Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner
Sophisticated Phishing Campaign Targets French Corporations with Malware Disguised as Fake Resumes
In a chilling demonstration of modern cyber warfare, threat actors have launched an elaborate phishing campaign specifically targeting French-speaking corporate environments. This attack, meticulously crafted to bypass traditional security measures, leverages the universal language of employment—the resume—to deliver a devastating payload of cryptocurrency miners and information stealers.
The Anatomy of FAUX#ELEVATE: A Masterclass in Social Engineering
Cybersecurity researchers at Securonix have uncovered this sophisticated operation, codenamed FAUX#ELEVATE, which represents a significant evolution in phishing tactics. The campaign’s brilliance lies in its exploitation of legitimate services and infrastructure, creating a living-off-the-land attack that raises the bar for corporate cybersecurity defenses.
The attack begins with what appears to be a standard job application—a Visual Basic Script (VBScript) file disguised as a resume or CV document. These files are delivered through carefully crafted phishing emails that have already proven successful in penetrating corporate email systems across French-speaking business sectors.
The Deception: A 9.7MB Trojan Horse
What makes this campaign particularly insidious is the sheer scale of deception employed. The malicious VBScript file contains a staggering 224,471 lines of code, but here’s the catch: only 266 lines contain actual executable code. The remaining 224,205 lines consist of random English sentences and comments, artificially inflating the file to 9.7MB.
This massive size serves multiple purposes. First, it creates the illusion of a legitimate, complex document. Second, the bulk itself helps the script evade detection: many scanning engines and sandboxes skip or truncate files above a size threshold, and 266 real lines are easy to miss among 224,205 lines of filler. Third, when executed, the script displays a French-language error message stating that the file is corrupted, a misdirection that convinces victims the document failed to open while the malware silently executes in the background.
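A defender-side triage heuristic for the padding trick described above, written as an added example (not code from Securonix or from the campaign): it classifies each line of a VBScript file as blank, comment, uncommented English prose or code, and flags a large file that is almost entirely filler. The sample script and the size/ratio thresholds are constructed for this example.

```python
import re

# Added analysis helper (not code from Securonix or from the campaign itself):
# estimate how much of a VBScript file is filler, the trait of the
# FAUX#ELEVATE lure (224,471 lines, only 266 executable).

# A line that reads like an English sentence: starts with a letter, has no
# VBScript operators or quotes, and ends with sentence punctuation.
PROSE_LINE = re.compile(r'^[A-Za-z][^=()"]*[.!?]$')

def classify_line(line: str) -> str:
    """Return 'blank', 'comment', 'prose' or 'code' for one VBScript line."""
    s = line.strip()
    if not s:
        return "blank"
    low = s.lower()
    if s.startswith("'") or low == "rem" or low.startswith("rem "):
        return "comment"
    if PROSE_LINE.match(s) and len(s.split()) >= 4:
        return "prose"          # uncommented English filler
    return "code"

def padding_report(text: str) -> dict:
    """Count line classes and flag a large file that is almost all filler."""
    counts = {"blank": 0, "comment": 0, "prose": 0, "code": 0}
    for line in text.splitlines():
        counts[classify_line(line)] += 1
    total = sum(counts.values())
    filler = total - counts["code"]
    counts["total"] = total
    counts["filler_ratio"] = round(filler / total, 4) if total else 0.0
    # Thresholds are assumptions for this example, not tuned detection values.
    counts["suspicious"] = total >= 1000 and counts["filler_ratio"] >= 0.95
    return counts

# Constructed sample: three real statements buried under repeated filler.
FILLER = [
    "' The quarterly review went better than anyone expected.",
    "Rem Please remember to water the plants on Friday.",
    "Our team enjoyed the conference in Lyon last spring.",
    "",
]
CODE = [
    'Set sh = CreateObject("WScript.Shell")',
    'MsgBox "Le fichier est corrompu.", 16, "Erreur"',
    "sh.Run cmd, 0, True",
]
SAMPLE = "\n".join(FILLER * 300 + CODE)

if __name__ == "__main__":
    print(padding_report(SAMPLE))
```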
The Persistence Loop: Demanding Administrative Access
After the fake error message, the malware moves to gain elevated rights. It enters a User Account Control (UAC) loop, repeatedly prompting the user to approve administrator privileges until consent is given. This social engineering tactic exploits the natural human tendency to comply with system requests, especially when they follow what looks like a legitimate error message.
The malware also implements a domain-join gate using Windows Management Instrumentation (WMI): it checks whether the host belongs to a Windows domain and delivers its payloads only to machines that do. This selective targeting shows the attackers' focus on corporate environments, where valuable credentials and computing resources are available; it also means that a standalone analysis VM that is not domain-joined will never see the second-stage payloads, a point worth remembering when detonating the lure.
Disabling Defenses: A Surgical Strike on Security
Upon obtaining administrative privileges, the malware executes a rapid and comprehensive security neutralization protocol. It configures Microsoft Defender exclusion paths for all primary drive letters (C through I), effectively blinding Windows’ built-in antivirus to its activities. The malware then disables User Account Control (UAC) through a Windows Registry modification, eliminating future security prompts that might alert the user.
In a final act of digital self-preservation, the malware deletes itself from the system, leaving behind only the carefully selected tools it has deployed. This cleanup operation is designed to minimize forensic footprints and complicate incident response efforts.
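The two tampering marks described in this section (whole-drive Defender exclusions and UAC switched off) can be audited offline from a registry export. The following is an added example, not code from the article or from Securonix; the key paths are the standard locations for these settings (the article does not name them), and the .reg text is constructed.

```python
import re

# Added example, not code from the article or from Securonix: audit a
# Windows .reg export for the two tampering marks described above, whole-drive
# Defender exclusions and UAC switched off. The key paths below are the
# standard locations for these settings; the article itself does not name them.
EXCLUSION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")   # e.g. C:\  (excludes the whole drive)

def parse_reg(text: str) -> dict:
    """Minimal .reg parser: {key path: {value name: raw data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg escapes backslashes in value names as "\\"
            keys[current][name.strip('"').replace("\\\\", "\\")] = data.strip()
    return keys

def audit(reg: dict) -> list:
    """Return human-readable findings for the tampering marks we care about."""
    findings = []
    for name in reg.get(EXCLUSION_KEY, {}):
        if DRIVE_ROOT.match(name):
            findings.append(f"whole-drive Defender exclusion: {name}")
    if reg.get(UAC_KEY, {}).get("EnableLUA", "").lower() == "dword:00000000":
        findings.append("UAC disabled (EnableLUA=0)")
    return findings

# Constructed export: three drive roots excluded plus one legitimate folder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\"=dword:00000000
"D:\\"=dword:00000000
"E:\\"=dword:00000000
"C:\\Program Files\\Corp\\Backup"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005
"""

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```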
The Multi-Tool Arsenal: Credential Theft and Cryptocurrency Mining
The campaign’s true power lies in its multi-faceted approach to monetization. The malware fetches two password-protected 7-Zip archives from Dropbox, each containing specialized tools for different aspects of the attack:
Gmail2.7z contains:
- Data-stealing executables
- Cryptocurrency mining software
- Various credential harvesting tools
Gmail_ma.7z contains:
- Persistence mechanisms
- Cleanup utilities
- Additional attack infrastructure
Among the most concerning tools is a component leveraging the ChromElevator project, which extracts sensitive data from Chromium-based browsers by circumventing app-bound encryption (ABE) protections. This represents a significant advancement in browser data theft techniques, as ABE was specifically designed to prevent exactly this type of unauthorized access.
The Browser Data Heist
The malware employs multiple specialized tools for comprehensive browser data extraction:
- mozilla.vbs: A VBScript payload designed to steal Mozilla Firefox profiles and credentials
- walls.vbs: Another VBScript component focused on desktop file exfiltration
- ChromElevator-based tools: Advanced mechanisms for bypassing Chrome’s security protections
This multi-browser approach ensures that regardless of which web browser the victim uses, their sensitive data remains vulnerable to theft.
The Cryptocurrency Mining Operation
The attack chain includes mservice.exe, an XMRig cryptocurrency miner that represents the campaign’s profit-generating component. Once deployed, this miner retrieves its configuration from a compromised Moroccan WordPress site, demonstrating the attackers’ global infrastructure and their ability to exploit vulnerable web services worldwide.
To maximize mining throughput, the malware loads WinRing0x64.sys, a legitimate kernel driver that gives the miner direct low-level hardware access, which XMRig uses to tune the CPU for hashing. Loading a kernel driver requires administrative privileges, which is one reason the earlier UAC elevation step matters: without it the miner could not reach this performance level.
The Persistent Trojan Component
RuntimeHost.exe serves as the campaign’s persistent foothold within compromised systems. This component modifies Windows Firewall rules to ensure uninterrupted communication with command-and-control (C2) servers and periodically communicates with its operators to maintain control over infected machines.
The Exfiltration Infrastructure
The campaign’s data exfiltration infrastructure is equally sophisticated. Using two separate mail[.]ru sender accounts (“[email protected]” and “[email protected]”) that share the same password, the malware transmits stolen browser credentials and desktop files to a duck.com address operated by the threat actors (“[email protected]”).
This use of legitimate email infrastructure for exfiltration demonstrates the attackers’ understanding of how to blend malicious traffic with normal network activity, making detection significantly more challenging.
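One practical counter to the exfiltration channel described above: workstations normally have no reason to open SMTP sessions directly to an external mail provider, so egress logs can be scanned for exactly that. The following is an added detection example, not code from the article; the log format, the internal addresses, the sanctioned relay name and the timestamps are constructed assumptions, and only the mail.ru provider comes from the article.

```python
import re
from collections import defaultdict

# Added detection example, not code from the article: flag workstations that
# open SMTP sessions straight to external mail providers, which is how the
# campaign ships stolen data to mail.ru. Log format, subnet, relay name and
# timestamps are all assumptions constructed for this example.
SMTP_PORTS = {25, 465, 587}
ALLOWED_RELAYS = {"smtp.corp.example"}      # assumed sanctioned corporate relay
LOG_LINE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=\S+ dsthost=(?P<host>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def detect_smtp_egress(lines):
    """Return {source host: [(timestamp, destination host, port), ...]}
    for allowed outbound SMTP connections that bypass the sanctioned relay."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["action"] != "allow":
            continue                      # unparsable or already blocked
        port = int(m["dport"])
        if port in SMTP_PORTS and m["host"] not in ALLOWED_RELAYS:
            hits[m["src"]].append((m["ts"], m["host"], port))
    return dict(hits)

# Constructed firewall log: one workstation talking to mail.ru on 465/587,
# one using the corporate relay, one Dropbox download, one blocked attempt.
SAMPLE_LOG = [
    "2025-06-02T09:14:02Z src=10.20.3.41 dst=198.51.100.17 dsthost=smtp.mail.ru dport=465 action=allow",
    "2025-06-02T09:14:03Z src=10.20.3.41 dst=198.51.100.17 dsthost=smtp.mail.ru dport=465 action=allow",
    "2025-06-02T09:14:05Z src=10.20.3.41 dst=203.0.113.9 dsthost=smtp.mail.ru dport=587 action=allow",
    "2025-06-02T09:15:10Z src=10.20.3.77 dst=10.20.0.5 dsthost=smtp.corp.example dport=587 action=allow",
    "2025-06-02T09:16:44Z src=10.20.3.41 dst=203.0.113.50 dsthost=www.dropbox.com dport=443 action=allow",
    "2025-06-02T09:17:01Z src=10.20.3.90 dst=203.0.113.9 dsthost=smtp.mail.ru dport=465 action=deny",
]

if __name__ == "__main__":
    for src, sessions in detect_smtp_egress(SAMPLE_LOG).items():
        print(src, len(sessions), "unsanctioned SMTP sessions")
```

The check only works where the egress log records destination hostnames; with raw IPs only, the same logic applies after resolving or tagging the destinations.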
The Cleanup Operation
Once credential theft and exfiltration are complete, the malware initiates an aggressive cleanup operation. It systematically removes all dropped tools, leaving behind only the cryptocurrency miner and persistent trojan components. This final step is crucial for maintaining long-term access to the compromised system while minimizing the chances of detection through forensic analysis.
The Speed Factor: 25 Seconds to Compromise
What makes FAUX#ELEVATE particularly dangerous is the speed of execution. From the initial VBScript execution to complete credential exfiltration, the entire infection chain completes in approximately 25 seconds. This rapid deployment leaves security teams with minimal opportunity to detect and respond to the attack.
Technical Sophistication and Infrastructure Abuse
The campaign’s technical sophistication is evident in its abuse of legitimate services:
- Dropbox: Used for staging and delivering malicious payloads
- Moroccan WordPress sites: Hosting command-and-control configuration
- mail[.]ru SMTP infrastructure: Facilitating credential exfiltration
- Legitimate kernel drivers: Enhancing mining performance
This infrastructure abuse represents a significant challenge for security teams, as blocking these legitimate services could impact normal business operations.
Enterprise Impact and Selective Targeting
The FAUX#ELEVATE campaign’s selective targeting of domain-joined machines ensures that every compromised host provides maximum value through corporate credential theft and persistent resource hijacking. This strategic focus on enterprise environments demonstrates the attackers’ understanding of where the most valuable assets are located.
The Living-off-the-Land Evolution
This campaign represents a significant evolution in living-off-the-land attack techniques. By abusing legitimate services and infrastructure, the attackers have created a threat that is exceptionally difficult to detect and block without disrupting normal business operations.
Security Implications and Defense Strategies
The FAUX#ELEVATE campaign highlights several critical security implications:
- Email security remains the primary attack vector for corporate environments
- Traditional antivirus solutions may be insufficient against sophisticated, multi-stage attacks
- User awareness training is crucial but may not prevent all successful attacks
- Network segmentation and monitoring are essential for containing lateral movement
- Regular security audits can help identify and remove persistent threats
Conclusion: A Wake-Up Call for Corporate Security
The FAUX#ELEVATE campaign serves as a stark reminder of the evolving threat landscape facing corporate environments. Its combination of social engineering, technical sophistication, rapid execution, and infrastructure abuse creates a threat that is exceptionally difficult to defend against using traditional security measures.
Organizations must adopt a multi-layered security approach that includes advanced email filtering, endpoint detection and response (EDR) solutions, network monitoring, user training, and regular security assessments. Only through comprehensive security strategies can businesses hope to defend against increasingly sophisticated threats like FAUX#ELEVATE.
Tags
Phishing campaign, cryptocurrency mining, information stealer, VBScript malware, French corporations, living-off-the-land attack, Dropbox abuse, SMTP exfiltration, XMRig miner, Chrome data theft, enterprise targeting, rapid infection, security bypass, malware persistence, credential harvesting, social engineering, Windows Management Instrumentation, Microsoft Defender bypass, kernel driver abuse, command-and-control infrastructure, forensic cleanup, domain-join targeting, browser credential theft, malware obfuscation, 25-second infection, legitimate service abuse