Chickens (aka Venom Spider), which was most recently attributed to new malware families like TerraStealerV2 and TerraLogger. A JavaScript-based backdoor, it’s capable of enabling credential theft, system access, and follow-on attacks, including ransomware.<\/p>\n
One of the malware’s known customers is FIN6 (aka Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, and TA4557), an e-crime crew that originally targeted point-of-sale (PoS) systems in the hospitality and retail sectors to steal payment card details and profit off them. It’s operational since 2012.<\/p>\n
<\/p>\n
The hacking group also has a history of using Magecart JavaScript skimmers to target e-commerce sites to harvest financial information.<\/p>\n
According to payment card services company Visa, FIN6 has leveraged More_eggs as a first-stage payload as far back as 2018 to infiltrate several e-commerce merchants and inject malicious JavaScript code into the checkout pages with the ultimate goal of stealing card data. <\/p>\n
“Stolen payment card data is later monetized by the group, sold to intermediaries, or sold openly on marketplaces such as JokerStash, prior to it shutting down in early 2021,” Secureworks notes in a profile of the threat actor.<\/p>\n
The latest activity from FIN6 involves the use of social engineering to initiate contact with recruiters on professional job platforms like LinkedIn and Indeed, posing as job seekers to distribute a link (e.g., bobbyweisman[.]com, ryanberardi[.]com) that purports to host their resume.<\/p>\n
DomainTools said the bogus domains, which masquerade as personal portfolios, are registered anonymously through GoDaddy for an extra layer of obfuscation that makes attribution and takedown efforts more difficult.<\/p>\n
“By exploiting GoDaddy’s domain privacy services, FIN6 further shields the true registrant details from public view and takedown team,” the company said. “Although GoDaddy is a reputable and widely used domain registrar, its built-in privacy features make it easy for threat actors to hide their identities.”<\/p>\n
Another noteworthy aspect is the use of trusted cloud services, such as AWS Elastic Compute Cloud (EC2) or S3, to host phishing sites. What’s more, the sites come with built-in traffic filtering logic to ensure that only prospective victims are served a link to download the supposed resume after completing a CAPTCHA check.<\/p>\n
<\/p>\n
“Only users appearing to be on residential IP addresses and using common Windows-based browsers are allowed to download the malicious document,” DomainTools said. “If the visitor originates from a known VPN service, cloud infrastructure like AWS, or corporate security scanners, the site instead delivers a harmless plain-text version of the resume.”<\/p>\n
The downloaded resume takes the form of a ZIP archive that, when opened, triggers an infection sequence to deploy the More_eggs malware.<\/p>\n
“FIN6’s Skeleton Spider campaign shows how effective low-complexity phishing campaigns can be when paired with cloud infrastructure and advanced evasion,” the researchers concluded. “By using realistic job lures, bypassing scanners, and hiding malware behind CAPTCHA walls, they stay ahead of many detection tools.”<\/p>\n
Found this article interesting? Follow us on Twitter _\uf099_ and LinkedIn to read more exclusive content we post.\n<\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware Update ID THN:6FF8AC81AB57BED8A5E8DAD73315BDD9 Type thn Published 2025-06-10T16:46:00 Last…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,34,12,13,33,7,11,43,5],"class_list":["post-6708","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n
FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=6708\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware Update ID THN:6FF8AC81AB57BED8A5E8DAD73315BDD9 Type thn Published 2025-06-10T16:46:00 Last...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=6708\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-06-11T09:18:32+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6708#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6708\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware\",\"datePublished\":\"2025-06-11T09:18:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6708\"},\"wordCount\":679,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"thn\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=6708#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6708\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6708\",\"name\":\"FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-06-11T09:18:32+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6708#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=6708\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6708#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=6708","og_locale":"en_US","og_type":"article","og_title":"FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware - zero redgem","og_description":"Security Update News Update Information Title FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware Update ID THN:6FF8AC81AB57BED8A5E8DAD73315BDD9 Type thn Published 2025-06-10T16:46:00 Last...","og_url":"https:\/\/zero.redgem.net\/?p=6708","og_site_name":"zero redgem","article_published_time":"2025-06-11T09:18:32+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=6708#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=6708"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware","datePublished":"2025-06-11T09:18:32+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=6708"},"wordCount":679,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","news","NONE","Security","tapic","thn","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=6708#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=6708","url":"https:\/\/zero.redgem.net\/?p=6708","name":"FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-06-11T09:18:32+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=6708#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=6708"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=6708#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/6708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6708"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/6708\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}