FIN6 hackers pose as job seekers to target recruiters with malicious resumes
A new cyberattack campaign has been uncovered, where the well-known threat group FIN6 is impersonating job seekers in order to infiltrate companies. The attackers use fake resumes to deliver malware, targeting recruiters and HR professionals during the hiring process.
Fake applications with hidden malware
In this campaign, FIN6 sends phishing emails that look like real job applications. The emails include a resume link hosted on trusted platforms such as Amazon Web Services. When a recruiter clicks the link, they are prompted to download a ZIP file. Inside the archive is a shortcut file that appears to be a PDF resume, but it actually launches a hidden script.
Once opened, the script begins a multi-step process to install malware on the recruiter’s device. The malware gives the attackers remote access, allowing them to steal data, move within the company network, or prepare for a ransomware attack.
If you want to learn more about how phishing works, you can read our article on phishing, and if you're curious about how malware spreads and operates, you can learn more about malware here.
Recruiters as a point of entry
HR departments are not always viewed as high-risk targets, but they are often exposed to large volumes of external communication. Recruiters may open dozens of resumes each day, making it easier for attackers to blend in with legitimate applicants.
FIN6 uses this to its advantage. By disguising malicious files as job application materials, the group can bypass security systems and trick users into opening dangerous attachments.
FIN6 continues to evolve
FIN6 has been active since at least 2015 and is known for targeting payment systems and stealing financial data. Over time, the group has shifted tactics to focus more on gaining access to corporate networks. Their use of cloud services to host malicious files shows a clear effort to evade detection.
This method also complicates the work of defenders, as many organizations trust platforms like AWS. This trust can make it harder for security solutions to flag the attack as suspicious.
How companies can protect themselves
To reduce the risk of compromise, organizations should focus on improving both technical defenses and employee awareness. Specific steps include:
- Providing cybersecurity training to HR staff and others who interact with external files and emails
- Using sandbox environments to test unknown attachments before opening them
- Blocking the execution of LNK files unless there is a clear business need
- Reviewing all downloaded files carefully before opening
- Relying on endpoint detection tools that monitor for unusual behavior
Conclusion
This campaign is a reminder that cybercriminals do not always target systems through traditional IT channels. By turning the job application process into a delivery method for malware, FIN6 shows how everyday business functions can become security risks.
Companies must take a broader view of cybersecurity, ensuring that every team member is equipped to spot threats and respond effectively. Attackers are constantly adapting their tactics, and so should we.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.