Arctic Wolf Labs has discovered a recent campaign driven by Venom Spider, a financially-motivated threat group. According to the findings, this campaign is using spear-phishing emails to target hiring managers in human resources (HR).

The group is exploiting legitimate job platforms and messaging services to submit applications to real job postings, delivering fake, malicious resumes that drop More_eggs, a backdoor that can be deployed for a range of malicious actions. 

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, discusses the nature of this tactic, stating, “This is far from a new tactic, but is definitely getting more use by malicious hackers. It used to be that HR was very sparingly targeted, but now they have become a target of choice. When doing cybersecurity risk management, I’d put anyone in the HR hiring path, including recruiters, hiring managers, people who interview new recruits, etc., on the list of your highest risk employees, alongside the previously identified high-risk positions in IT, C-level employees, and accounts payable.”

Via this backdoor, a threat actor could steal credentials, sensitive customer data, trade secrets or intellectual property. Furthermore, the research discovered upgrades the threat actors made to the malware to circumvent automated analysis techniques (like sandboxing) and to infect targets more effectively. 

The report encourages organizations to train employees to identify signs of a potential phishing attack, especially those who work in departments requiring them to open email attachments regularly — like HR. 

“HR, in general, has become a hotbed for scammers and malicious never-do-wells,” says Grimes. “We’ve got fake employees, fake employers, outgunned recruiters, and paid advertising by malicious hackers entering the hiring ecosystem in a way that has never been before. It’s nation-state level stuff, highly resourced, and coming for your company for sure!”