Fake Resume Phishing Campaign Harvests Enterprise Credentials and Deploys Crypto Miners in French‑Speaking Corporations
What Happened — A phishing operation targeting French‑speaking corporate users distributes malicious VBScript files masquerading as résumé/CV documents. When opened, the script steals enterprise credentials and installs a cryptocurrency miner alongside information‑stealing payloads.
Why It Matters for TPRM —
- Credential theft can give attackers lateral movement into third‑party environments.
- Crypto‑miner deployment consumes resources, impacting service availability and cost.
- The use of seemingly innocuous résumé files increases the likelihood of successful compromise across multiple vendors.
Who Is Affected — Enterprises operating in French‑speaking regions across technology, finance, manufacturing, and professional services that accept résumé attachments.
Recommended Actions —
- Review and tighten email filtering rules for attachment types, especially VBScript and Office files.
- Enforce multi‑factor authentication (MFA) for all privileged accounts.
- Conduct phishing awareness training focused on social‑engineering tactics involving recruitment materials.
- Verify that endpoint detection and response (EDR) solutions can detect and block malicious script execution.
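To make the attachment-filtering recommendation concrete, the following added example (not taken from the source report) parses a message and flags script attachments, including names that put a document extension in front of the script extension. The extension lists, verdict names, and the sample message are assumptions constructed for illustration, and the check generalises from VBScript to other Windows Script Host file types.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed policy lists (not from the article): Windows Script Host file types,
# macro-enabled Office formats, and document extensions used as decoys.
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
MACRO_OFFICE_EXT = {".docm", ".dotm", ".xlsm", ".pptm"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".rtf", ".odt"}

def classify_attachment(filename):
    """Return (verdict, reason) for one attachment file name."""
    # Windows drops trailing dots and spaces, so normalise before matching.
    name = filename.strip().rstrip(". ").lower()
    suffixes = PurePosixPath(name).suffixes
    if not suffixes:
        return ("allow", "no extension")
    final = suffixes[-1]
    if final in SCRIPT_EXT:
        if len(suffixes) > 1 and suffixes[-2] in DECOY_EXT:
            return ("block", f"script {final} hidden behind decoy {suffixes[-2]}")
        return ("block", f"script extension {final}")
    if final in MACRO_OFFICE_EXT:
        return ("quarantine", f"macro-enabled Office file {final}")
    return ("allow", "extension not on the block list")

def scan_message(raw):
    """Return [(filename, verdict, reason)] for every non-allowed attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also reaches nested multipart containers
        fname = part.get_filename()
        if not fname:
            continue
        verdict, reason = classify_attachment(fname)
        if verdict != "allow":
            findings.append((fname, verdict, reason))
    return findings

def build_sample():
    """Constructed test message; attachment bodies are inert placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "Candidature - CV"
    msg.set_content("Bonjour, veuillez trouver mon CV ci-joint.")
    for name in ("CV_Jean_Dupont.pdf.vbs", "CV_Marie_Martin.pdf", "Lettre_motivation.docm"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Name-based checks are a first pass only; a gateway should also inspect file content, since an attachment can be renamed or placed inside an archive.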
Technical Notes — Attack vector: phishing with malicious VBScript disguised as résumé/CV. No specific CVE cited. Data types at risk: usernames, passwords, domain credentials. Malware payloads include credential harvesters and cryptocurrency miners (likely XMRig or similar). Source: The Hacker News