FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware
Source: https://thehackernews.com/2025/06/fin6-uses-aws-hosted-fake-resumes-on.html
AI Analysis
Technical Summary
FIN6, also tracked as Skeleton Spider, is a financially motivated group that historically targeted point-of-sale systems in the retail and hospitality sectors to steal payment card data and has more recently been associated with ransomware deployment. In the campaign described in the source article (based on DomainTools research) the group inverts the usual recruitment lure: its operators pose as job seekers, contact recruiters and hiring managers through LinkedIn and similar job platforms, build some rapport, and then send a link to a personal "resume" website. That site is hosted on Amazon Web Services infrastructure, which gives it a trusted hosting reputation, and it fingerprints visitors before serving anything: requests that look like automated scanners, VPN egress or non-Windows systems receive a harmless page, so URL-scanning products and analysts fetching the link from a sandbox often see nothing malicious. A visitor who passes the checks is handed a ZIP archive containing a Windows shortcut (LNK) file disguised as the resume; opening it runs a script that downloads More_eggs.

More_eggs is a JavaScript backdoor sold as a service by the Golden Chickens (Venom Spider) operation and used by several criminal customers, FIN6 among them. It runs under the Windows Script Host, profiles the infected machine, talks to its command-and-control server and can fetch and execute further payloads, which is how reconnaissance, credential theft and lateral movement follow the initial foothold. Its loader-style, modular design means the post-compromise tooling varies by customer and over time.

Abusing a legitimate cloud provider for hosting and a professional network for first contact complicates both blocking and attribution: AWS address space cannot simply be denied, and the initial approach arrives over a channel that corporate mail filtering never sees. This is an active campaign observed in the wild rather than a theoretical attack vector. No software vulnerability is exploited, so patching does not help; the high severity rating reflects how reliably a recruiter can be induced to open a file they asked for.
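The first-stage artifact described above, a resume archive whose interesting member is a shortcut rather than a document, can be triaged before it reaches a recruiter. The following Python example is added here for illustration and is not code from the source article or from any vendor report. It builds a constructed sample archive (a benign placeholder PDF plus a file carrying only the fixed shortcut header) and flags members by LNK magic bytes, by executable extension and by the "resume.pdf.lnk" double-extension pattern. The sample file names and the extension lists are assumptions to adjust per environment.

```python
from __future__ import annotations
import io
import zipfile
from dataclasses import dataclass

# A Windows shortcut begins with HeaderSize 0x0000004C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK); both values are fixed.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
# Extensions that execute when double-clicked (assumed list; extend for your estate).
EXEC_EXTS = {".lnk", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".exe", ".scr"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


@dataclass(frozen=True)
class Finding:
    member: str
    reason: str


def _extensions(name: str) -> list[str]:
    """Every dotted suffix of the base name, e.g. 'a.pdf.lnk' -> ['.pdf', '.lnk']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def triage_archive(data: bytes) -> list[Finding]:
    """Flag archive members that look like a scripted first stage rather than a document."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # 20 bytes is enough to recognise a shortcut
            if head == LNK_MAGIC:
                findings.append(Finding(info.filename, "shortcut (LNK) header"))
            if exts and exts[-1] in EXEC_EXTS:
                findings.append(Finding(info.filename, f"executable extension {exts[-1]}"))
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in EXEC_EXTS:
                findings.append(Finding(info.filename, "document extension masquerade"))
    return findings


def suspicious_members(data: bytes) -> set[str]:
    return {f.member for f in triage_archive(data)}


def build_sample_zip() -> bytes:
    """Constructed sample, not a real lure: one placeholder PDF and one shortcut whose
    name displays as 'Candidate_Resume.pdf' because Explorer never shows .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Cover_Letter.pdf", b"%PDF-1.4\n%constructed placeholder\n%%EOF\n")
        # Header only (0x4C bytes); no target, arguments or other shortcut data follow.
        zf.writestr("Candidate_Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_zip()):
        print(f"{f.member}: {f.reason}")
```

Explorer hides the .lnk extension even when "hide extensions for known file types" is turned off, so Candidate_Resume.pdf.lnk is shown to the recruiter as Candidate_Resume.pdf with a document icon and a small arrow overlay; checking the header rather than the visible name is what catches it. The magic check reads only 20 bytes per member, so it is cheap enough to run on every inbound archive at the mail gateway or in an upload handler.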
Potential Impact
For European organizations the exposed population is anyone who receives unsolicited resumes as part of their job: recruiters, HR staff and hiring managers, who are expected to open documents from strangers every day and who often sit outside the security team's usual phishing-awareness focus. Finance, retail and technology employers that recruit heavily through LinkedIn are the most natural targets. A successful infection gives the operators a foothold on a corporate workstation under the recruiter's credentials, from which More_eggs can profile the environment, pull down additional tooling and support lateral movement, data theft and ransomware deployment; because the backdoor is a loader, the operators can change what they drop after the initial compromise, so dwell time can be long. Hosting the lure on AWS means URL-reputation and domain allow-listing controls offer little protection, and the fingerprinting on the lure site means security scanners may never see the malicious content at all. A breach that exposes candidate or employee personal data, or payment data, falls squarely under GDPR and can bring regulatory penalties on top of operational disruption and reputational damage. Remote and hybrid recruiting increases exposure, since more of the hiring process happens through messaging platforms and downloaded files rather than in person.
Mitigation Recommendations
European organizations should layer defenses around this specific delivery chain (job-platform contact, AWS-hosted lure site, archived shortcut, script-host loader) rather than rely on generic phishing controls. Specific recommendations:

1) Inspect what a "resume" actually is before it reaches a recruiter. A resume delivered as a ZIP, or an archive containing a Windows shortcut (LNK), a script (JS, JSE, VBS, WSF, HTA) or an executable, should be quarantined at the mail and web gateway regardless of the hosting provider. Do not allow-list AWS domains as a class; reputation checks must run on the full URL and the served content, with the caveat that the lure site serves benign content to sandboxes and non-Windows clients, so a clean detonation result is weak evidence.
2) Remove the execution path More_eggs needs. Restrict wscript.exe, cscript.exe and mshta.exe for users who do not need them with AppLocker or Windows Defender Application Control, or disable Windows Script Host through its registry policy, and reassociate .js, .jse, .vbs and .wsf files with Notepad so that a double-click opens them rather than runs them.
3) Tune EDR for the behaviors rather than the hashes: explorer.exe spawning cmd.exe, wscript.exe or powershell.exe with a working directory in Downloads or an archive extraction folder, script hosts running files from user-writable paths or passing //E: engine overrides, and any outbound connection initiated by a script host. Lure domains are named after the fake persona and rotate, so hash and domain indicators age quickly.
4) Train the people who are actually targeted. Recruiters and hiring managers should be shown the specific scenario: a candidate who sends a link to a personal website instead of attaching a document, and a resume that arrives as a ZIP or that carries a shortcut arrow in Explorer. Give them a safe path, such as opening candidate files only inside the applicant-tracking system or an isolated viewer.
5) Limit what a compromised recruiter account is worth: phishing-resistant MFA on mail, LinkedIn and the applicant-tracking system, no local administrator rights on recruiting workstations, and segmentation so that an HR endpoint cannot reach payment, finance or domain-controller systems directly.
6) Monitor egress for archive downloads by HR staff from recently registered or cloud-hosted domains, and alert on script-host network connections; when investigating, correlate these with the job-platform contact that preceded them.
7) Report fake candidate profiles to LinkedIn and hosting abuse to AWS so the lure infrastructure is taken down, and share the persona names internally so other recruiters recognize the same approach.
8) Update incident response playbooks with a recruiter-workstation compromise scenario. More_eggs is a loader, so an infection must be treated as the start of a ransomware or data-theft intrusion: look for follow-on tooling, credential dumping and lateral movement, not only the initial script.
9) Consume threat intelligence on FIN6 and on the Golden Chickens (More_eggs) malware-as-a-service, which other criminal groups also buy, so detections are not scoped to a single actor.

These measures go beyond generic advice by targeting the delivery mechanism and the execution dependencies of this campaign rather than its transient indicators.
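The EDR recommendation above asks for behavioral detections rather than indicator matching. The following Python example is added here and is not code from the source article or from any EDR vendor. It runs three rules over constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records: an interpreter launched by explorer.exe from a Downloads or Temp path (what a double-clicked shortcut looks like), a script host running a file from a user-writable path or forcing a script engine with //E:, and any outbound connection by a script host. The field names follow Sysmon; the path patterns, the sample events and the 203.0.113.0/24 address are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Interpreters a script-based loader relies on; mshta.exe included because it also runs script.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LAUNCHERS = SCRIPT_HOSTS | {"cmd.exe", "powershell.exe"}
# Where a downloaded archive, or one opened in place by Explorer, lands. Assumption:
# the user Downloads folder, any Temp folder and Explorer's "Temp1_<archive>" folder.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|Temp1_[^\\]+)\\", re.I)
# //E:<engine> forces a script engine regardless of extension, so JScript can be run
# from a file that ends in .txt or anything else.
ENGINE_OVERRIDE = re.compile(r"//e:\w+", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    detail: str


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(e: dict) -> list[Alert]:
    """Rules for a Sysmon Event ID 1 (process creation) record."""
    alerts: list[Alert] = []
    img, parent = _base(e["Image"]), _base(e["ParentImage"])
    cmd, cwd = e.get("CommandLine", ""), e.get("CurrentDirectory", "")
    # A double-clicked shortcut is launched by Explorer; a real resume never needs an interpreter.
    if parent == "explorer.exe" and img in LAUNCHERS and USER_WRITABLE.search(cwd + " " + cmd):
        alerts.append(Alert("explorer-launched interpreter from download/temp path", img, cmd))
    if img in SCRIPT_HOSTS and (USER_WRITABLE.search(cmd) or ENGINE_OVERRIDE.search(cmd)):
        alerts.append(Alert("script host running script from user-writable path", img, cmd))
    return alerts


def check_network(e: dict) -> list[Alert]:
    """Rule for a Sysmon Event ID 3 (network connection) record."""
    img = _base(e["Image"])
    if img in SCRIPT_HOSTS:
        return [Alert("script host initiated outbound connection", img,
                      f'{e["DestinationIp"]}:{e["DestinationPort"]}')]
    return []


def detect(events: list[dict]) -> list[Alert]:
    alerts: list[Alert] = []
    for e in events:
        if e["EventID"] == 1:
            alerts += check_process(e)
        elif e["EventID"] == 3:
            alerts += check_network(e)
    return alerts


# Constructed telemetry using Sysmon field names; not from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\hr\\Documents\\offer.docx"',
     "CurrentDirectory": "C:\\Users\\hr\\Documents\\"},
    {"EventID": 1,                                  # shortcut double-clicked in Downloads
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'cmd.exe /c start /b wscript.exe "%TEMP%\\Temp1_Candidate_Resume.zip\\Candidate_Resume.txt"',
     "CurrentDirectory": "C:\\Users\\hr\\Downloads\\"},
    {"EventID": 1,                                  # script host forced to treat .txt as JScript
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'wscript.exe "C:\\Users\\hr\\AppData\\Local\\Temp\\Temp1_Candidate_Resume.zip\\Candidate_Resume.txt" //E:jscript',
     "CurrentDirectory": "C:\\Users\\hr\\Downloads\\"},
    {"EventID": 3,                                  # loader calling out; 203.0.113.10 is documentation space
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1,                                  # benign: a text file opened from Downloads
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'notepad.exe "C:\\Users\\hr\\Downloads\\notes.txt"',
     "CurrentDirectory": "C:\\Users\\hr\\Downloads\\"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.image}: {a.detail}")
```

The first rule will also fire when an administrator opens a command prompt from a Downloads folder, and the second when a logon script is run by cscript.exe from a Temp path, so scope both to the recruiting and HR population or add parent-process exclusions before alerting. The third rule is the most durable: script hosts almost never have a legitimate reason to open a socket on a recruiter's workstation, and it needs no knowledge of the rotating lure domains.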
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Belgium, Italy
Technical Details
- Source Type: Subreddit (InfoSecNews)
- Reddit Score: 1
- Discussion Level: minimal
- Content Source: reddit_link_post
- Domain: thehackernews.com
- Newsworthiness Assessment: {"score":50.1,"reasons":["external_link","trusted_domain","newsworthy_keywords:malware","non_newsworthy_keywords:resume","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["malware"],"foundNonNewsworthy":["resume"]}
- Has External Source: true
- Trusted Domain: true
Threat ID: 68487cc01b0bd07c392fa3b5
Added to database: 6/10/2025, 6:43:12 PM
Last enriched: 7/10/2025, 6:47:52 PM
Last updated: 8/17/2025, 7:48:14 AM
Views: 9
Related Threats
- U.S. seizes $2.8 million in crypto from Zeppelin ransomware operator (High)
- How Exposed TeslaMate Instances Leak Sensitive Tesla Data (Medium)
- Researcher to release exploit for full auth bypass on FortiWeb (High)
- Top Israeli Cybersecurity Director Arrested in US Child Exploitation Sting (High)
- Elastic EDR 0-day: Microsoft-signed driver can be weaponized to attack its own host (Medium)