Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner

Hackers are targeting French-speaking companies with fake resumes that install malware to steal data and mine cryptocurrency.

Key points

  • Deceptive Tactics: Attackers send phishing emails containing fake resumes that appear to be corrupted, tricking users into granting administrative permissions to "fix" the file.
  • Sophisticated Evasion: The malware uses massive amounts of "junk" code to hide its malicious instructions and specifically targets corporate computers while ignoring personal home devices.
  • Multi-Purpose Malware: Once inside, the software disables security settings, steals browser passwords and desktop files, and uses the computer’s power to mine Monero cryptocurrency.
  • Abuse of Trusted Services: The attackers use legitimate platforms like Dropbox and compromised WordPress sites to host their tools, making the malicious activity look like normal network traffic.
  • Rapid Execution: The entire infection process—from the initial click to the theft of sensitive data—takes only about 25 seconds.

Why it matters

This campaign highlights how attackers are increasingly using "living-off-the-land" techniques, which exploit legitimate software and services to bypass traditional security defenses. Because the malware is designed to hide its tracks and target only high-value corporate systems, it poses a significant threat to business data and network integrity.

Internet Published by info@thehackernews.com (The Hacker News)