Venom Spider Hackers Target HR Personnel With Malware-Laced Job Applications

167/68 Wednesday, May 7, 2025

Researchers at Arctic Wolf Labs have uncovered a new cyberattack campaign conducted by a threat group called Venom Spider, which is specifically targeting human resources personnel – particularly recruiters and hiring managers – with phishing emails disguised as job applications. These emails often include what appear to be resumes from unknown applicants but are actually laced with a stealthy malware strain known as More_eggs, which allows attackers to covertly take control of the victim’s system.

In the latest campaign, the phishing email contains a link to an external site protected by a CAPTCHA challenge, likely used to evade automated scanning tools. Once the victim completes the CAPTCHA, they receive a ZIP file disguised as a resume. Inside the ZIP file is a decoy image and a malicious Windows shortcut file (.LNK). When the LNK file is executed, it runs a BAT script that uses Windows applications to deliver and execute the More_eggs malware. This malware can harvest system information, connect to command-and-control (C2) servers, and install additional payloads – all while evading detection by standard malware analysis tools due to its complex and stealthy design.

Although technically sophisticated, the attack relies on classic psychological manipulation through spear-phishing. Researchers advise organizations to train employees – especially HR and recruitment teams – on cybersecurity awareness, and to be cautious of suspicious file types such as .LNK, .ISO, or .VBS, especially when they are embedded in ZIP archives to evade email filtering. Staff should always inspect file properties before opening attachments. Given the current competitive job market and the high volume of applications HR departments handle, these individuals are increasingly vulnerable to such targeted attacks. The Venom Spider campaign remains active and is expected to evolve with greater complexity in the future.
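The advice above about .LNK, .ISO and .VBS files inside ZIP archives can be turned into an automated pre-open check. The following is an added example, not code from the article or from Arctic Wolf Labs. The decoy-extension list, the nesting depth limit, the function names and the sample archive are all assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the article names as suspicious inside ZIP archives.
RISKY_EXTENSIONS = {".lnk", ".iso", ".vbs"}
# Assumptions for this example: typical decoy extensions and a nesting limit.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".jpg", ".png"}
MAX_DEPTH = 3


def scan_zip(data: bytes, prefix: str = "", depth: int = 0) -> list[tuple[str, str]]:
    """Return (entry_path, reason) for every suspicious entry in a ZIP archive."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<archive>", "not a readable ZIP")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            if last in RISKY_EXTENSIONS:
                reason = f"risky extension {last}"
                if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTENSIONS:
                    reason += f" behind decoy extension {suffixes[-2]}"
                findings.append((path, reason))
            elif last == ".zip" and depth >= MAX_DEPTH:
                findings.append((path, "nested ZIP beyond depth limit"))
            elif last == ".zip" and info.flag_bits & 0x1:
                findings.append((path, "encrypted nested ZIP, cannot inspect"))
            elif last == ".zip":
                findings.extend(scan_zip(archive.read(info), path + "!", depth + 1))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a decoy image plus a shortcut, as the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("photo.jpg", b"constructed decoy bytes")
        z.writestr("John_Doe_Resume.pdf.lnk", b"constructed placeholder, not a real LNK")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample()))
```

The check looks only at entry names, so it can run on a mail gateway or upload portal without extracting or opening anything in the archive.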

Source: https://www.darkreading.com/cyber-risk/venom-spider-phishing-scheme