Ethical Hacking News
A new phishing campaign, dubbed FAUX#ELEVATE, has been discovered by threat intelligence experts at Securonix. The attack targets French-speaking corporate environments with malicious resumes that combine credential theft, data exfiltration, and Monero cryptocurrency mining for maximum monetization. This is an example of a living-off-the-land-style attack that raises the bar on how attackers can trick defense mechanisms and sneak their way into the target's system without attracting much attention.
Threat Intelligence experts at Securonix discovered a sophisticated phishing campaign, FAUX#ELEVATE, targeting French-speaking corporate environments with malicious resumes. The attack uses highly obfuscated VBScript files disguised as resume/CV documents delivered through phishing emails. The malware deploys a multi-purpose toolkit for credential theft, data exfiltration, and Monero cryptocurrency mining. The campaign uses legitimate services and infrastructure, such as Dropbox and Moroccan WordPress sites, to stage payloads and host command-and-control servers. It is a living-off-the-land-style attack that tricks defense mechanisms and sneaks into the target's system without attracting attention. The dropper file displays a bogus error message to fool users into running it with administrator privileges. Only 266 of the script's 224,471 lines contain actual executable code. The malware uses a WMI-based domain-join gate to deliver payloads only on enterprise machines, excluding standalone home systems.
Threat Intelligence experts at Securonix have discovered a sophisticated phishing campaign, dubbed FAUX#ELEVATE, which targets French-speaking corporate environments with malicious resumes. The attack uses highly obfuscated VBScript files disguised as resume/CV documents, delivered through phishing emails. Upon execution, the malware deploys a multi-purpose toolkit that combines credential theft, data exfiltration, and Monero cryptocurrency mining for maximum monetization.
The campaign is noteworthy for its use of legitimate services and infrastructure, such as Dropbox for staging payloads, Moroccan WordPress sites for hosting command-and-control (C2) configuration, and mail[.]ru SMTP infrastructure for exfiltrating stolen browser credentials and desktop files. This is an example of a living-off-the-land-style attack that raises the bar on how attackers can trick defense mechanisms and sneak their way into the target's system without attracting much attention.
The initial dropper file is a Visual Basic Script (VBScript) that, upon opening, displays a bogus French-language error message, fooling recipients into thinking that the file is corrupted. Behind the scenes, however, the heavily obfuscated script runs a series of checks to evade sandboxes and enters a persistent User Account Control (UAC) loop that repeatedly prompts the user to run it with administrator privileges.
Notably, out of the script's 224,471 lines, only 266 lines contain actual executable code. The rest of the script is filled with junk comments featuring random English sentences, inflating the size of the file to 9.7MB.
The malware also uses a WMI (Windows Management Instrumentation) domain-join gate, ensuring that payloads are delivered only on domain-joined enterprise machines; standalone home systems are excluded entirely.
As soon as the dropper obtains administrative privileges, it wastes no time disabling security controls and covering up its tracks by configuring Microsoft Defender exclusion paths for all primary drive letters (from C to I), disabling UAC via a Windows Registry change, and deleting itself.
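As an added illustration, not part of the article or of Securonix's research, the Python below sketches detection logic for the two post-elevation actions just described: whole-drive Defender exclusions and EnableLUA set to 0 by the same process within a short window. The events are constructed in a simplified Sysmon Event ID 13 (registry value set) layout; the process images, timestamps and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Registry locations touched by the behaviour the article describes (real key paths).
DEFENDER_EXCL = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
ENABLE_LUA = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")  # an exclusion covering an entire drive

# Constructed sample events (not real telemetry) in a simplified Sysmon Event ID 13
# layout: (timestamp in seconds, process image, target object, value written).
EVENTS = [
    (100, "C:\\Windows\\System32\\wscript.exe", DEFENDER_EXCL + "C:\\", "0"),
    (101, "C:\\Windows\\System32\\wscript.exe", DEFENDER_EXCL + "D:\\", "0"),
    (101, "C:\\Windows\\System32\\wscript.exe", DEFENDER_EXCL + "E:\\", "0"),
    (102, "C:\\Windows\\System32\\wscript.exe", DEFENDER_EXCL + "F:\\", "0"),
    (103, "C:\\Windows\\System32\\wscript.exe", ENABLE_LUA, "0"),
    (500, "C:\\Program Files\\Backup\\backup.exe", DEFENDER_EXCL + "D:\\Backups", "0"),
]

def detect(events, window=60, min_roots=3):
    """Return (image, severity, findings) for each process that, within `window`
    seconds, excludes several whole drives from Defender and/or sets EnableLUA=0."""
    by_proc = defaultdict(list)
    for ts, image, target, data in events:
        by_proc[image].append((ts, target, data))
    alerts = []
    for image, evs in by_proc.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):  # slide a window over this process's events
            roots, uac_off = set(), False
            for ts, target, data in evs[i:]:
                if ts - t0 > window:
                    break
                if target.startswith(DEFENDER_EXCL):
                    path = target[len(DEFENDER_EXCL):]
                    if DRIVE_ROOT.match(path):
                        roots.add(path[0].upper())
                elif target == ENABLE_LUA and data == "0":
                    uac_off = True
            findings = []
            if len(roots) >= min_roots:
                findings.append("whole-drive Defender exclusions for " + ",".join(sorted(roots)))
            if uac_off:
                findings.append("UAC disabled (EnableLUA=0)")
            if findings:
                severity = "high" if len(findings) == 2 else "medium"  # both together: the pattern above
                alerts.append((image, severity, findings))
                break  # one alert per process
    return alerts
```

A single benign exclusion of a subfolder (the backup.exe event) produces no alert, while the dropper-like sequence is rated high because both behaviours come from one process.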
Among the tools used to facilitate credential theft is a component that leverages the ChromElevator project to extract sensitive data from Chromium-based browsers by getting around app-bound encryption (ABE) protections. Some of the other tools include -
Related Information:
https://www.ethicalhackingnews.com/articles/The-FAUXELEVATE-Campaign-A-Living-Off-The-Land-Phishing-Attack-that-Exploits-Enterprise-Credentials-ehn.shtml
https://thehackernews.com/2026/03/hackers-use-fake-resumes-to-steal.html
https://www.microsoft.com/en-us/security/blog/2025/12/11/imposter-for-hire-how-fake-people-can-gain-very-real-access/
Published: Tue Mar 24 11:56:54 2026 by llama3.2 3B Q4_K_M