LinkedIn and AWS: FIN6 exploits HR workflows to breach corporate defenses

**FIN6 Exploits Cloud Infrastructure in Sophisticated HR-Targeted Phishing Campaign**

The financially motivated cybercrime group FIN6 (also known as Skeleton Spider) is leveraging fake job applications and trusted cloud services to target human resources (HR) professionals in a highly evasive social engineering campaign. Researchers at DomainTools uncovered the operation, which combines professional networking platforms such as LinkedIn and Indeed with malware-hosting cloud infrastructure to bypass traditional security defenses.

How the Attack Works

  1. Initial Contact – Attackers pose as job seekers on professional platforms, engaging recruiters to build rapport before sending phishing emails with malicious links.
  2. Fake Resume Sites – Domains mimicking real applicant names (e.g., bobbyweisman[.]com, ryanberardi[.]com) are registered via GoDaddy’s anonymous services and hosted on AWS EC2 or S3, blending into legitimate cloud traffic.
  3. Sophisticated Evasion – The sites employ traffic filtering to distinguish targets from security researchers, checking IP reputation, geolocation, OS, and browser fingerprints. Only visitors that look like residential Windows users are let past the CAPTCHA wall and served the malicious ZIP files containing the More_eggs backdoor.
  4. Malware Deployment – More_eggs, a modular JavaScript backdoor, operates in memory to evade detection, enabling credential theft, command execution, and follow-on attacks, including ransomware deployment.

Why HR is a Prime Target

HR teams frequently interact with external contacts and handle unsolicited communications, making them vulnerable to social engineering. The campaign exploits this trust, using realistic job lures to bypass email filters and endpoint security. FIN6’s shift from point-of-sale (POS) breaches to enterprise ransomware underscores its evolution toward higher-value targets.

Cloud Abuse & Detection Challenges

Attackers favor AWS and other cloud platforms due to:

  • Low-cost setup (free-tier abuse or compromised billing accounts).
  • Trusted IP ranges that evade enterprise network filters.
  • Scalability for hosting malicious infrastructure.

The campaign highlights gaps in perimeter-based security, as traditional defenses struggle to detect threats embedded in legitimate cloud services. Security teams are advised to monitor for unusual traffic patterns and suspicious file types linked to cloud-hosted malware.
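One way to act on that advice at a mail or proxy gateway, as an added example that is not from the article, DomainTools or Rankiteo: it triages a "resume" ZIP by looking for Windows script members (More_eggs is JavaScript) and double extensions such as `resume.pdf.js`, and records when the download came from a bare cloud storage hostname. The sample archives and hostnames are constructed, and the `.amazonaws.com` suffix check is an assumption about how S3/EC2 default hostnames appear in your logs.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Windows script types a More_eggs-style lure ships inside a ZIP; a real
# resume archive has no business containing any of these.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".hta", ".lnk"}
# Document extensions a lure borrows for a double-extension name (resume.pdf.js).
DOC_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}
# Assumption: downloads straight from S3/EC2 show this suffix in proxy logs.
CLOUD_HOST_SUFFIXES = (".amazonaws.com",)

@dataclass
class Verdict:
    block: bool = False            # True once any script member is found
    reasons: list[str] = field(default_factory=list)

def _ext(name: str) -> str:
    """Lower-cased final extension of a member name, or '' if it has none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def triage_resume_zip(source_host: str, zip_bytes: bytes) -> Verdict:
    """Inspect a ZIP presented as a resume: block on script members, note cloud origin."""
    verdict = Verdict()
    if source_host.lower().endswith(CLOUD_HOST_SUFFIXES):
        verdict.reasons.append(f"served from raw cloud host {source_host}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            if ext not in SCRIPT_EXTS:
                continue
            verdict.block = True
            verdict.reasons.append(f"script member {info.filename}")
            if _ext(info.filename[: -len(ext)]) in DOC_EXTS:
                verdict.reasons.append(f"double extension hides script: {info.filename}")
    return verdict

def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed test archive from {member name: content}; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

A cloud-hosted origin alone is only recorded as a reason, since legitimate applicants also use cloud storage; the script-member check is what blocks.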

AWS Response & Broader Implications

An AWS spokesperson stated the company enforces terms prohibiting illegal use and acts swiftly on abuse reports. However, the incident raises questions about balancing cloud accessibility with security controls, particularly as threat actors increasingly exploit trusted infrastructure.

FIN6’s operation demonstrates how low-complexity phishing, when paired with cloud evasion techniques, can outmaneuver even advanced detection tools—reinforcing the need for holistic security strategies that address both technical and human vulnerabilities.

Source: https://www.csoonline.com/article/4005944/fin6-exploits-hr-workflows-to-breach-corporate-defenses.html

LinkedIn cybersecurity rating report: https://www.rankiteo.com/company/linkedin

AWS Partners cybersecurity rating report: https://www.rankiteo.com/company/aws-partners

{
  "id": "LINAWS1766995316",
  "linkid": "linkedin, aws-partners",
  "type": "Cyber Attack",
  "date": "12/2025",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{'affected_entities': [{'industry': 'Multiple (cross-industry)',
                        'location': 'Global (targeting HR professionals via '
                                    'LinkedIn/Indeed)',
                        'type': 'Organizations with HR departments'}],
 'attack_vector': 'Phishing emails with malicious links, fake resume '
                  'portfolios hosted on AWS',
 'data_breach': {'data_exfiltration': 'Possible (More_eggs malware enables '
                                      'follow-on attacks)',
                 'file_types_exposed': 'Malicious ZIP files containing '
                                       'JavaScript-based malware (More_eggs)',
                 'personally_identifiable_information': 'Yes (credentials, HR '
                                                        'data)',
                 'sensitivity_of_data': 'High (PII, credentials, HR data)',
                 'type_of_data_compromised': 'Credentials, personally '
                                             'identifiable information (PII), '
                                             'sensitive employee data'},
 'description': 'The financially motivated cybercrime group FIN6, also known '
                'as Skeleton Spider, is targeting human resources '
                'professionals with an elaborate social engineering scheme '
                'that uses fake job applications to deliver malware. The '
                'campaign involves attackers posing as job seekers on '
                'professional platforms like LinkedIn and Indeed, building '
                'rapport with recruiters before following up with phishing '
                'emails containing malicious resume links. The fake resume '
                'sites employ sophisticated traffic filtering to deliver the '
                'More_eggs backdoor malware, which enables credential theft, '
                'system access, and follow-on attacks.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'compromised HR processes',
            'data_compromised': 'Credentials, sensitive employee data, system '
                                'access',
            'identity_theft_risk': 'High (credential theft, PII exposure)',
            'operational_impact': 'Potential disruption of HR operations, '
                                  'follow-on attacks (e.g., ransomware)',
            'systems_affected': 'HR systems, corporate networks'},
 'initial_access_broker': {'backdoors_established': 'More_eggs malware '
                                                    '(JavaScript backdoor)',
                           'entry_point': 'LinkedIn, Indeed (professional '
                                          'networking platforms)',
                           'high_value_targets': 'HR professionals, '
                                                 'recruiters'},
 'lessons_learned': 'Traditional perimeter security is insufficient against '
                    'social engineering tactics. Organizations must adopt '
                    'holistic security strategies that account for human '
                    'factors alongside technological defenses. HR personnel '
                    'are increasingly targeted due to their regular '
                    'interaction with external contacts.',
 'motivation': 'Financial gain, credential theft, follow-on attacks (e.g., '
               'ransomware deployment)',
 'post_incident_analysis': {'corrective_actions': ['Implement stricter '
                                                   'verification for external '
                                                   'communications (e.g., '
                                                   'resume submissions).',
                                                   'Enhance monitoring for '
                                                   'cloud-hosted phishing '
                                                   'sites using trusted IP '
                                                   'ranges.',
                                                   'Train HR personnel on '
                                                   'social engineering risks '
                                                   'and phishing tactics.',
                                                   'Adopt layered security '
                                                   'defenses (e.g., behavioral '
                                                   'WAF, network '
                                                   'segmentation).',
                                                   'Collaborate with cloud '
                                                   'providers to report and '
                                                   'disable abusive content.'],
                            'root_causes': ['Exploitation of trust in '
                                            'professional networking platforms '
                                            '(LinkedIn/Indeed).',
                                            'Abuse of trusted cloud '
                                            'infrastructure (AWS EC2/S3) to '
                                            'host malicious content.',
                                            'Sophisticated traffic filtering '
                                            'to evade detection (IP '
                                            'reputation, geolocation, OS '
                                            'fingerprinting).',
                                            'Use of CAPTCHA to bypass '
                                            'automated security scanners.',
                                            'Lack of verification procedures '
                                            'for external communications in HR '
                                            'workflows.']},
 'ransomware': {'data_exfiltration': 'Possible (More_eggs enables follow-on '
                                     'attacks)'},
 'recommendations': ['Implement comprehensive training programs for HR '
                     'personnel on phishing and social engineering risks.',
                     'Adopt additional verification procedures for resume '
                     'submissions and external communications.',
                     'Enhance monitoring for unusual traffic patterns or file '
                     'types (e.g., ZIP files from unexpected sources).',
                     'Use layered defenses (e.g., behavioral WAF, network '
                     'segmentation) to detect and block malicious activity.',
                     'Report abuse of cloud services (e.g., AWS) to platform '
                     'providers for takedown.',
                     'Maintain vigilance for cloud-hosted phishing sites using '
                     'trusted IP ranges.'],
 'references': [{'source': 'DomainTools Research'},
                {'source': 'AWS Spokesperson Statement'}],
 'response': {'containment_measures': 'AWS Trust & Safety abuse reporting '
                                      'process, disabling prohibited content',
              'enhanced_monitoring': 'Recommended (vigilance for unusual '
                                     'traffic patterns or file types)',
              'remediation_measures': 'Layered defenses, enhanced monitoring '
                                      'for unusual traffic patterns/file '
                                      'types, additional verification '
                                      'procedures for resume submissions'},
 'threat_actor': 'FIN6 (Skeleton Spider)',
 'title': 'FIN6 Skeleton Spider Campaign Targeting HR Professionals via Fake '
          'Job Applications',
 'type': 'Phishing/Social Engineering, Malware Delivery',
 'vulnerability_exploited': 'Human psychology (trust in job applications), '
                            'abuse of trusted cloud infrastructure (AWS '
                            'EC2/S3)'}