- A phishing campaign uses fake, obfuscated French-language resumes to deliver malware that mines cryptocurrency and steals data.
- The attack chain completes in just 25 seconds and specifically targets domain-joined corporate machines, excluding home systems.
- Threat actors abuse legitimate services like Dropbox, WordPress, and mail[.]ru for payload delivery, command-and-control, and data exfiltration.
- The malware disables security controls, deletes forensic evidence, and uses the official WinRing0 driver to maximize CPU mining.
A new phishing campaign, codenamed FAUX#ELEVATE, is actively targeting French-speaking businesses with fraudulent resumes that deploy cryptocurrency miners and information stealers, according to a report from Securonix researchers.
The campaign delivers highly obfuscated VBScript files disguised as corrupted documents. However, these scripts perform sandbox checks and repeatedly prompt for admin rights in a persistent UAC loop.
Consequently, a massive 9.7MB dropper file, containing only 266 lines of real code amidst junk text, springs into action. It first ensures execution only on enterprise systems by checking the domain-join status using WMI.
Once administrative access is granted, the malware swiftly disables Microsoft Defender and UAC before deleting itself. It then fetches password-protected toolkits from Dropbox containing credential stealers and a Monero miner.
The attackers use tools like ChromElevator to bypass browser encryption and steal data. Meanwhile, a separate component retrieves mining configuration from a compromised Moroccan WordPress site to run the XMRig miner at full capacity.
Stolen browser credentials and desktop files are exfiltrated via mail[.]ru SMTP servers to an attacker-controlled address. The researchers noted, “The full infection chain completes in approximately 25 seconds from initial VBS execution to credential exfiltration.”
Finally, the malware executes an aggressive cleanup of most dropped tools to minimize its forensic footprint. This leaves only the persistent miner and a trojan that modifies firewall rules on the compromised host.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
