Discover how the FIN6 cybercrime group, also known as Skeleton Spider, leverages trusted cloud services like AWS to deliver stealthy malware through fake job applications and resume-themed phishing campaigns. Learn about their tactics, infrastructure, and how to defend against these evolving threats.
Skeleton Spider, also known as FIN6, is a long-running financially motivated cybercrime group that has continually evolved its tactics to maximize impact and profit. While the group initially gained notoriety for point-of-sale (POS) breaches and large-scale payment card theft, it has since shifted to broader enterprise threats, including ransomware operations.
In recent years, FIN6 has sharpened its focus on social engineering campaigns that exploit professional trust. By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware. One of their preferred payloads is more_eggs, a stealthy JavaScript-based backdoor that facilitates credential theft, system access, and follow-on attacks, including ransomware deployment.
This research combines technical insights and practical analysis for both general audiences and cybersecurity professionals. We examine how FIN6 uses trusted cloud services, such as AWS, to host malicious infrastructure, evade detection, and ultimately deploy malware through socially engineered lures.
An unknown actor has been continuously creating malicious Chrome Browser extensions since approximately February, 2024. The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, Crypto, banking and more to direct users to install corresponding malicious extensions on Google’s Chrome Web Store (CWS). The extensions typically have a dual functionality, in which they generally appear to function as intended, but also connect to malicious servers to send user data, receive commands, and execute arbitrary code.
Like any garden, the digital landscape experiences the emergence of unexpected blooms. Among the helpful flora of browser and application extensions, some appear with intentions less than pure. These deceptive ones, often born from a fleeting desire for illicit gain or mischievous disruption, may possess a certain transient beauty in their ingenuity. They arrive, sometimes subtly flawed in their execution, yet are driven by an aspiration to infiltrate our digital lives, to harvest our data, or to simply sow chaos.
As demand for malicious proxy services continues, new players have entered the market. Black Proxies is marketed to other cybercriminals for their reliability, scope, and overwhelming number of IP addresses.
