Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner

Cybersecurity researchers have uncovered an advanced phishing campaign targeting corporate environments, particularly French-speaking organizations, by distributing fake resumes that secretly deploy malware.

The operation, tracked as FAUX#ELEVATE by Securonix, combines credential theft, data exfiltration, and cryptocurrency mining into a single highly efficient attack chain.

Malicious Resumes Disguised as Job Applications

The campaign begins with phishing emails containing what appear to be legitimate CV or resume files. These attachments are actually heavily obfuscated VBScript files designed to trick recipients.

When opened, the file displays a fake error message in French, leading users to believe the document is corrupted. Meanwhile, hidden malicious code executes in the background.

Obfuscation and Evasion Techniques

The malicious script is engineered to evade detection. Out of more than 200,000 lines of code, only a small fraction contains actual executable instructions, while the rest consists of meaningless comments to confuse analysis tools.
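A quick triage heuristic for this kind of padding, written here as an added example rather than code from the article or from Securonix: count how many lines of a `.vbs` file carry executable statements versus comment-only lines, so a script whose few hundred statements are buried in tens or hundreds of thousands of comment lines stands out before anyone deobfuscates it. The comment stripper honours VBScript's two comment forms (`'` and a leading `Rem`) and ignores apostrophes inside double-quoted strings; the sample script and the thresholds are constructed assumptions.

```python
"""Comment-density triage for padded VBScript droppers (added example)."""
import re

# A line whose first token is Rem is a comment; "Remove" must not match.
REM_RE = re.compile(r"^\s*rem(\s|$)", re.IGNORECASE)


def strip_vbs_comment(line: str) -> str:
    """Return the executable part of one VBScript line.

    An apostrophe starts a comment unless it sits inside a double-quoted
    string literal (VBScript doubles a quote to escape it, which toggles
    the in-string flag twice and so nets out correctly).
    """
    if REM_RE.match(line):
        return ""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def classify_lines(source: str) -> dict:
    """Count blank, comment-only and executable lines in a script."""
    counts = {"blank": 0, "comment": 0, "code": 0}
    for raw in source.splitlines():
        if not raw.strip():
            counts["blank"] += 1
            continue
        if strip_vbs_comment(raw).strip():
            counts["code"] += 1
        else:
            counts["comment"] += 1
    return counts


def padding_ratio(counts: dict) -> float:
    """Fraction of non-blank lines that are comments."""
    non_blank = counts["comment"] + counts["code"]
    return counts["comment"] / non_blank if non_blank else 0.0


def is_suspicious(counts: dict, min_lines: int = 5000, ratio: float = 0.95) -> bool:
    """Flag scripts that are both large and almost entirely comments.

    Thresholds are assumptions for illustration; tune them to your corpus
    of benign scripts before alerting on them.
    """
    total = counts["comment"] + counts["code"]
    return total >= min_lines and padding_ratio(counts) >= ratio


# Constructed sample: 39 executable lines (one of them containing a quoted
# apostrophe and a trailing comment), one Rem line, and 9,960 filler comments.
SAMPLE_CODE = [
    "Dim msg",
    "msg = \"Fichier corrompu : impossible d'ouvrir le document\"  ' shown to the user",
    'MsgBox msg, 16, "Erreur"',
    "Rem end of the visible part",
] + ["x = x + 1"] * 36
SAMPLE_PADDING = ["' filler comment %d" % i for i in range(9960)]
SAMPLE_VBS = "\n".join(SAMPLE_CODE + SAMPLE_PADDING)

if __name__ == "__main__":
    c = classify_lines(SAMPLE_VBS)
    print(c, "ratio=%.4f" % padding_ratio(c), "suspicious=%s" % is_suspicious(c))
```

Run it against a directory of attachments and sort by `padding_ratio`; benign scripts rarely exceed a few percent of comment lines, so the padded dropper described above sits alone at the top of the list.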

Additionally, the malware performs environment checks using Windows Management Instrumentation (WMI) to ensure it only runs on enterprise systems that are part of a domain, avoiding personal devices.

Privilege Escalation and Defense Evasion

Once executed, the malware repeatedly prompts users to grant administrative privileges through a User Account Control (UAC) loop. After gaining elevated access, it:

  • Disables security protections
  • Adds exclusion paths to Microsoft Defender
  • Modifies Windows Registry settings to disable UAC
  • Deletes its own initial traces

This ensures the system remains vulnerable for further stages of the attack.
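The Defender and UAC changes listed above leave records in two standard Windows log sources, and the detection logic below, an added example that is not from the article or Securonix, shows how to alert on them. It assumes Sysmon Event ID 13 (registry value set) with its `TargetObject`, `Details` and `Image` fields, and Microsoft-Windows-Windows Defender/Operational Event ID 5007 (configuration change) with its `Message` text; the events are constructed dictionaries that mirror those fields, and the exact formatting of the messages is an assumption.

```python
"""Rules for UAC and Defender tampering over constructed log events (added example)."""
import re

# Sysmon 13: setting EnableLUA to 0 turns UAC prompting off at next logon.
UAC_KEY = r"\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

# Defender 5007 reports new exclusions as "New value: HKLM\...\Exclusions\<kind>\<value> = 0x0".
EXCLUSION_RE = re.compile(
    r"\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\(.+?)\s*=",
    re.IGNORECASE,
)
REALTIME_OFF_RE = re.compile(
    r"\\Real-Time Protection\\DisableRealtimeMonitoring\s*=\s*0x1", re.IGNORECASE
)


def rule_uac_disabled(ev: dict):
    if ev.get("Channel") != "Sysmon" or ev.get("EventID") != 13:
        return None
    if not ev["TargetObject"].lower().endswith(UAC_KEY.lower()):
        return None
    if "0x00000000" not in ev["Details"]:
        return None
    return {"rule": "uac_disabled", "image": ev["Image"], "key": ev["TargetObject"]}


def rule_defender_exclusion(ev: dict):
    if ev.get("Channel") != "Defender" or ev.get("EventID") != 5007:
        return None
    m = EXCLUSION_RE.search(ev["Message"])
    if not m:
        return None
    return {"rule": "defender_exclusion_added", "kind": m.group(1), "value": m.group(2)}


def rule_realtime_disabled(ev: dict):
    if ev.get("Channel") != "Defender" or ev.get("EventID") != 5007:
        return None
    if not REALTIME_OFF_RE.search(ev["Message"]):
        return None
    return {"rule": "defender_realtime_disabled"}


RULES = [rule_uac_disabled, rule_defender_exclusion, rule_realtime_disabled]


def run_rules(events):
    """Apply every rule to every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hit["record"] = ev.get("RecordId")
                alerts.append(hit)
    return alerts


DEFENDER_PREFIX = "Microsoft Defender Antivirus Configuration has changed.\n\tNew value: "

# Constructed events: one benign autorun entry, then the three tampering steps.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Channel": "Sysmon", "EventID": 13,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"RecordId": 2, "Channel": "Sysmon", "EventID": 13,
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"RecordId": 3, "Channel": "Defender", "EventID": 5007,
     "Message": DEFENDER_PREFIX
     + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents = 0x0"},
    {"RecordId": 4, "Channel": "Defender", "EventID": 5007,
     "Message": DEFENDER_PREFIX
     + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(a)
```

Correlating these three alerts on one host within a short window, with the registry write coming from a script host or `reg.exe` rather than a management agent, gives a much higher-confidence signal than any of them alone.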

Multi-Stage Payload Deployment

The dropper retrieves two password-protected archives from Dropbox:

  • One archive contains tools for credential theft and cryptocurrency mining
  • The other includes components for persistence and cleanup

Among the tools deployed:

  • A browser data extraction module targeting Chromium-based browsers
  • A VBScript payload to steal Firefox credentials
  • A script designed to collect files from the desktop
  • A cryptocurrency miner based on XMRig
  • A persistent Trojan component that communicates with external servers

Data Exfiltration and Mining Activity

Stolen browser credentials and files are exfiltrated through SMTP using attacker-controlled email accounts. After data theft is complete, the malware removes most traces of its activity to reduce forensic evidence.
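Because the exfiltration rides ordinary SMTP, the network-side signal is a workstation talking to a mail port that only the organisation's relays should use. The following is an added example, not from the article, of that check over constructed Zeek-style `conn.log` rows (tab-separated `ts`, `id.orig_h`, `id.resp_h`, `id.resp_p`, `proto`, `orig_bytes`); the relay allowlist, the addresses and the byte threshold are assumptions.

```python
"""Outbound SMTP from non-relay hosts over constructed flow records (added example)."""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
# Assumption: only this host is permitted to send mail outbound.
MAIL_RELAYS = {"10.0.5.10"}


def parse_conn(line: str) -> dict:
    ts, src, dst, dport, proto, obytes = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(obytes)}


def smtp_exfil_candidates(lines, min_bytes: int = 100_000) -> dict:
    """Sum bytes sent to SMTP ports per non-relay source; report the heavy ones."""
    per_src = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_conn(line)
        if f["proto"] != "tcp" or f["dport"] not in SMTP_PORTS:
            continue
        if f["src"] in MAIL_RELAYS:
            continue
        per_src[f["src"]]["bytes"] += f["bytes"]
        per_src[f["src"]]["dsts"].add(f["dst"])
    return {src: v for src, v in per_src.items() if v["bytes"] >= min_bytes}


def _row(*cols) -> str:
    return "\t".join(str(c) for c in cols)


# Constructed flows: the relay sending real mail, a workstation pushing
# two large submissions to an external mail server, a workstation with a
# tiny SMTP flow, and ordinary HTTPS traffic that must be ignored.
SAMPLE_FLOWS = [
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\torig_bytes",
    _row(1700000000.1, "10.0.5.10", "203.0.113.25", 25, "tcp", 50_000_000),
    _row(1700000005.2, "10.0.20.44", "198.51.100.7", 587, "tcp", 80_000),
    _row(1700000012.9, "10.0.20.44", "198.51.100.7", 587, "tcp", 45_000),
    _row(1700000013.0, "10.0.20.45", "198.51.100.7", 587, "tcp", 2_000),
    _row(1700000014.3, "10.0.20.44", "93.184.216.34", 443, "tcp", 300_000),
]

if __name__ == "__main__":
    for src, info in smtp_exfil_candidates(SAMPLE_FLOWS).items():
        print(src, info["bytes"], sorted(info["dsts"]))
```

A blanket egress rule that only lets the relays reach ports 25, 465 and 587 prevents this channel outright; the query above is for environments where that rule is not yet in place, or for confirming it is being enforced.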

The remaining components continue to mine cryptocurrency and maintain unauthorized access to the system.

Living-Off-the-Land Strategy

This campaign makes extensive use of legitimate services and infrastructure to remain undetected, including:

  • Cloud storage platforms for payload delivery
  • Compromised websites for command-and-control communication
  • Trusted email services for data exfiltration

Such techniques demonstrate a “living-off-the-land” approach, where attackers rely on trusted tools and services to avoid raising suspicion.

High-Speed Attack Execution

One of the most alarming aspects of this campaign is its speed. Researchers observed that the entire attack chain, from initial execution to data exfiltration, can be completed in approximately 25 seconds.

This rapid execution, combined with targeted enterprise filtering, ensures maximum impact with minimal exposure.
