FIN6 Skeleton Spider Escalates Enterprise Threats with More_eggs Campaigns

Threat Group: Skeleton Spider (aka FIN6, Gold Franklin, ITG08, TAAL, Camouflage Tempest, ATK88, MageCart Group 6, TA4557, White Giant)
Threat Type: Cybercrime Syndicate
Exploited Vulnerabilities: Credential theft, social engineering, cloud abuse (AWS, GoDaddy), PoS exploitation (historical)
Malware Used: More_eggs (MaaS by Golden Chickens/Venom Spider), historical: Trinity, FrameworkPOS, Ryuk, LockerGoga
Threat Score: 🔴 High (8.3/10) – Due to advanced social engineering tactics, evasive malware, use of legitimate services for obfuscation, and ransomware monetization pathways
Last Threat Observation: June 12, 2025
Overview
Skeleton Spider (FIN6) has evolved from targeting retail Point-of-Sale (PoS) systems to executing highly strategic social engineering campaigns aimed at HR professionals. Using trusted platforms like LinkedIn and Indeed, FIN6 deceives recruiters into manually visiting malicious resume sites hosted on AWS, which deliver the More_eggs malware via obfuscated ZIP/LNK chains. Their tactics now include CAPTCHA challenges, environmental detection for evasion, and living-off-the-land binaries for stealth. Organizations must adopt behavior-based detection, strong MFA, user training, and proactive threat hunting to counter this adaptive threat.
Introduction to FIN6 (Skeleton Spider)
Aliases and Historical Evolution
FIN6 has been tracked under various aliases and evolved operationally since 2014. Originally focusing on payment card data theft from PoS systems using malware like Trinity and FrameworkPOS, they later pivoted to Magecart-style e-skimming and, more recently, ransomware campaigns leveraging Ryuk and LockerGoga. They are associated with MITRE ATT&CK ID G0037.
Motivations and Target Sectors
FIN6 is financially motivated. Their campaigns have broadened from retail and hospitality to include HR departments across industries. The group's strategy now involves initial social engineering, credential theft, and lateral movement, with ransomware used as a secondary extortion layer.
| Common Name | MITRE ID | Aliases |
|---|---|---|
| FIN6 | G0037 | Skeleton Spider, Gold Franklin, ITG08, TAAL, Camouflage Tempest, ATK88, MageCart Group 6, TA4557, White Giant |
Detailed Analysis of Recent Campaigns
Initial Contact
FIN6 creates fake job seeker profiles and engages HR targets on professional platforms. After trust-building, they deliver phishing emails containing non-clickable resume URLs.
Email Crafting
Emails are constructed to avoid automated security tools by instructing the user to manually enter URLs into browsers. These URLs mimic applicant portfolios hosted on AWS, often registered via GoDaddy with fake names.
Malware Delivery Chain
After the CAPTCHA and environment checks pass, the site serves a ZIP archive containing a .LNK shortcut that executes JavaScript via wscript.exe. This launches More_eggs, which operates in-memory, evades detection, and establishes persistence through regsvr32.exe and logon scripts.
Technical Deep Dive: More_eggs
Capabilities
- Credential theft
- Active Directory reconnaissance
- Network discovery and data exfiltration
- Download and execution of additional payloads
Golden Chickens (Venom Spider)
More_eggs is a Malware-as-a-Service product developed by Golden Chickens. FIN6 licenses it, focusing instead on social engineering and exploitation.
Persistence
- Uses ie4uinit.exe, msxsl.exe, regsvr32.exe
- DLL injection
- Operates in memory with anti-debug/sandbox features
Obfuscation and Evasion
- AWS (CloudFront/S3) and GoDaddy domains
- CAPTCHA gates and human verification filters
- Non-hyperlinked URLs (typed manually by the recipient) to bypass email link scanners
- Geolocation filtering and browser fingerprinting
- Encrypted payloads and string obfuscation in scripts
Indicators of Compromise (IoCs)
Impact and Monetization
Historical Revenue Models
- PoS theft → card sale
- Magecart JavaScript skimming
- Ransomware (Ryuk, LockerGoga)
Credential Monetization
Stolen credentials facilitate broader access and extortion operations, sometimes sold or exchanged for other access kits.
Mitigation and Prevention
- User Awareness: HR-specific phishing recognition training
- Security Stack: EDRs monitoring wscript, regsvr32, LNK execution
- MFA: Phishing-resistant 2FA
- Log Monitoring: Anomalous domain lookups, AWS traffic analysis
- Patching: Apply OS and software updates regularly
- Network Design: Segment HR systems; apply least privilege
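To make the EDR monitoring items above concrete, here is an added example (not code from the report or any vendor) that scores constructed Windows process-creation events against the delivery chain described under Malware Delivery Chain (LNK running JavaScript via wscript.exe) and the persistence binaries listed under Persistence (regsvr32.exe, msxsl.exe, ie4uinit.exe). The event field names `image`, `parent_image` and `cmdline`, the rule names, and the sample paths are assumptions for illustration.

```python
import re

# Hypothetical event shape (constructed for this example): the fields a Sysmon
# Event ID 1 style record would expose: image, parent_image and cmdline.
LOLBINS = {"regsvr32.exe", "msxsl.exe", "ie4uinit.exe"}   # persistence binaries named in the report
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)        # where extracted ZIP contents land
USER_WRITABLE = re.compile(r"\\Users\\|\\ProgramData\\", re.IGNORECASE)    # heuristic: not under \Windows

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the rule names one process-creation event matches (empty list if benign)."""
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("cmdline", "")
    hits = []
    # Delivery: a shortcut opened from Explorer runs a script through wscript.exe
    if image == "wscript.exe" and parent == "explorer.exe" and SCRIPT_EXT.search(cmd):
        hits.append("lnk_to_wscript")
    # Delivery: the script runs from the temp folder where a ZIP was extracted
    if image == "wscript.exe" and TEMP_PATH.search(cmd):
        hits.append("script_from_temp")
    # Persistence: a report-named LOLBin loads something from a user-writable path
    if image in LOLBINS and USER_WRITABLE.search(cmd):
        hits.append("lolbin_" + image[:-4])
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not real indicators
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\hr\AppData\Local\Temp\resume_zip\resume.js"'},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\hr\AppData\Roaming\upd\x.dll"'},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\vendor.dll"},   # legitimate install, no hit
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" C:\Users\hr\Downloads\resume.docx'},  # normal HR activity, no hit
]

def triage(events):
    """Pair each alerting event's index with its matched rules; benign events are dropped."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := score_event(ev))]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS):
        print(idx, rules)
```

Only the first two constructed events alert: the wscript.exe launch from the temp folder matches both delivery rules, and the regsvr32.exe load from a user profile path matches the persistence rule, while the vendor installer and the Word document open produce no hits.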
Risk Assessment
Score Justification
- Sophisticated deception
- Abuse of cloud/CDN infrastructure
- Use of MaaS malware with in-memory persistence
- Credential and ransomware monetization models
Industry Risks
- All organizations with HR departments are potential targets
- Outsourced HR poses third-party risk
Conclusion
Skeleton Spider (FIN6) exemplifies the modern, modular cybercrime threat. From technical PoS attacks to advanced HR-targeted social engineering, they have evolved with the times. Their abuse of legitimate cloud services, adoption of memory-resident malware, and proactive evasion tactics demand vigilance, behavioral detection, and human-focused security culture as the cornerstone of defense.