Hackers Exploit Fake Resumes to Steal Enterprise Credentials and Deploy Cryptocurrency Miners
March 24, 2026 – By Ravie Lakshmanan
A sophisticated phishing campaign is currently targeting French-speaking corporate environments by distributing fake resumes designed to steal enterprise credentials and deploy cryptocurrency mining malware. Cybersecurity researchers from Securonix have uncovered this operation, which employs highly obfuscated Visual Basic Script (VBScript) files disguised as resume or CV documents.
The FAUX#ELEVATE Campaign
Dubbed FAUX#ELEVATE by Securonix, the campaign blends credential theft, data exfiltration, and cryptocurrency mining into a swift, highly evasive attack chain. The malware toolkit is notably complex and leverages legitimate services and infrastructure to evade detection and boost the attack’s effectiveness.
How the Attack Works
The attack begins with a phishing email containing a malicious VBScript file masquerading as a resume. When opened, the script displays a fake French-language error message so the victim believes the file is simply corrupted and does not grow suspicious. Meanwhile, the hidden script runs several evasion techniques, including sandbox detection and a UAC prompt loop that repeatedly asks the user to run the script with administrative privileges until they accept.
Surprisingly, the script contains 224,471 lines, of which only 266 are actual executable code. The rest are junk comments that pad the file to about 9.7 MB and further complicate analysis.
Once administrative rights are granted, the dropper disables security measures by:
- Adding Microsoft Defender exclusion paths for the drive roots of all primary drive letters (C through I), so nothing on those drives is scanned
- Disabling UAC through registry modifications
- Deleting the original dropper script to cover its tracks
Use of Legitimate Platforms and Domain-Join Safeguards
The attackers are abusing legitimate platforms for different stages of their operation:
- Dropbox is used to host payload archives.
- Moroccan WordPress sites serve as command-and-control (C2) servers, hosting mining configurations.
- mail[.]ru SMTP infrastructure is exploited to exfiltrate stolen credentials and desktop files.
The campaign uses Windows Management Instrumentation (WMI) to check whether the machine is domain-joined and infects only domain-joined enterprise machines, skipping standalone home computers and focusing efforts on high-value corporate targets.
Payload Components
After gaining a foothold, the malware retrieves two password-protected 7-Zip archives from Dropbox:
- gmail2.7z: Contains executables for stealthy data theft and Monero cryptocurrency mining.
- gmail_ma.7z: Includes tools for maintaining persistence and cleaning up traces.
Key tools identified in the campaign include:
- ChromElevator-based component: Extracts credentials and other stored data from Chromium-based browsers by bypassing app-bound encryption (ABE).
- mozilla.vbs: A VBScript payload targeting Mozilla Firefox profiles and credentials.
- walls.vbs: Used for desktop file exfiltration.
- mservice.exe: An XMRig cryptocurrency miner configured via a compromised Moroccan WordPress site.
- WinRing0x64.sys: A legitimate Windows kernel driver abused to give the miner low-level hardware access so it can drive the CPU at full throughput.
- RuntimeHost.exe: A persistent Trojan that modifies Windows Firewall rules and maintains communication with the C2 server.
Data Exfiltration and Cleanup
Data stolen from browsers is exfiltrated through two mail[.]ru sender accounts that share the same credentials, sending the information to an attacker-operated email account at Duck.com.
After successfully stealing credentials and deploying the miner, the malware aggressively cleans up its tools to minimize forensic evidence, leaving behind only the cryptocurrency miner and Trojan components.
Why This Campaign Is Particularly Dangerous
According to Securonix researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee, FAUX#ELEVATE exemplifies a highly organized and multi-stage attack operation combining multiple advanced tactics in one infection chain.
The entire exploitation process—from initial VBScript execution to credential exfiltration and miner deployment—completes in approximately 25 seconds. Its selective targeting of domain-joined machines ensures that compromised hosts are valuable, providing access to corporate credentials and resources while remaining stealthy enough to evade many defenses.
Recommendations for Enterprises
Security teams are urged to remain vigilant against phishing campaigns leveraging seemingly innocuous files such as resumes. Limiting the use of scripting files like VBScript, employing robust email filtering, and monitoring for anomalous privileged executions can help reduce the risk. Additionally, employing endpoint detection tools that recognize living-off-the-land techniques and enforcing strict application and privilege policies is crucial to thwarting such attacks.
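One way to turn the dropper behaviour described above (an elevated VBScript adding drive-root Defender exclusions and switching UAC off in the registry) into the kind of privileged-execution monitoring these recommendations call for is a simple correlation over process-creation telemetry. This is an added example, not code from Securonix or the article; the log format, host names and command lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (timestamp|host|integrity|image|command line); illustrative only.
SAMPLE_EVENTS = r"""
2026-03-20T09:14:02Z|WS-042|High|wscript.exe|wscript.exe "C:\Users\jdupont\Downloads\CV_Dupont.vbs"
2026-03-20T09:14:05Z|WS-042|High|powershell.exe|powershell -c Add-MpPreference -ExclusionPath "C:\","D:\","E:\"
2026-03-20T09:14:06Z|WS-042|High|reg.exe|reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2026-03-20T10:02:11Z|WS-017|Medium|wscript.exe|wscript.exe "C:\Tools\inventory.vbs"
2026-03-20T11:30:00Z|WS-099|High|powershell.exe|powershell -c Add-MpPreference -ExclusionPath "C:\Program Files\Corp\Agent"
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_PATH = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData)\\|\\Temp\\", re.I)
# An exclusion whose value is a bare drive root such as "C:\" exempts the whole disk from scanning.
DRIVE_ROOT_EXCLUSION = re.compile(r'ExclusionPath.*"[A-Za-z]:\\"', re.I)
# reg.exe (/d 0) or PowerShell (-Value 0) writing EnableLUA=0 turns UAC off.
UAC_DISABLED = re.compile(r"EnableLUA.*?(?:/d|-Value)\s+0(?!\d)", re.I)

def parse(raw):
    rows = (line.split("|", 4) for line in raw.strip().splitlines())
    return [{"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
             "integrity": integ, "image": image.lower(), "cmd": cmd} for ts, host, integ, image, cmd in rows]

def classify(ev):
    """Tag one event with the dropper behaviours the article describes."""
    tags = set()
    if (ev["image"] in SCRIPT_HOSTS and ev["integrity"] == "High"
            and ".vbs" in ev["cmd"].lower() and USER_PATH.search(ev["cmd"])):
        tags.add("elevated_vbs_from_user_path")
    if DRIVE_ROOT_EXCLUSION.search(ev["cmd"]):
        tags.add("defender_drive_root_exclusion")
    if UAC_DISABLED.search(ev["cmd"]):
        tags.add("uac_disabled_in_registry")
    return tags

def detect(raw, window=timedelta(seconds=60)):
    """Alert when an elevated script host from a user path is followed on the same host, within `window`, by tampering."""
    events = parse(raw)
    alerts = []
    for i, ev in enumerate(events):
        if "elevated_vbs_from_user_path" not in classify(ev):
            continue
        followups = set()
        for later in events[i + 1:]:
            if later["host"] == ev["host"] and later["ts"] - ev["ts"] <= window:
                followups |= classify(later) - {"elevated_vbs_from_user_path"}
        if followups:
            alerts.append({"host": ev["host"], "ts": ev["ts"].isoformat(), "indicators": followups})
    return alerts
```

The WS-099 event shows why the drive-root check matters: a narrowly scoped exclusion added by an administrator is not flagged, while a bare `"C:\"` exclusion is.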
About the Author: Ravie Lakshmanan is a cybersecurity journalist covering malware, threat intelligence, and endpoint security developments worldwide.