Eggs in a Cloudy Basket: Skeleton Spider’s Trusted Cloud Malware Delivery

FIN6 and Financially Motivated Cybercrime

Skeleton Spider, also known as FIN6, is a long-running financially motivated cybercrime group that has continually evolved its tactics to maximize impact and profit. While the group initially gained notoriety for point-of-sale (POS) breaches and large-scale payment card theft, it has since shifted to broader enterprise threats, including ransomware operations.

In recent years, FIN6 has sharpened its focus on social engineering campaigns that exploit professional trust. By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware. One of their preferred payloads is more_eggs, a stealthy JavaScript-based backdoor that facilitates credential theft, system access, and follow-on attacks, including ransomware deployment.

This research combines technical insights and practical analysis for both general audiences and cybersecurity professionals. We examine how FIN6 uses trusted cloud services, such as AWS, to host malicious infrastructure, evade detection, and ultimately deploy malware through socially engineered lures.

Phishing with Fake Resumes

FIN6 begins its attack by crafting phishing emails that impersonate job applicants. But their social engineering doesn't start in the inbox. The group has been observed initiating contact via professional job platforms like LinkedIn and Indeed, posing as enthusiastic job seekers and engaging with recruiters before following up with phishing messages. This adds a layer of authenticity and increases the chances of the recruiter trusting the source.

This phishing lure shows a professionally worded message from a fake applicant, using a non-clickable, no hyperlink ('bobbyweisman[.]com') to bypass automated link detection. This tactic forces the recipient to manually type the URL into their browser.

These messages are carefully written and contain no clickable links—an evasion technique that helps them bypass security filters. Instead, recipients are forced to manually type a URL, often obscured with added spaces, or underscores “_” such as (elizabethabarton. COM)

Notably, the domains used in these campaigns often follow a pattern where the attacker's domain mimics a real applicant by combining a first and last name (e.g., bobbyweisman[.]com, ryanberardi[.]com). These domains are typically registered anonymously through GoDaddy, adding a layer of obfuscation that complicates threat attribution and takedown efforts. By exploiting GoDaddy’s domain privacy services, FIN6 further shields the true registrant details from public view and takedown teams. Although GoDaddy is a reputable and widely used domain registrar, its built-in privacy features make it easy for threat actors to hide their identities.

Whois records for these domains typically show redacted ownership information and standardized proxy entries, often pointing to GoDaddy’s domain privacy service. Abuse reports can technically be submitted via contact email fields listed in the Whois, commonly abuse@godaddy.com; however, responses and enforcement timelines vary.

It is likely the actors behind these domains use disposable or fraudulent email addresses, anonymous or foreign IP addresses, and prepaid or stolen payment methods to create and maintain these accounts. Combined with the use of resume-themed domain names and impersonation techniques, this registration strategy allows FIN6 to keep their infrastructure alive just long enough to carry out active phishing campaigns while avoiding rapid takedown by security researchers or registrars.

Cloud-Hosted Malware Infrastructure

FIN6 hosts its phishing sites using trusted cloud infrastructure, including AWS. These platforms are appealing to attackers due to:

• Past observations of FIN6 leveraging Amazon CloudFront to obscure infrastructure and evade detection. By using CDN services like CloudFront, attackers can mask the origin of malicious content, making it harder for defenders to trace and block the true hosting source.
• Ease of setup using services like EC2 and S3
  
• Low cost with free-tier abuse or use of compromised billing accounts
  
• Cloud IP ranges that are often implicitly trusted by enterprise network filters
  
• Built-in scalability and the ability to rapidly provision disposable infrastructure

FIN6 often sets up landing pages on cloud-hosted domains that resemble personal resume portfolios. These domains are usually mapped to AWS EC2 instances or S3-hosted static sites, making them difficult to distinguish from legitimate personal or business hosting.

These landing sites are built with traffic filtering logic to distinguish between potential victims and unwanted analysis tools. If the visitor doesn't match specific criteria, the site serves only benign content, typically a plain-text version of the resume or an error page.

