Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner

Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner Ravie LakshmananMar 24, 2026Malware / Endpoint Security An ongoing phishing campaign is targeting French-speaking corporate environments with fake resumes that lead to the deployment of cryptocurrency miners and information stealers. "The campaign uses highly obfuscated VBScript files disguised as resume/CV documents, delivered through phishing emails," Securonix researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee said in a report shared with The Hacker News. "Once executed, the malware deploys a multi-purpose toolkit that combines credential theft, data exfiltration, and Monero cryptocurrency mining for maximum monetization." The activity has been codenamed FAUX#ELEVATE by the cybersecurity company. The campaign is noteworthy for the abuse of legitimate services and infrastructure, such as Dropbox for staging payloads, Moroccan WordPress sites for hosting command-and-control (C2) configuration, and mail[.]ru SMTP infrastructure for exfiltrating stolen browser credentials and desktop files. This is an example of a living-off-the-land-style attack that raises the bar on how attackers can trick defense mechanisms and sneak their way into the target's system without attracting much attention. The initial dropper file is a Visual Basic Script (VBScript) that, upon opening, displays a bogus French-language error message, fooling message recipients into thinking that the file is corrupted. However, what happens behind the scenes is that the heavily obfuscated script runs a series of checks to evade sandboxes and enters into a persistent User Account Control (UAC) loop that prompts users to run it with administrator privileges. Notably, out of the script's 224,471 lines, only 266 lines contain actual executable code. The rest of the script is filled with junk comments featuring random English sentences, inflating the size of the file to 9.7MB. "The malware also uses a domain-join gate using WMI [Windows Management Instrumentation], ensuring that payloads are only delivered on enterprise machines, and standalone home systems are excluded entirely," the researchers said. As soon as the dropper obtains administrative privileges, it wastes no time disabling security controls and covering up its tracks by configuring Microsoft Defender exclusion paths for all primary drive letters (from C to I), disabling UAC via a Windows Registry change, and deleting itself. The dropper is also responsible for fetching two separate password-protected 7-Zip archives hosted on Dropbox - gmail2.7z, which contains various executables to steal data and mine cryptocurrency gmail_ma.7z, which contains utilities for persistence and cleanup Among the tools used to facilitate credential theft is a component that leverages the ChromElevator project to extract sensitive data from Chromium-based browsers by getting around app-bound encryption (ABE) protections. Some of the other tools include - mozilla.vbs, a VBScript malware for stealing Mozilla Firefox profile and credentials walls.vbs, a VBScript payload for desktop file exfiltration mservice.exe, an XMRig cryptocurrency miner that's launched after retrieving the mining configuration from a compromised Moroccan WordPress site WinRing0x64.sys, a legitimate Windows kernel driver that's used to unlock the CPU's full mining potential RuntimeHost.exe, a persistent Trojan component that modifies Windows Firewall rules and periodically communicates with a C2 server The sole browser data is exfiltrated using two separate mail[.]ru sender accounts ("olga.aitsaid@mail.ru" and "3pw5nd9neeyn@mail.ru") that share the same password over SMTP to another email address operated by the threat actor ("vladimirprolitovitch@duck.com"). Once credential theft and exfiltration activities are complete, the attack chain initiates an aggressive cleanup of all dropped tools in a bid to minimize forensic footprint, leaving behind only the miner and trojan artifacts./p> "The FAUX#ELEVATE campaign demonstrates a well-organized, multi-stage attack operation that combines several noteworthy techniques into a single infection chain," Securonix said. "What makes this campaign particularly dangerous for enterprise security teams is the speed of execution, the full infection chain completes in approximately 25 seconds from initial VBS execution to credential exfiltration, and the selective targeting of domain-joined machines, which ensures that every compromised host provides maximum value through corporate credential theft and persistent resource hijacking." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Credential Theft, cryptocurrency, cybersecurity, endpoint security, enterprise security, Malware, Phishing, Threat Intelligence, VBScript Trending News ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Load More ▼ Popular Resources Fix Security Noise by Focusing Only on Validated Exposures Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools