Proofpoint reports a campaign that targets recruiters and delivers malware by impersonating job candidates.
The actor creates fake candidate identities and emails recruiters directly, pretending to be interested in job postings. Then, the actor delivers malware either directly via email attachment or by redirecting the recruiter to a purported portfolio of the candidate's work, which, in fact, hosts malware.
The campaign has been attributed to the Eastern European financially motivated threat actor known as FIN6 (a.k.a. TA4557), linked to groups such as Cobalt/Carbanak, Evilnum, and FIN7.
While email is the delivery mechanism observed so far, recruiters may also benefit from paying close attention to messages received via social media, particularly on platforms such as LinkedIn.