To evade detection and analysis, FIN6 deploys a combination of environmental fingerprinting and behavioral checks, including:

• IP reputation and geolocation – Traffic is filtered to allow access only from residential ISP ranges, excluding connections from cloud infrastructure, VPN services, or known threat intelligence networks.
• Operating system and browser fingerprinting – The site checks for typical Windows browser user-agent strings, such as Mozilla/5.0 (Windows NT 10.0; Win64; x64). Visitors using Linux, macOS, or uncommon browsers are blocked or shown harmless content.
• CAPTCHA verification techniques – The site presents a CAPTCHA (such as Google reCAPTCHA) that must be completed before allowing access to any downloadable content. This prevents automated analysis tools and headless browsers from easily interacting with the site. In many cases, the CAPTCHA is only triggered when the visitor meets initial filtering conditions, acting as a final gate to ensure human presence before delivering the payload.

These layered filters ensure that the malicious content is only delivered to actual human recruiters browsing from typical home or office setups, while blocking security scanners and automated crawlers.

If the request meets all conditions, the site returns a CAPTCHA and a fake resume interface that eventually offers a ZIP download. 

All the following domains have been confirmed as hosted on AWS infrastructure:

• bobbyweisman[.]com
• emersonkelly[.]com
• davidlesnick[.]com
• kimberlykamara[.]com
• annalanyi[.]com
• bobbybradley[.]net
• malenebutler[.]com
• lorinash[.]com
• alanpower[.]net
• edwarddhall[.]com

These sites often display a professional-looking fake resume, complete with a CAPTCHA to verify human access. Additionally, the attackers employ traffic filtering techniques to control who can access the malicious content. Only users appearing to be on residential IP addresses and using common Windows-based browsers are allowed to download the malicious document. If the visitor originates from a known VPN service, cloud infrastructure like AWS, or corporate security scanners, the site instead delivers a harmless plain-text version of the resume. This selective delivery tactic helps the malware infrastructure avoid detection and analysis. If conditions are met, the site delivers a malicious ZIP file to the visitor.

More_eggs Malware Delivery Chain

The malware delivery uses simple techniques wrapped in deceptive visuals:

• ZIP file contains a disguised .LNK (Windows shortcut) file
  
• LNK file executes hidden JavaScript using wscript.exe
  
• Payload connects to external resources and downloads the More_eggs backdoor

More_eggs, developed by the "Venom Spider," also known as "Golden Chickens," is a modular JavaScript backdoor offered as malware-as-a-service. It allows for command execution, credential theft, and follow-on payload delivery, often operating in memory to evade detection.

Common TTPs Observed:

• Initial Access: .zip archive containing .lnk file
• Execution: Uses LOLBins like ie4uinit.exe, regsvr32.exe, or msxsl.exe
  
• Persistence: Registry run keys or scheduled tasks
  
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<RandomName>
    
• C2 Communication: HTTPS with spoofed User-Agent headers
  
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    
• PowerShell Execution:
  
  • powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -EncodedCommand <Base64>

How to Defend Against These Attacks

For Recruiters and General Staff:

• Avoid manually typing in resume links from unknown senders
  
• Be cautious of CAPTCHA-protected resume sites
  
• Never download ZIP files unless verified by IT

For Security Teams:

• Monitor for outbound traffic to domains that appear recently re-registered or show signs of ownership change. These domains may have been benign in the past and are now being used for malicious purposes. This reuse can help attackers benefit from existing domain reputation and bypass domain age-based filters.
  
• Block execution of .lnk files inside ZIPs from untrusted sources
  
• Detect use of LOLBins executing PowerShell or JScript unexpectedly
  
• Implement EDR policies for scripting engine abuse (e.g., wscript.exe, msxsl.exe)
  
• Watch for persistence indicators in Windows registry and scheduled tasks

The Efficacy of Low-Complexity Phishing Campaigns

FIN6’s Skeleton Spider campaign shows how effective low-complexity phishing campaigns can be when paired with cloud infrastructure and advanced evasion. By using realistic job lures, bypassing scanners, and hiding malware behind CAPTCHA walls, they stay ahead of many detection tools.

Security teams and HR departments alike must stay informed and vigilant. Training, layered defenses, and early detection of unusual traffic or file types are critical to disrupting these types of attacks.

Stay informed. Stay alert. Stay safe.

IOCs on GitHub

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Skeleton-Spider-Trusted-Cloud-Malware-Delivery.csv

If the community has any additional input, please let us know.

Sign Up For DomainTools Investigations’ Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.