Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miners



Security researchers have uncovered a sophisticated phishing campaign that leverages fake resumes to deliver malware capable of stealing enterprise credentials and deploying cryptocurrency mining software. The activity, tracked under the codename FAUX#ELEVATE, has been observed targeting French‑speaking corporate environments, according to a report shared with The Hacker News. (The Hacker News)

This ongoing campaign begins with phishing emails containing a disguised Visual Basic Script (VBScript) file that appears to be a legitimate resume or CV. Once opened, the heavily obfuscated script executes a multi‑stage attack chain designed to evade detection and maximize impact. The malware toolkit combines credential theft, data exfiltration, and Monero cryptocurrency mining for monetization. (The Hacker News)

The attackers make use of legitimate cloud services and infrastructure to host and stage payloads, including Dropbox for storing malware components and compromised WordPress sites to serve command‑and‑control configuration data. Exfiltrated credentials are reportedly sent using mail[.]ru SMTP accounts under the control of the threat actors. (The Hacker News)

Analysis of the initial dropper reveals that most of its code consists of junk comments, inflating the script’s size and helping it evade automated sandbox detection. The VBScript prompts users for administrator privileges through a persistent User Account Control (UAC) loop, enabling the malware to modify system settings, disable security controls, and establish persistence. (The Hacker News)
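A cheap static-triage check for the padding technique described above, written here as an added example (not code from the report or from The Hacker News): it counts comment versus code lines in a VBScript and flags files whose bulk is comment filler. The thresholds (`min_ratio`, `min_comment_bytes`) and the sample scripts are constructed for illustration; the only VBScript syntax assumed is that a line beginning with `'` or `Rem` is a comment.

```python
"""Static triage heuristic for VBScript files padded with junk comments."""
import re

# Constructed samples, not files from the campaign: one padded, one ordinary.
SAMPLE_PADDED = "\n".join(
    [f"' filler comment number {i} " + "x" * 40 for i in range(200)]
    + ['Set sh = CreateObject("WScript.Shell")', 'sh.Popup "Resume loaded"']
)
SAMPLE_CLEAN = "\n".join(["' prints a greeting", 'WScript.Echo "hello"'])

_REM_LINE = re.compile(r"^rem\b", re.IGNORECASE)


def comment_padding_stats(script_text: str) -> dict:
    """Count comment and code lines (and their bytes) in a VBScript source.

    A line whose first non-blank character is an apostrophe, or that starts
    with the Rem keyword, is a whole-line comment in VBScript. Blank lines are
    ignored so they do not dilute the ratio.
    """
    comment_lines = code_lines = comment_bytes = code_bytes = 0
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("'") or _REM_LINE.match(line):
            comment_lines += 1
            comment_bytes += len(raw)
        else:
            code_lines += 1
            code_bytes += len(raw)
    total = comment_lines + code_lines
    return {
        "comment_lines": comment_lines,
        "code_lines": code_lines,
        "comment_ratio": comment_lines / total if total else 0.0,
        "comment_bytes": comment_bytes,
        "code_bytes": code_bytes,
    }


def is_suspiciously_padded(script_text: str,
                           min_ratio: float = 0.8,
                           min_comment_bytes: int = 2048) -> bool:
    """Flag a script when comments dominate both by line count and by size.

    The byte floor keeps short, normally commented scripts from triggering;
    the ratio catches the 'mostly junk comments' shape the report describes.
    Both thresholds are illustrative assumptions, not values from the report.
    """
    stats = comment_padding_stats(script_text)
    return (stats["comment_ratio"] >= min_ratio
            and stats["comment_bytes"] >= min_comment_bytes)


if __name__ == "__main__":
    for name, text in (("padded", SAMPLE_PADDED), ("clean", SAMPLE_CLEAN)):
        print(name, comment_padding_stats(text), is_suspiciously_padded(text))
```

This is a triage signal, not a verdict: legitimate scripts with long license headers can have a high comment ratio, so the result belongs in a scoring pipeline alongside the filename lure (a `.vbs` presented as a CV) and the mail-gateway context.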

Once executed with elevated privileges, the malware configures exclusions in Microsoft Defender, alters Windows Registry settings to disable UAC, and deletes itself to reduce forensic traces. It then downloads additional tools from password‑protected archives hosted on Dropbox, including modules for credential theft and a Monero miner executable. (The Hacker News)

Among the payloads is a credential stealer that bypasses browser encryption protections to extract sensitive login data from Chromium‑based browsers, as well as other components aimed at exfiltrating files and maintaining long‑term access. After theft and exfiltration tasks are complete, cleanup routines remove many of the dropped files, leaving only the miner and a persistent trojan behind. (The Hacker News)

Researchers warn that the campaign’s rapid execution—completing from initial VBScript launch to credential theft and exfiltration in roughly 25 seconds—makes it particularly dangerous for enterprise security teams. The selective targeting of domain‑joined machines ensures that compromised hosts yield valuable corporate credentials and resources. (The Hacker News)

FAUX#ELEVATE exemplifies how modern phishing operations increasingly combine social engineering with multi‑stage malware delivery to bypass defenses and profit from both credential theft and cryptomining. Security professionals advise organizations to educate users about phishing risks and to implement robust detection and response controls to mitigate such threats. (The Hacker News)
