FIN6 Skeleton Spider Escalates Enterprise Threats with More_eggs Campaigns

Threat Group: Skeleton Spider (aka FIN6, Gold Franklin, ITG08, TAAL, Camouflage Tempest, ATK88, MageCart Group 6, TA4557, White Giant)
Threat Type: Cybercrime Syndicate
Exploited Vulnerabilities: Credential theft, social engineering, cloud abuse (AWS, GoDaddy), PoS exploitation (historical)
Malware Used: More_eggs (MaaS by Golden Chickens/Venom Spider), historical: Trinity, FrameworkPOS, Ryuk, LockerGoga
Threat Score: 🔴 High (8.3/10) – Due to advanced social engineering tactics, evasive malware, use of legitimate services for obfuscation, and ransomware monetization pathways
Last Threat Observation: June 12, 2025


Overview

Skeleton Spider (FIN6) has evolved from targeting retail Point-of-Sale (PoS) systems to executing highly strategic social engineering campaigns aimed at HR professionals. Using trusted platforms like LinkedIn and Indeed, FIN6 deceives recruiters into manually visiting malicious resume sites hosted on AWS, which deliver the More_eggs malware via obfuscated ZIP/LNK chains. Their tactics now include CAPTCHA challenges, environmental detection for evasion, and living-off-the-land binaries for stealth. Organizations must adopt behavior-based detection, strong MFA, user training, and proactive threat hunting to counter this adaptive threat.


Introduction to FIN6 (Skeleton Spider)

Aliases and Historical Evolution

FIN6 has been tracked under various aliases and evolved operationally since 2014. Originally focusing on payment card data theft from PoS systems using malware like Trinity and FrameworkPOS, they later pivoted to Magecart-style e-skimming and, more recently, ransomware campaigns leveraging Ryuk and LockerGoga. They are associated with MITRE ATT&CK ID G0037.

Motivations and Target Sectors

FIN6 is financially motivated. Their campaigns have broadened from retail and hospitality to include HR departments across industries. The group's strategy now involves initial social engineering, credential theft, and lateral movement, with ransomware used as a secondary extortion layer.

Common Name | MITRE ID | Aliases
FIN6 | G0037 | Skeleton Spider, Gold Franklin, ITG08, TAAL, Camouflage Tempest, ATK88, MageCart Group 6, TA4557, White Giant

Detailed Analysis of Recent Campaigns

Initial Contact

FIN6 creates fake job seeker profiles and engages HR targets on professional platforms. After trust-building, they deliver phishing emails containing non-clickable resume URLs.

Email Crafting

Emails are constructed to avoid automated security tools by instructing the user to manually enter URLs into browsers. These URLs mimic applicant portfolios hosted on AWS, often registered via GoDaddy with fake names.

Malware Delivery Chain

Once the CAPTCHA and environment checks pass, the site serves a ZIP archive containing a .LNK shortcut; opening the shortcut runs JavaScript through wscript.exe, which launches More_eggs. More_eggs runs in memory, evades detection, and establishes persistence through regsvr32.exe and logon scripts.


Technical Deep Dive: More_eggs

Capabilities

  • Credential theft
  • Active Directory reconnaissance
  • Network discovery and data exfiltration
  • Download and execution of additional payloads

Golden Chickens (Venom Spider)

More_eggs is a Malware-as-a-Service product developed by Golden Chickens. FIN6 licenses it, focusing instead on social engineering and exploitation.

Persistence

  • Uses ie4uinit.exe, msxsl.exe, regsvr32.exe
  • DLL injection
  • Operates in memory with anti-debug/sandbox features

Obfuscation and Evasion

  • AWS (CloudFront/S3) and GoDaddy domains
  • CAPTCHA gates and human verification filters
  • Non-hyperlinked URLs in email bodies to bypass link scanners
  • Geolocation filtering and browser fingerprinting
  • Encrypted payloads and string obfuscation in scripts

Impact and Monetization

Historical Revenue Models

  • PoS theft → card sale
  • Magecart JavaScript skimming
  • Ransomware (Ryuk, LockerGoga)

Credential Monetization

Stolen credentials facilitate broader access and extortion operations, sometimes sold or exchanged for other access kits.


Mitigation and Prevention

  • User Awareness: HR-specific phishing recognition training
  • Security Stack: EDR monitoring of wscript.exe, regsvr32.exe, and LNK execution
  • MFA: Phishing-resistant 2FA
  • Log Monitoring: Anomalous domain lookups, AWS traffic analysis
  • Patching: Apply OS and software updates regularly
  • Network Design: Segment HR systems; apply least privilege
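As an added example that is not part of this advisory, the following Python turns the EDR and log-monitoring guidance above into two process-tree rules matching the delivery chain (shortcut launching JavaScript through wscript.exe) and the persistence binaries named earlier (regsvr32.exe, msxsl.exe, ie4uinit.exe). All process events, paths and file names are constructed for the demonstration.

```python
"""Process-tree detection for the LNK -> wscript.exe -> LOLBin chain described above.
Added example (not from the original advisory); all events below are constructed."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Binaries the advisory names for More_eggs persistence/execution
LOLBINS = {"regsvr32.exe", "msxsl.exe", "ie4uinit.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf|vbs)\b", re.IGNORECASE)
# Locations where a ZIP pulled from a fake resume site is typically unpacked
USER_DROP_PATH = re.compile(r"\\(downloads|temp)\\", re.IGNORECASE)

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (pid, reason) alerts for suspicious chains in a batch of process events."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Rule 1: a script host runs a script file from a download/temp location
        if name in SCRIPT_HOSTS and SCRIPT_EXT.search(e.cmdline) and USER_DROP_PATH.search(e.cmdline):
            alerts.append((e.pid, f"{name} running script from user download path"))
        # Rule 2: a named LOLBin is a child of a script host (persistence/next stage)
        if name in LOLBINS and pname in SCRIPT_HOSTS:
            alerts.append((e.pid, f"{name} spawned by {pname}"))
    return alerts

# Constructed sample: one malicious chain plus two benign look-alikes
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\hr\Downloads\Candidate_Resume\resume.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\hr\AppData\Local\Temp\stage.dll"),
    # benign: logon script from a managed path, not a download location
    ProcEvent(400, 100, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\ProgramData\Corp\logon.vbs"),
    # benign: regsvr32 run by an installer, not by a script host
    ProcEvent(500, 1, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"),
]

def run_sample():
    return detect(SAMPLE_EVENTS)

if __name__ == "__main__":
    for pid, reason in run_sample():
        print(f"ALERT pid={pid}: {reason}")
```

The two benign events show why the rules key on parent process and script location rather than on the binary name alone, since wscript.exe and regsvr32.exe are routine on most Windows hosts.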

Risk Assessment

Score Justification

  • Sophisticated deception
  • Abuse of cloud/CDN infrastructure
  • Use of MaaS malware with in-memory persistence
  • Credential and ransomware monetization models

Industry Risks

  • All organizations with HR departments are potential targets
  • Outsourced HR poses third-party risk

Conclusion

Skeleton Spider (FIN6) exemplifies the modern, modular cybercrime threat. From technical PoS attacks to advanced HR-targeted social engineering, they have evolved with the times. Their abuse of legitimate cloud services, adoption of memory-resident malware, and proactive evasion tactics demand vigilance, behavioral detection, and human-focused security culture as the cornerstone of defense.


Sources: