FIN6 cybercriminals pose as job seekers on LinkedIn to hack recruiters


Cybercriminals from the long-running FIN6 group are posing as job seekers on platforms like LinkedIn to infect recruiters with malware delivered through fake resumes, according to a new report.

Recruitment scams are common among cybercrime gangs, but this is a new tactic for FIN6, which is better known for stealing payment card data and breaching point-of-sale (PoS) systems in the hospitality and retail sectors, researchers at security firm DomainTools said.

In their latest campaign, the hackers — also tracked as Skeleton Spider — initiate interactions with recruiters on platforms such as LinkedIn and Indeed and, after gaining their trust, send malicious phishing emails that deliver a backdoor known as MoreEggs.

The phishing emails are professionally written and contain no clickable links — forcing recipients to manually type a URL, which helps the messages bypass security filters. The links direct recruiters to landing pages that mimic personal resume portfolios.
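A defender-side triage heuristic for the lure pattern described above, added here as an illustrative example rather than anything from the DomainTools report: it parses a raw email, collects URL-like strings that appear as visible text without a matching href, and flags the message when recruitment wording is also present. The sample messages, regular expressions and keyword list are constructed assumptions.

```python
"""Triage recruiter-themed lures whose URL is written out as plain text (not hyperlinked).
Samples, regexes and the keyword list below are constructed for illustration."""
import re
from email import message_from_string
from email.message import Message

URL_RE = re.compile(r"""\b(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/[^\s<>"']*)?""", re.I)
HREF_RE = re.compile(r"""href=["']([^"']+)["']""", re.I)
LURE_WORDS = ("resume", "portfolio", "cv", "application")  # assumed recruiter-lure vocabulary

def _text_parts(msg: Message):
    """Yield (subtype, decoded text) for every text/* MIME part."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield part.get_content_subtype(), raw.decode(part.get_content_charset() or "utf-8", "replace")

def unlinked_urls(raw: str):
    """Return URL-like strings visible in the body that never appear as an href target."""
    linked, found = set(), []
    for subtype, text in _text_parts(message_from_string(raw)):
        if subtype == "html":
            linked.update(h.lower() for h in HREF_RE.findall(text))
            text = re.sub(r"<[^>]+>", " ", text)  # scan only the text a reader would see
        found.extend(u.lower().rstrip(".,") for u in URL_RE.findall(text))
    return sorted({u for u in found if u not in linked})

def score_message(raw: str) -> dict:
    """Flag a message that asks the reader to type a URL and uses recruitment language."""
    body = " ".join(t for _, t in _text_parts(message_from_string(raw))).lower()
    urls = unlinked_urls(raw)
    lure = [w for w in LURE_WORDS if re.search(rf"\b{w}\b", body)]
    return {"unlinked_urls": urls, "lure_words": lure, "suspicious": bool(urls and lure)}

# Constructed samples: a typed-URL "resume" lure and an ordinary hyperlinked newsletter.
LURE = """From: candidate@example.test
To: recruiter@example.test
Subject: Application for Senior Engineer
Content-Type: text/plain

Hello, thank you for reaching out. My full resume and portfolio are at
alex-portfolio.example.test (copy it into your browser). Regards, Alex
"""
BENIGN = """From: news@example.test
To: recruiter@example.test
Subject: Weekly digest
Content-Type: text/html

<p>Read this week's <a href="https://news.example.test/digest">digest</a>.</p>
"""
```

Such a heuristic is a triage signal for a mail gateway or SOC queue, not a verdict; it should be paired with sandboxing of any archive the visited page serves.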

These sites are hosted on trusted cloud infrastructure, including Amazon Web Services (AWS), to evade detection. The landing pages use traffic filtering and CAPTCHA to ensure that only human recruiters — rather than automated analysis tools — are targeted with the malware.

Once the visitor is verified, the site delivers a malicious ZIP file containing the MoreEggs backdoor. This tool was developed by a threat actor tracked as Venom Spider and is sold as malware-as-a-service. FIN6 uses it to access the targeted system, steal credentials and carry out ransomware attacks.

FIN6 has been active since at least 2015 and has sold millions of payment card numbers on underground criminal marketplaces. The group’s latest recruitment scams confirm that its focus is shifting to broader enterprise threats, including ransomware operations, researchers said.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 
