## What’s happening

A phishing campaign is distributing fake resume/CV files that are actually highly obfuscated scripts. When executed, the malware chain can steal credentials, exfiltrate data, and deploy cryptocurrency mining payloads (including Monero mining).

## Why it matters

Recruitment and HR workflows often involve opening documents from unknown senders, creating a predictable path for attackers. Once inside, credential theft can lead to broader account takeover and lateral movement—well beyond the initial machine.

## Notable tactics (from reporting)

- Resume-themed lures aimed at corporate targets

- Script-based execution with heavy obfuscation

- Use of legitimate platforms for payload staging and as exfiltration infrastructure

## Defensive steps

- Block or sandbox script execution from email attachments (VBScript/WSH, LNK, ISO, etc.).

- Route candidate documents through a secure upload portal rather than email attachments.

- Enforce MFA and monitor for suspicious session behavior.

- Add detections for suspicious child processes (e.g., email client spawning script hosts).
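A detection for the last step, as an added example (it is not from the brief and not any product's rule): it flags process-creation events whose parent is an e-mail client and whose child is a script host. The event shape, field names and the client/host image lists are assumptions, and the sample events are constructed.

```python
# Added example (not from the original brief): flag process-creation events where an
# e-mail client spawns a script host, the parent/child pattern the brief recommends
# detecting. Records are constructed in a Sysmon-like shape; field names and the
# parent/child image lists are assumptions, not a specific product schema.
import ntpath
from typing import Iterable

# Assumption: common Windows e-mail clients and script/command hosts (image file names).
EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "olk.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                "powershell.exe", "pwsh.exe", "cmd.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_suspicious(event: dict) -> bool:
    """True when an e-mail client is the direct parent of a script host."""
    return (_basename(event.get("ParentImage", "")) in EMAIL_CLIENTS
            and _basename(event.get("Image", "")) in SCRIPT_HOSTS)


def find_alerts(events: Iterable[dict]) -> list[dict]:
    """Return only the process-creation events that match the detection."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'wscript.exe "C:\Users\hr\AppData\Local\Temp\Resume_JDoe.vbs"'},
    # Benign: the mail client opening a document in Word.
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'WINWORD.EXE /n "C:\Users\hr\Downloads\JDoe_CV.docx"'},
    # Benign: an admin script launched from Explorer, not from a mail client.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\ops\backup.ps1"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", _basename(alert["ParentImage"]), "->", alert["CommandLine"])
```

In production the same parent/child logic belongs in the EDR or SIEM rule language; the point is the parent-image check, which a command-line-only rule misses.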

## Local takeaway

Organizations should treat HR inboxes like privileged entry points. A small process change—“no attachments, portal only”—can remove an entire class of attack.