TA4557 [1] [2] [3] [4] [5] [6] [7] [8] [9], a financially motivated threat actor [5] [7] [9], has been targeting recruiters with malware-laden emails since at least October 2023. They have recently adopted a new technique of directly emailing recruiters and applying to jobs on public job boards [9]. This article provides a detailed description of their attack tactics and the risks they pose.


TA4557 initiates contact with recruiters by expressing interest in an open role. If the target responds [9], the attack chain is set in motion. They provide a URL or attachment posing as a candidate resume [3] [4], directing the recipient to visit a fake resume website. To avoid detection, they sometimes refer to the domain name of their email address [3] [4] [9]. If the recipient visits the website [2] [3] [9], it mimics a candidate’s resume or job site and uses filtering to determine the next stage of the attack [9]. If the victim passes the filtering checks [9], they are directed to a CAPTCHA page that triggers the download of a zip file containing a shortcut file [2] [4] [9]. This shortcut file exploits legitimate software functions to download and execute a scriptlet [3] [4] [9], which drops a DLL in the %APPDATA%\Microsoft folder [3] [4] [9]. The DLL employs anti-sandbox and anti-analysis techniques and deploys the MoreEggs backdoor along with the MSXSL executable [9]. TA4557 is known for using the MoreEggs backdoor to establish persistence [9], profile the machine [9], and deliver additional payloads [4] [9]. They employ sophisticated social engineering techniques and tailor their lures to specific job opportunities [8] [9].

Proofpoint [2] [3] [4] [5] [6] [8] [9], a cybersecurity company [6], has been monitoring TA4557 since 2018 and has identified their unique tool and malware usage, campaign targeting [4] [9], and distinct attack chains [8] [9]. While there are overlaps with cybercrime groups FIN6 [9], Cobalt Group [1] [8] [9], and Evilnum [8] [9], TA4557 is tracked as a separate activity cluster. Detecting their malicious content is challenging due to their frequent changes in sender emails, fake resume domains [3] [4] [8] [9], and infrastructure [3] [4] [8] [9]. The campaign poses high risks of financial data theft and potentially intellectual property theft [6]. Organizations using third-party job postings should be aware of TA4557’s tactics [2] [7], as they have observed an increase in threat actors using benign messages to build trust before sending malicious content [2].


TA4557 is now targeting hiring managers and recruiters with a new campaign to spread the “moreeggs” backdoor malware [1]. They employ sophisticated social engineering tactics and bypass secure email gateways by directing victims to attacker-controlled websites. The moreeggs backdoor is a malware-as-a-service offering used by Russian cyber gangs FIN6 and Cobalt Group [1]. To protect against this threat [5], it is advised to educate individuals involved in hiring processes about social engineering techniques [5], avoid opening suspicious documents or clicking on suspicious links [5], deploy security solutions on all endpoints [5], analyze email content for anomalies [5], and keep operating systems and software up to date and patched [5]. Recruiters should update their user awareness training to mitigate the threat posed by TA4557 [3] [4].


[1] https://www.scmagazine.com/news/hiring-new-scam-campaign-means-resume-downloads-may-contain-malware
[2] https://www.csoonline.com/article/1257289/new-malware-is-using-direct-emails-to-hunt-the-head-hunters.html
[3] https://www.infosecurity-magazine.com/news/threat-actor-targets-recruiters/
[4] https://ciso2ciso.com/threat-actor-targets-recruiters-with-malware-source-www-infosecurity-magazine-com/
[5] https://www.itscnews.com/attack/proofpoint-exposes-sophisticated-social-engineering-attack-on-recruiters-that-infects-their-computers-with-malware/
[6] https://www.techrepublic.com/article/proofpoint-research-ta4557-threat/
[7] https://www.jsplaces.com/cso-online/12/12/2023/new-malware-is-using-direct-emails-to-hunt-the-head-hunters/
[8] https://securityonline.info/threat-group-ta4557-exploits-recruiters-for-malware-delivery/
[9] https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email