Arctic Wolf said the threat actors have upgraded More_eggs several times to more effectively infect victims and evade automatic analytics techniques such as sandboxes.
“Recruiters working in the HR department are often considered as weaknesses of attackers in the organization because the nature of their work means that they must regularly open emails (such as resumes and cover letters) to them, including candidates and hiring candidates and hiring agencies,” the report said.
Typically, malicious messages in this campaign contain a link that is said to allow managers to download job seekers’ resumes from external sites. If the manager clicks the link, they are taken to an actor-controlled website from which the recruiter can download (bait) resumes. On this site, users must check the verification code box, a precaution that helps the website bypass the automatic scanner.
