I attended a cybersecurity briefing last month where a CISO from a Fortune 500 company admitted something unsettling: their team almost missed a breach because the initial entry point looked completely legitimate. That conversation keeps replaying in my mind as I examine a newly documented phishing campaign that weaponizes one of the most innocuous documents in corporate life—the job resume.
According to researchers at Securonix, an ongoing attack dubbed FAUX#ELEVATE specifically targets French-speaking businesses with fake resume files that secretly deploy cryptocurrency mining software and credential-stealing tools. What makes this campaign particularly insidious isn’t just its technical sophistication but how it exploits the everyday rhythms of corporate hiring. HR departments receive hundreds of resumes weekly, making them an ideal camouflage for malicious payloads.
The attack begins with a phishing email containing what appears to be a candidate’s curriculum vitae. When an unsuspecting recruiter or hiring manager opens the attachment, they see a French-language error message suggesting the file is corrupted. That’s the decoy. Behind that manufactured frustration, a Visual Basic Script springs into action, running checks to detect whether it’s operating in a sandbox environment used by security researchers. The malware is patient and calculated, refusing to reveal itself unless conditions are perfect.
Here’s where things get technically fascinating yet deeply concerning. The script contains 224,471 lines of code, but only 266 lines actually do anything functional. The remaining content consists of junk comments filled with random English sentences, deliberately bloating the file to 9.7 megabytes. This inflation technique serves a dual purpose: it makes automated security scanning slower and helps the malware slip past detection systems that struggle with unusually large files.
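A defender can turn the bloat itself into a signal. The following triage helper is an added example, not code from the article or from Securonix: it reads a VBScript file, separates comment lines (apostrophe or `Rem`) from functional ones, and flags files whose functional fraction is tiny while the file is large. The thresholds, the `build_sample` helper and its filler text are assumptions constructed here for illustration; the sample is a harmless script padded the way the article describes.

```python
"""Triage heuristic for comment-bloated scripts (added example, not the
article's or Securonix's code). Thresholds are illustrative assumptions."""
from dataclasses import dataclass
import re

# VBScript comment syntax: an apostrophe, or the keyword Rem at line start.
_COMMENT_RE = re.compile(r"^\s*(?:'|rem\b)", re.IGNORECASE)


@dataclass
class BloatReport:
    total_lines: int
    functional_lines: int
    comment_lines: int
    size_bytes: int
    suspicious: bool


def analyze_vbs(text: str, *, max_functional_ratio: float = 0.05,
                min_size_bytes: int = 1_000_000) -> BloatReport:
    """Count functional vs. comment lines and flag padded scripts.

    A file is marked suspicious when functional lines are at most
    `max_functional_ratio` of all lines AND the file is at least
    `min_size_bytes` long (both thresholds are assumptions)."""
    lines = text.splitlines()
    comment = functional = 0
    for line in lines:
        if not line.strip():
            continue  # blank lines carry no information either way
        if _COMMENT_RE.match(line):
            comment += 1
        else:
            functional += 1
    total = len(lines)
    size = len(text.encode("utf-8"))
    ratio = functional / total if total else 0.0
    suspicious = total > 0 and ratio <= max_functional_ratio and size >= min_size_bytes
    return BloatReport(total, functional, comment, size, suspicious)


def strip_comments(text: str) -> str:
    """Return only the functional lines, i.e. what an analyst actually reads."""
    return "\n".join(l for l in text.splitlines()
                     if l.strip() and not _COMMENT_RE.match(l))


def build_sample(junk_lines: int = 2000) -> str:
    """Constructed sample: three harmless statements buried in filler comments."""
    functional = ['Set fso = CreateObject("Scripting.FileSystemObject")',
                  'MsgBox "Bonjour"',
                  "WScript.Quit"]
    filler_a = "' " + "the quick brown fox jumps over the lazy dog " * 12
    filler_b = "' " + "lorem ipsum " * 40
    half = junk_lines // 2
    lines = ([filler_a] * half + functional[:2]
             + [filler_b] * (junk_lines - half) + functional[2:])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = analyze_vbs(build_sample())
    print(report)
    print("--- functional lines only ---")
    print(strip_comments(build_sample()))
```

Running the script on the constructed sample reports about two thousand comment lines against three functional ones and marks it suspicious; the same two counters on a normal script stay in a sane range. The ratio is cheap to compute before any emulation or sandbox run, which is exactly the stage the padding is meant to slow down.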
The malware also demonstrates remarkable selectivity in choosing its victims. Using Windows Management Instrumentation, it verifies whether the infected computer is joined to a corporate domain. If you’re working from a standalone home system, the attack simply doesn’t proceed. This targeting strategy ensures attackers maximize their return by focusing exclusively on enterprise environments where stolen credentials provide access to valuable corporate networks and resources.
Once the script confirms it’s running on a business machine, it launches an aggressive User Account Control loop that repeatedly prompts the user to grant administrator privileges. Most people, already frustrated by what they believe is a corrupted file, eventually click through these prompts just to make them stop. That moment of exasperation becomes the breach point.
With elevated privileges secured, the malware moves swiftly through its infection routine. Within approximately twenty-five seconds, it disables Microsoft Defender by configuring exclusion paths, turns off User Account Control through registry modifications, and deletes the original dropper file to eliminate evidence. That speed is the real problem for security teams: the window in which an analyst could notice the activity and intervene is effectively closed before an alert is raised.
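Because the post-elevation steps happen within seconds of each other and all descend from the same script host, they are easier to catch as a sequence than one at a time. The correlation rule below is an added example, not the article's or Securonix's detection logic: it parses constructed, EDR-style process-creation lines (the field layout, hostnames, user names, paths and PIDs are all assumptions), tags events that add a Defender exclusion, set `EnableLUA` to 0, or delete a script file, and raises an alert only when all three occur under one parent process inside a short window. A lone exclusion change by an administrator on another host is included to show it does not fire.

```python
"""Sequence correlation over process-creation events (added example, not the
article's or Securonix's code). Sample lines, field names, hosts, users and
paths are constructed assumptions in a generic EDR/Sysmon-like layout."""
from collections import defaultdict
from datetime import datetime
import re

SAMPLE_EVENTS = r"""
2025-01-14T09:12:01Z host=WS-HR-07 user=CORP\recruiter pid=4412 ppid=3300 image=C:\Windows\System32\wscript.exe cmd="wscript.exe C:\Users\recruiter\Downloads\CV_candidat.vbs"
2025-01-14T09:12:05Z host=WS-HR-07 user=CORP\recruiter pid=4520 ppid=4412 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -c Add-MpPreference -ExclusionPath C:\Users\recruiter\AppData"
2025-01-14T09:12:09Z host=WS-HR-07 user=CORP\recruiter pid=4533 ppid=4412 image=C:\Windows\System32\reg.exe cmd="reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"
2025-01-14T09:12:20Z host=WS-HR-07 user=CORP\recruiter pid=4601 ppid=4412 image=C:\Windows\System32\cmd.exe cmd="cmd /c del /f /q C:\Users\recruiter\Downloads\CV_candidat.vbs"
2025-01-14T10:40:00Z host=WS-IT-02 user=CORP\admin pid=900 ppid=880 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -c Add-MpPreference -ExclusionPath D:\Builds"
""".strip()

_LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) '
    r'ppid=(?P<ppid>\d+) image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$')


def parse_events(text: str) -> list[dict]:
    """Turn log lines into dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


# Each stage is (name, predicate). Individually these are ordinary admin
# actions; the rule fires only on their combination under one parent.
def _defender_exclusion(ev):
    c = ev["cmd"].lower()
    return "add-mppreference" in c and "-exclusionpath" in c


def _uac_disabled(ev):
    c = ev["cmd"].lower()
    return "enablelua" in c and re.search(r"/d\s+0\b", c) is not None


def _script_self_delete(ev):
    c = ev["cmd"].lower()
    return re.search(r"\bdel\b", c) is not None and c.endswith((".vbs", ".js", ".wsf"))


RULES = [("defender_exclusion", _defender_exclusion),
         ("uac_disabled", _uac_disabled),
         ("self_delete", _script_self_delete)]


def correlate(events: list[dict], window_seconds: float = 60.0) -> list[dict]:
    """Alert when every stage occurs under the same (host, parent pid)
    within `window_seconds`; the first occurrence of each stage is used."""
    stages = defaultdict(dict)  # (host, ppid) -> stage name -> first timestamp
    for ev in events:
        for name, pred in RULES:
            if pred(ev):
                stages[(ev["host"], ev["ppid"])].setdefault(name, ev["ts"])
    alerts = []
    for (host, ppid), seen in stages.items():
        if len(seen) < len(RULES):
            continue
        span = (max(seen.values()) - min(seen.values())).total_seconds()
        if span <= window_seconds:
            alerts.append({"host": host, "parent_pid": ppid, "elapsed_s": span,
                           "stages": sorted(seen, key=seen.get)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed data the rule yields one alert for the HR workstation, with the three stages fifteen seconds apart under the script host's PID, and nothing for the administrator's lone exclusion change. Keying on the parent process rather than the host alone is what keeps the false-positive rate tolerable when the same commands are also run legitimately.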
The payload arrives in two password-protected archives hosted on Dropbox, a choice that highlights how attackers abuse legitimate cloud services to avoid suspicion. One archive contains tools for stealing data and mining Monero cryptocurrency, while the other includes utilities for maintaining persistence and cleaning up forensic traces. Using trusted platforms like Dropbox makes traffic filtering nearly impossible since blocking the service entirely would disrupt legitimate business operations.
Among the deployed tools is a component leveraging the ChromElevator project, which bypasses app-bound encryption protections in Chromium-based browsers like Chrome and Edge. This allows attackers to extract saved passwords, payment information, and session cookies. Another script targets Mozilla Firefox profiles, while a separate component exfiltrates files directly from the desktop, capturing whatever documents users consider important enough to keep readily accessible.
The cryptocurrency mining component retrieves its configuration from compromised WordPress sites in Morocco, demonstrating how attackers chain together vulnerabilities across different victims to create resilient infrastructure. The miner also deploys a legitimate Windows kernel driver called WinRing0x64, which unlocks full CPU potential for mining operations. This detail reveals sophisticated technical knowledge since manipulating kernel-level components requires understanding Windows architecture at a fundamental level.
Stolen credentials are sent over SMTP through mail.ru email accounts to a recipient address hosted at duck.com. The use of Russian email infrastructure combined with privacy-focused email services creates jurisdictional complications for law enforcement while providing attackers operational security. According to Securonix’s analysis, this multi-layered exfiltration approach ensures data reaches its destination even if one communication channel gets disrupted.
After credential theft completes, the malware initiates an aggressive cleanup phase, deleting most dropped tools while preserving only the cryptocurrency miner and a persistent trojan component. This selective erasure complicates forensic investigation since the most obvious malicious files disappear while subtler components continue operating indefinitely. The trojan modifies Windows Firewall rules and maintains periodic contact with command-and-control servers, ensuring attackers retain access even after the initial infection artifacts vanish.
This campaign exemplifies what security professionals call “living off the land” tactics, where attackers use legitimate tools and services to blend into normal network traffic. When malware communicates through Dropbox or uses authentic Windows drivers, distinguishing malicious activity from legitimate business operations becomes far harder. Traditional signature-based detection fails because the individual components aren’t inherently malicious.
The French-language focus suggests either attackers targeting specific geographic markets or testing techniques before expanding to other languages. Localization indicates planning and research since effective phishing requires cultural and linguistic authenticity. A poorly translated resume immediately raises suspicion, but one crafted with proper idioms and formatting passes initial scrutiny.
For organizations, this campaign underscores uncomfortable truths about modern cybersecurity. Perimeter defenses matter less when attacks arrive through expected communication channels disguised as routine business documents. Employee training helps but remains insufficient when malware operates this quickly and relies on legitimate-seeming prompts. The twenty-five-second execution window leaves virtually no time for human intervention.
The persistent cryptocurrency mining represents ongoing resource theft that degrades system performance and increases electricity costs. More critically, the stolen credentials provide attackers persistent access to corporate networks, enabling future attacks ranging from ransomware deployment to intellectual property theft. What begins as resume fraud potentially escalates into catastrophic breaches.
Moving forward, organizations should enforce domain policies that restrict administrative privilege escalation on workstations, deploy behavioral analysis tools that detect unusual script execution patterns, and establish strict policies around opening unsolicited attachments regardless of apparent legitimacy. The resume will always remain a necessary part of hiring, but how we handle these documents digitally requires fundamental reconsideration in an era where every file potentially conceals sophisticated threats.