thehackernews.com 3/24/2026, 5:25:53 PM · via preferred

Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner

An ongoing phishing campaign is targeting French-speaking corporate environments with fake resumes that lead to the deployment of cryptocurrency miners and information stealers, according to Securonix. The campaign uses highly obfuscated VBScript files disguised as resume/CV documents, delivered through phishing emails, and the malware deploys a multi-purpose toolkit that combines credential theft, data exfiltration, and Monero cryptocurrency mining for maximum monetization.

The activity has been codenamed FAUX#ELEVATE, with attackers abusing legitimate services and infrastructure such as Dropbox for staging payloads, Moroccan WordPress sites for hosting C2 configuration, and mail[.]ru SMTP infrastructure for exfiltrating stolen browser credentials and desktop files.

The dropper starts as a Visual Basic Script that, once executed, disables security controls, configures Defender exclusions, disables UAC via a registry change, and deletes itself. The script contains 224,471 lines, of which only 266 are executable code.

It uses a domain-join gate via Windows Management Instrumentation to ensure payloads are delivered only on enterprise machines, and the attack chain completes in approximately 25 seconds from initial VBS execution to credential exfiltration, leaving behind the miner and trojan.
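A static triage check for the padding ratio described above, as an added example that is not code from the article or from Securonix. It assumes the non-executable lines are blank lines or full-line comments; the thresholds, function names and indicator patterns are illustrative choices using generic Windows artifact names, not indicators published for this campaign.

```python
import re

# Assumed generic Windows artifacts for the behaviours named in the article;
# these are not indicators published for this campaign.
INDICATORS = {
    "defender_exclusion": re.compile(r"Add-MpPreference|Windows Defender\\Exclusions", re.I),
    "uac_registry": re.compile(r"EnableLUA|ConsentPromptBehaviorAdmin", re.I),
    "wmi_domain_gate": re.compile(r"Win32_ComputerSystem|PartOfDomain", re.I),
}

def is_executable(line):
    """True if a VBScript line is neither blank nor a full-line comment (' or Rem)."""
    s = line.strip()
    return bool(s) and not s.startswith("'") and not re.match(r"rem(\s|$)", s, re.I)

def triage_vbs(text, min_lines=1000, max_exec_ratio=0.01):
    """Flag scripts that are large but almost entirely non-executable filler."""
    lines = text.splitlines()
    code = [l for l in lines if is_executable(l)]
    ratio = len(code) / len(lines) if lines else 0.0
    # Indicators are matched on executable lines only, so filler text cannot trigger them.
    hits = sorted(n for n, rx in INDICATORS.items() if any(rx.search(l) for l in code))
    return {
        "total": len(lines),
        "executable": len(code),
        "ratio": ratio,
        "padded": len(lines) >= min_lines and ratio <= max_exec_ratio,
        "indicators": hits,
    }

def make_sample(code_lines, filler_lines):
    """Constructed input: a domain-membership query buried in comment filler."""
    query = ('Set r = GetObject("winmgmts:").ExecQuery'
             '("SELECT PartOfDomain FROM Win32_ComputerSystem")')
    code = [query] + ["x = x + 1"] * (code_lines - 1)
    filler = ["' constructed filler comment"] * filler_lines
    half = filler_lines // 2
    return "\n".join(filler[:half] + code + filler[half:])

if __name__ == "__main__":
    # Same proportions as the article: 224,471 lines, 266 of them executable.
    print(triage_vbs(make_sample(266, 224471 - 266)))
```

Run against `.vbs` attachments at the mail gateway or on quarantined files; a script of ordinary size and density returns `padded: False`.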


Article by CyberSIXT