Infiltration by Imitation: How FIN6 Uses LinkedIn and AWS to Launch More_eggs Malware Campaigns
A Strategic Breakdown on the Threat of AWS-Hosted Fake Resumes Delivering Sophisticated Malware via Professional Networks
Interesting Tech Fact:
Some cybercriminal groups embed their malware in seemingly benign WAV audio files—a technique called steganography-based payload delivery. These files play normal audio but also contain hidden malicious code that activates only when specific software decodes the embedded instructions. Because audio files are rarely flagged by antivirus tools and often considered harmless, this method allows attackers to bypass traditional security filters and sneak into corporate systems undetected. It's a striking example of how creativity and deception fuel modern cyber threats.
When Trust Becomes a Vector
In the escalating theater of cyberwarfare, the battleground has shifted to where digital trust is highest — professional networks. Advanced Persistent Threat (APT) groups like FIN6, historically known for targeting point-of-sale systems and e-commerce environments, have evolved beyond traditional tactics. Their latest campaign leverages LinkedIn, Amazon Web Services (AWS), and fake resumes to distribute the More_eggs malware, a modular backdoor-as-a-service platform that turns the professional hiring process into a silent cyber siege.
What Is FIN6 and Why Does It Matter?
FIN6 is a financially motivated threat actor first identified in 2016, notorious for breaching retail and hospitality targets to steal payment card data. However, recent evolutions in their playbook signal a tactical upgrade. No longer confined to point-of-sale malware, FIN6 has shifted toward credential harvesting, lateral movement, and now, social engineering at scale via LinkedIn and cloud infrastructure.
What makes this operation particularly dangerous is its surgical targeting of high-value individuals — HR professionals, hiring managers, and business owners — who are least likely to suspect malicious intent from job applicants or resume attachments.
Anatomy of the More_eggs Malware Campaign
More_eggs, developed by the Golden Chickens malware-as-a-service group, is a JavaScript-based backdoor that operates stealthily by hijacking legitimate Windows processes. It is modular, evasive, and devastating. Here’s how FIN6 leverages it:
Attack Chain Breakdown:
Reconnaissance Phase:
FIN6 profiles organizations on LinkedIn to identify decision-makers in HR, hiring, or management roles.
Fake LinkedIn accounts — complete with AI-generated profile pictures and plausible employment histories — are created to establish credibility.
Targets receive InMail messages or emails with subject lines like “Job Application for [Position Title]” or “Resume Submission - [Candidate Name]”.
These messages include links to AWS-hosted resume files that are disguised as PDFs or DOCs but actually launch scripts or downloaders.
Payload Delivery:
Clicking the link leads to the silent download of More_eggs via a malicious JavaScript file.
The malware uses Windows Management Instrumentation (WMI) and PowerShell to establish persistence.
Modular Exploits Activated:
Modules for credential stealing, keystroke logging, lateral movement, and data exfiltration are activated based on the target’s system configuration.
Command and Control (C2):
Communications with the attacker are obfuscated using HTTPS and legitimate cloud services like AWS or Azure as intermediaries.
Why This Matters to Business Executives
This campaign is not merely a technical threat — it’s a business continuity and brand trust issue. The abuse of LinkedIn and AWS, platforms your organization likely depends on, allows the attack to slip past perimeter defenses undetected. The following key risks emerge:
Credential Theft: Access to email, finance, HR, and customer databases.
Lateral Movement: From one compromised account, attackers move into finance, legal, or executive systems.
Data Breach Liability: Exposure of PII and sensitive business data leads to regulatory fines, lawsuits, and reputational damage.
Impersonation Risk: Stolen credentials may be used in follow-up phishing or supply chain attacks.
How FIN6 Weaponizes AWS and LinkedIn Trust
This campaign showcases trust exploitation — leveraging LinkedIn’s credibility and AWS’s infrastructure to make attacks seem legitimate. Key aspects include:
AWS-hosted Files Appear Safe: Security systems often whitelist AWS URLs, allowing malicious resumes to bypass filters.
LinkedIn Messaging Is Perceived as Professional: LinkedIn’s tone and context make recipients more likely to engage.
Fake Profiles Using AI-Generated Photos: Synthetic profile pictures evade reverse-image-search detection.
These layers create a near-perfect social engineering storm where the defense perimeter becomes the user’s perception, not technology.
Detection Challenges
Traditional email filters, antivirus solutions, and even EDR systems often fail to catch More_eggs because:
Fileless Execution: No obvious malicious file is saved on disk.
Living-off-the-Land Techniques (LOLBins): Uses Windows tools like mshta.exe, wscript.exe, and powershell.exe.
Abuse of Legitimate Platforms: Hard to block AWS and LinkedIn domains without operational disruption.
This necessitates a paradigm shift in threat detection and response strategies.
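The LOLBin and WMI behaviours listed above are still visible in process-creation telemetry even when nothing malicious touches disk. The following is an added detection example, not code from the newsletter or from any vendor: it runs a few behavioural rules over constructed, Sysmon-style process-creation records (the record layout, file names and rule names are assumptions for illustration).

```python
import ntpath
import re

# Constructed sample records shaped loosely like Sysmon Event ID 1 (process creation).
# They are illustrative only, not telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\hr\Downloads\Resume_J_Smith.pdf.js"'},
    {"pid": 4188, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -enc <BASE64_PLACEHOLDER>"},
    {"pid": 5001, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer"},
    {"pid": 6200, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # script-host LOLBins named above
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# A document extension immediately followed by a script extension, e.g. Resume.pdf.js
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|rtf)\.(js|jse|vbs|vbe|wsf|hta)\b", re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
# WMI permanent event subscription artefacts commonly used for persistence
WMI_PERSIST = re.compile(r"root[/\\]subscription|CommandLineEventConsumer|__EventFilter|Register-WmiEvent", re.I)

def base(path):
    return ntpath.basename(path).lower()   # ntpath handles backslash paths on any OS

def check_event(ev):
    """Return the list of rule names this single process-creation record trips."""
    hits = []
    parent, image, cmd = base(ev["parent"]), base(ev["image"]), ev["cmd"]
    if parent in SCRIPT_HOSTS and image in SHELLS:
        hits.append("script_host_spawned_shell")
    if image in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
        hits.append("document_lookalike_script")
    if image in SHELLS and ENCODED_PS.search(cmd) and HIDDEN_PS.search(cmd):
        hits.append("hidden_encoded_powershell")
    if WMI_PERSIST.search(cmd):
        hits.append("wmi_subscription_persistence")
    return hits

def scan_events(events):
    """Map pid -> tripped rules, keeping only the records that tripped something."""
    return {ev["pid"]: check_event(ev) for ev in events if check_event(ev)}
```

Running scan_events(SAMPLE_EVENTS) flags three of the four constructed records; the plain Get-Process launch from Explorer passes, which is the point of behavioural rather than signature matching.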
Strategic Response Framework
CISOs, CTOs, and business leaders must rethink their cybersecurity posture using a three-tiered strategy:
1. Hardening Human Trust Layers
Conduct role-specific phishing simulations targeting HR and executive leadership.
Verify LinkedIn contacts before clicking resume links — even professional messages should be subject to zero trust.
2. Cloud and Endpoint Monitoring
Deploy XDR solutions that detect behavioral anomalies, not just signature-based threats.
Configure CASBs (Cloud Access Security Brokers) to monitor unusual file-sharing activities from AWS or OneDrive.
3. Isolation and Incident Readiness
Use sandboxing for all resume and CV file uploads.
Implement application isolation tools like Microsoft Defender Application Guard or browser isolation for reviewing documents from unknown sources.
Executive Recommendations
For business owners, CISOs, and hiring teams, the following are essential steps:
Update Email Gateways to flag AWS links in job application messages.
Enforce Document Upload Protocols using secure career portals — never accept resumes via email or LinkedIn links.
Strengthen Identity & Access Management (IAM) — ensure MFA is enforced and privileged access is logged and segmented.
Board-Level Awareness: Communicate the risk of trust-based social engineering attacks in executive briefings.
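One way to implement the email-gateway recommendation above (flagging AWS-hosted links in job-application messages, and escalating when the link's file name claims a document but ends in a script or archive extension). This is an added example, not code from the newsletter or any gateway product; it assumes that any amazonaws.com hostname counts as an "AWS link" and runs on a constructed message.

```python
import posixpath
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message imitating the lure pattern described above; not a real sample.
SAMPLE_EMAIL = """\
From: candidate@example.test
To: hiring@example.test
Subject: Job Application for Senior Analyst

Hello, please find my resume here:
https://example-bucket.s3.amazonaws.com/docs/Resume_Jane_Doe.pdf.js
and a cover letter at https://www.example.test/cover.pdf
"""

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
THEME_RE = re.compile(r"\b(job application|resume submission|resume|cv|cover letter|candidate)\b", re.I)
# A document extension followed by a script or archive extension, e.g. Resume.pdf.js
DISGUISE_RE = re.compile(r"\.(pdf|docx?|rtf)\.(js|jse|vbs|wsf|hta|lnk|zip|iso)$", re.I)

def is_aws_hosted(host):
    """Assumption for this rule: every amazonaws.com hostname is treated as AWS-hosted."""
    host = host.lower()
    return host == "amazonaws.com" or host.endswith(".amazonaws.com")

def assess_message(raw):
    """Return the gateway verdict and per-link findings for one single-part RFC 822 message."""
    msg = message_from_string(raw)
    themed = bool(THEME_RE.search(msg.get("Subject", "")))
    findings = []
    for url in URL_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        if not is_aws_hosted(host):
            continue                      # only AWS-hosted links are in scope for this rule
        name = posixpath.basename(urlparse(url).path)
        reason = "aws_hosted_link"
        if DISGUISE_RE.search(name):
            reason = "aws_hosted_script_disguised_as_document"
        findings.append((url, reason))
    if any(r == "aws_hosted_script_disguised_as_document" for _, r in findings):
        verdict = "quarantine"            # document name hiding a script/archive extension
    elif themed and findings:
        verdict = "flag_for_review"       # hiring-themed message with an AWS-hosted link
    else:
        verdict = "pass"
    return {"themed": themed, "findings": findings, "verdict": verdict}
```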
Case Study: Targeted Resume Attack on a Mid-Sized Financial Firm
Scenario:
A mid-sized U.S.-based investment firm received a resume from a candidate claiming to be a former analyst at a top-tier firm. The hiring manager clicked a link hosted on AWS and downloaded what appeared to be a PDF. Behind the scenes,
Outcome:
The attacker exfiltrated sensitive investor portfolio data within 72 hours. The breach cost the firm $1.2 million in remediation, legal defense, and lost clients.
Lesson:
Even well-trained professionals can be deceived when trust and urgency intersect. Without content filtering, link isolation, and behavioral threat detection, even a simple resume becomes a digital Trojan horse.
The Future of Resume-Based Malware and Social Engineering
This incident marks a broader trend: cyber attackers are industrializing the human layer. As generative AI tools improve, attackers will produce even more convincing fake profiles, resumes, and professional messages.
Expect future malware campaigns to:
Use AI-generated work histories that align perfectly with real job descriptions.
Deliver payloads using encrypted ZIPs or dynamic fileless stagers.
Exploit API access to HR tools or applicant tracking systems (ATS) directly.
Organizations must embrace:
Zero Trust Architecture (ZTA)
Continuous Adaptive Risk and Trust Assessment (CARTA)
Behavioral User Analytics (BUA)
Conclusion: Digital Due Diligence Is Now a Cyber Imperative
What used to be simple — receiving and reviewing resumes — is now a frontline exposure point. As FIN6 demonstrates, no vector is too minor for exploitation. Business leaders must re-evaluate trust models, integrate security into human resource workflows, and align technical defenses with executive-level awareness.
More_eggs isn’t just malware — it’s a message to businesses: In the digital economy, every interaction is a possible intrusion. It’s time to screen not only resumes — but the environments, platforms, and links through which they arrive.
Further Reading and References:
Proofpoint Threat Insight on More_eggs: https://www.proofpoint.com/us/blog/threat-insight
MITRE ATT&CK Techniques Used by FIN6: https://attack.mitre.org/groups/G0037/
Golden Chickens and Malware-as-a-Service Evolution: https://research.checkpoint.com
Social Engineering Hook: