Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

How hackers turn resumes into malware

Written by Kirsten Peremore | June 30, 2025

In June 2025, cybersecurity researchers revealed that the financially motivated cybercrime group FIN6, also known as Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, or TA4557, has been using fake resumes hosted on Amazon Web Services (AWS) infrastructure to deliver a malware strain called More_eggs.


What happened 

The campaign, reported by the DomainTools Investigations (DTI) team on June 10, 2025, involves FIN6 actors posing as job seekers on platforms like LinkedIn and Indeed. They initiate conversations with recruiters to build trust before sending phishing links to malicious resume files. The links lead to domains such as “bobbyweisman[.]com” or “ryanberardi[.]com,” which appear to be legitimate personal portfolio sites but are actually hosted on AWS services like EC2 and S3.

The malware, More_eggs, developed by a separate group known as Golden Chickens (aka Venom Spider), is a JavaScript-based backdoor capable of stealing credentials, enabling system access, and deploying ransomware. To avoid detection, the phishing sites place a CAPTCHA in front of the download and filter traffic so that the malware is served only to residential IP addresses using common Windows browsers; requests arriving from VPNs or known security scanners are turned away. The malware is delivered in a ZIP archive disguised as a resume.

FIN6, active since 2012, has previously used this malware as a first-stage payload to infect e-commerce checkout pages and steal payment card data, later monetized through underground markets like JokerStash before its 2021 shutdown. 


In the know: What is Venom Spider?

Venom Spider, also known as Golden Chickens, is a cybercrime group that operates behind the scenes as a malware-as-a-service (MaaS) provider. Rather than conducting attacks directly, Venom Spider develops and rents out sophisticated malware tools to other threat actors, including FIN6. One of its most notorious creations is More_eggs, a modular JavaScript-based backdoor designed for stealth and persistence. 

More_eggs is typically delivered through phishing campaigns that mimic job applications, and it enables attackers to execute commands, steal credentials, and deploy additional malware such as ransomware. The malware operates in-memory to avoid detection by traditional antivirus tools and often abuses legitimate Windows utilities (known as LOLBins), such as wscript.exe, regsvr32.exe, and msxsl.exe, to blend in with normal system behavior. 

The backdoor is triggered via disguised .LNK (shortcut) files hidden in ZIP archives; when clicked, they execute JavaScript code that connects to external servers to download and install the payload. Venom Spider’s services are attractive to groups like FIN6 because they offer powerful malware tools with built-in evasion techniques.
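As an added illustration of the delivery mechanism described above (this is example code, not code from the DTI report, from Paubox, or from any malware sample), the following Python check inspects a "resume" ZIP attachment for the shortcut and script files that More_eggs campaigns rely on: by extension, by double extension such as `resume.pdf.lnk`, and by the fixed shell-link header that a renamed .LNK still carries. The extension list and the sample archive are constructed assumptions for this example.

```python
import io
import zipfile

# A Windows shell link (.LNK) begins with HeaderSize 0x4C followed by the
# fixed LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk layout.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")

# File types that wscript.exe / Explorer will execute on double-click.
# Assumption: tune this set to your own mail-gateway policy.
SCRIPT_EXTENSIONS = {".lnk", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def scan_resume_archive(zip_bytes: bytes) -> list[str]:
    """Return findings for a ZIP attachment; an empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            # "Resume.pdf.lnk": document-looking name, executable last extension.
            if len(parts) > 2 and ext in SCRIPT_EXTENSIONS:
                findings.append(f"{name}: double extension ending in {ext}")
            elif ext in SCRIPT_EXTENSIONS:
                findings.append(f"{name}: script/shortcut extension {ext}")
            # Content check independent of the name: bytes that are a shell link
            # under a non-.lnk filename are a mismatch worth flagging on their own.
            with archive.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC and ext != ".lnk":
                findings.append(f"{name}: shell-link header under non-.lnk name")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample of what a More_eggs-style 'resume' ZIP might contain."""
    lnk_stub = LNK_MAGIC + b"\x00" * 60  # header bytes only, not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("John_Doe_Resume.pdf.lnk", lnk_stub)
        archive.writestr("cover_letter.txt", "Thank you for your time.")
        archive.writestr("portfolio.dat", lnk_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_resume_archive(build_sample_archive()):
        print(finding)
```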


What was said

According to the report by HackerNews, “FIN6’s Skeleton Spider campaign shows how effective low-complexity phishing campaigns can be when paired with cloud infrastructure and advanced evasion. By using realistic job lures, bypassing scanners, and hiding malware behind CAPTCHA walls, they stay ahead of many detection tools.”


FAQs

Is all hacking illegal?

No. Ethical hacking is legal and helps improve cybersecurity by testing systems for weaknesses. Black-hat hacking (malicious) is illegal.


Who are the most common targets of hackers?

Individuals, corporations, healthcare providers, government agencies, and financial institutions are frequent targets; in practice, anyone holding valuable or sensitive data is a potential target.


How do hacking incidents affect patient care?

Hacks can delay surgeries, cancel appointments, disable access to electronic health records (EHRs), and even endanger patient lives when monitoring systems or prescription tools are taken offline.


Are healthcare data breaches reported publicly?

Yes. Under HIPAA, covered entities must report breaches involving more than 500 individuals to the U.S. Department of Health and Human Services (HHS) and notify affected patients.