Fake Resumes and Malicious npm Packages: New Attack Vector Targeting Enterprise Credentials and Crypto Assets
- Mar 24
- 3 min read
Key Findings
- Campaign named FAUX#ELEVATE targets French-speaking corporate environments using fake resume documents delivered via phishing emails
- Heavily obfuscated VBScript files contain only 266 lines of executable code out of 224,471 total lines, with the rest being junk comments to evade detection
- Attack completes the full infection chain in approximately 25 seconds, from initial execution through credential exfiltration
- Malware exclusively targets domain-joined enterprise machines using WMI domain-join gates, excluding standalone systems
- Attack leverages legitimate services including Dropbox for payload staging, compromised Moroccan WordPress sites for C2 configuration, and mail.ru SMTP for credential exfiltration
- Stolen credentials and desktop files are exfiltrated using two compromised mail.ru accounts
- Monero cryptocurrency mining occurs persistently after initial compromise
Background
Securonix researchers identified an ongoing phishing campaign that combines credential theft, data exfiltration, and cryptocurrency mining into a coordinated attack against corporate environments. The operation demonstrates sophisticated techniques for evading security controls while maintaining persistence on compromised systems. The campaign's use of legitimate infrastructure and services represents a living-off-the-land approach that makes detection and attribution more difficult.
Initial Infection Vector
The dropper file is a Visual Basic Script disguised as a resume or CV document. Upon execution, it displays a fraudulent French-language error message to deceive recipients into believing the file is corrupted. Behind the scenes, the heavily obfuscated script performs sandbox evasion checks and enters a persistent User Account Control loop requesting administrator privileges.
The file inflation technique is particularly notable. Out of 224,471 lines of code, only 266 lines contain actual executable instructions. The remaining lines consist of random English sentences used as junk comments, inflating the file size to 9.7 MB to potentially bypass security scanners.
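The inflation ratio described above is itself a usable triage signal: a script file with tens of thousands of lines where almost every line is a comment is unusual for legitimate administrative VBScript. The following Python is an added example written for this summary, not code from Securonix or from the campaign; it counts comment, blank and executable lines in a VBScript source and flags files whose executable share falls below a threshold. The thresholds (5,000 lines minimum, at most 1% executable) and the constructed sample script are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# VBScript comments start with an apostrophe or the Rem keyword.
COMMENT_RE = re.compile(r"^('|rem\b)", re.IGNORECASE)


@dataclass
class ScriptMetrics:
    total_lines: int
    comment_lines: int
    blank_lines: int
    executable_lines: int

    @property
    def executable_ratio(self) -> float:
        """Share of lines that are neither comments nor blank."""
        return self.executable_lines / self.total_lines if self.total_lines else 0.0


def vbs_metrics(source: str) -> ScriptMetrics:
    """Classify every line of a VBScript source as comment, blank or executable."""
    total = comment = blank = executable = 0
    for line in source.splitlines():
        total += 1
        stripped = line.strip()
        if not stripped:
            blank += 1
        elif COMMENT_RE.match(stripped):
            comment += 1
        else:
            # Trailing comments after code still count the line as executable.
            executable += 1
    return ScriptMetrics(total, comment, blank, executable)


def looks_inflated(m: ScriptMetrics, min_total: int = 5000, max_exec_ratio: float = 0.01) -> bool:
    """Heuristic: large file whose executable share is tiny (assumed thresholds)."""
    return m.total_lines >= min_total and m.executable_ratio <= max_exec_ratio


def analyze_file(path: str) -> ScriptMetrics:
    """Read a script from disk and compute its metrics (errors='replace' tolerates odd encodings)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return vbs_metrics(fh.read())


# Constructed junk sentences standing in for the random English comments
# the report describes; not taken from the actual sample.
JUNK = [
    "' The afternoon light settled gently over the quiet harbour.",
    "' She promised to return the book before the end of the week.",
    "' Nobody expected the train to arrive exactly on schedule.",
]


def build_constructed_sample(junk_lines: int = 6000) -> str:
    """Build a benign constructed script: four code lines spread among junk comments."""
    code = ["Option Explicit", "Dim greeting", 'greeting = "hello"', "WScript.Echo greeting"]
    step = junk_lines // len(code)
    out = []
    for i in range(junk_lines):
        out.append(JUNK[i % len(JUNK)])
        if (i + 1) % step == 0 and code:
            out.append(code.pop(0))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    metrics = vbs_metrics(build_constructed_sample())
    print(metrics, "inflated:", looks_inflated(metrics))
    # The ratio the report gives for the real dropper: 266 of 224,471 lines.
    print("reported sample ratio:", ScriptMetrics(224471, 224205, 0, 266).executable_ratio)
```

Run `analyze_file()` against quarantined `.vbs` attachments or mail-gateway captures; a hit is a reason to detonate the file in a sandbox, not a verdict on its own, since heavily commented but legitimate scripts exist. The thresholds should be tuned against the organisation's own script corpus.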
Enterprise Targeting
The malware uses Windows Management Instrumentation to perform domain-join detection, ensuring payloads only execute on corporate machines connected to Active Directory. This selective targeting ensures attackers compromise systems with valuable corporate credentials and computing resources worth hijacking for mining operations. Standalone home systems are completely excluded from the infection chain.
Security Bypass and Persistence
Once administrative privileges are obtained, the dropper immediately disables security controls. It configures Microsoft Defender exclusion paths for all primary drive letters from C through I, disables User Account Control via Windows Registry modification, and deletes itself to cover its tracks.
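The two configuration changes in this step, Defender exclusions on whole drive roots and UAC disabled through the registry, are both visible as registry value-set events, and seeing them together from a script host within seconds is a strong indicator of this chain. The Python below is an added detection example written for this summary, not Securonix's tooling. It parses a constructed, simplified key=value rendering of Sysmon Event ID 13 records (the real key paths `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\<drive>` and `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA`), raises a finding for each change, and correlates them per host inside a 60-second window. The log format, host names, the `wscript.exe` image path and the window length are assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Real registry locations; "HKLM\..." is how Sysmon Event ID 13 reports TargetObject.
DRIVE_ROOT_EXCLUSION = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\[A-Z]:\\?$", re.I
)
UAC_ENABLELUA = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
# key=value fields; values may contain spaces, so stop only before the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_line(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def dword_is_zero(details: str) -> bool:
    """Sysmon renders DWORD data as 'DWORD (0x00000000)'; true when the value is 0."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return bool(m) and int(m.group(1), 16) == 0


def detect(lines, window_seconds: int = 60) -> list:
    """Emit per-event findings plus one chain finding per host when both changes co-occur."""
    findings = []
    per_host = defaultdict(list)  # host -> [(kind, timestamp)]
    for ev in map(parse_line, lines):
        if ev.get("event") != "13":
            continue  # only registry value-set events matter for this rule
        host, target, details = ev.get("host", "?"), ev.get("target", ""), ev.get("details", "")
        if DRIVE_ROOT_EXCLUSION.match(target):
            findings.append(Finding(host, "defender_drive_root_exclusion", target))
            per_host[host].append(("excl", ev["ts"]))
        elif target.lower() == UAC_ENABLELUA.lower() and dword_is_zero(details):
            findings.append(Finding(host, "uac_disabled", f"{target} -> {details}"))
            per_host[host].append(("uac", ev["ts"]))
    for host, hits in per_host.items():
        if {"excl", "uac"} <= {kind for kind, _ in hits}:
            times = [t for _, t in hits]
            span = (max(times) - min(times)).total_seconds()
            if span <= window_seconds:
                n = sum(1 for kind, _ in hits if kind == "excl")
                findings.append(Finding(
                    host, "faux_elevate_like_chain",
                    f"{n} drive-root exclusions and UAC disabled within {span:.0f}s"))
    return findings


def summarize(findings) -> Counter:
    return Counter(f.rule for f in findings)


def _exclusion_line(second: int, drive: str) -> str:
    # Constructed telemetry line for a Defender path exclusion on a drive root.
    return (f"2026-03-24T10:00:0{second}Z host=WS01 event=13 "
            "image=C:\\Windows\\System32\\wscript.exe "
            "target=HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
            + drive + ":\\ details=DWORD (0x00000000)")


# Constructed sample telemetry (not from the report): WS01 shows the pattern the
# write-up describes (exclusions C through I, then EnableLUA=0); WS02 is benign.
SAMPLE_LOGS = [_exclusion_line(i, d) for i, d in enumerate("CDEFGHI", start=1)] + [
    "2026-03-24T10:00:08Z host=WS01 event=13 image=C:\\Windows\\System32\\wscript.exe "
    "target=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA "
    "details=DWORD (0x00000000)",
    "2026-03-24T10:05:00Z host=WS02 event=13 image=C:\\Windows\\System32\\mmc.exe "
    "target=HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Backup "
    "details=DWORD (0x00000000)",
    "2026-03-24T10:05:30Z host=WS02 event=1 image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f.host, f.rule, f.detail)
    print(summarize(detect(SAMPLE_LOGS)))
```

A subfolder exclusion added by an administrator (the WS02 line) does not match, because the rule only fires on whole drive roots; the chain finding is what deserves the high-severity routing, since a single exclusion or a single UAC change has legitimate explanations on its own. Windows Defender operational log Event ID 5007 (configuration change) is an independent source for the exclusion half of this correlation on hosts without Sysmon.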
The dropper then fetches two password-protected 7-Zip archives from Dropbox. The gmail2.7z archive contains executables for credential theft and cryptocurrency mining, while gmail_ma.7z contains utilities for maintaining persistence and performing cleanup operations.
Credential Theft Mechanisms
The malware leverages ChromElevator to extract sensitive data from Chromium-based browsers by bypassing app-bound encryption protections. Additional credential theft tools include mozilla.vbs for stealing Firefox profiles and credentials, and walls.vbs for exfiltrating desktop files.
Stolen browser data is exfiltrated through SMTP using two compromised mail.ru sender accounts that share the same password. The stolen credentials and files are sent to an attacker-controlled email address at vladimirprolitovitch@duck.com.
Cryptocurrency Mining Component
The attack deploys XMRig, a legitimate cryptocurrency miner, after retrieving mining configuration from a compromised Moroccan WordPress site. The malware also uses WinRing0x64.sys, a legitimate Windows kernel driver, to unlock the CPU's full mining potential and maximize hash rates.
RuntimeHost.exe functions as a persistent Trojan component that modifies Windows Firewall rules and maintains periodic communication with the C2 server, ensuring the miner continues operating and receives updated instructions.
Forensic Evasion
Following credential theft and exfiltration, the attack chain initiates aggressive cleanup of all dropped tools to minimize forensic footprint. Only the miner and Trojan artifacts remain on the system, making post-compromise investigation significantly more difficult for security teams.
Sources
https://thehackernews.com/2026/03/hackers-use-fake-resumes-to-steal.html
https://thehackernews.com/2026/03/ghost-campaign-uses-7-npm-packages-to.html
https://www.linkedin.com/posts/securonix_hackers-use-fake-resumes-to-steal-enterprise-activity-7442274057632518144-Lx-G
https://x.com/TheCyberSecHub/status/2036485769293078797
https://x.com/Dinosn/status/2036515860345454660
https://www.instagram.com/p/DWRkFd6j5NJ/