{
	"id": "f59a905e-5dd7-4b59-8325-38ad38d268bf",
	"created_at": "2026-04-06T00:06:50.462635Z",
	"updated_at": "2026-04-10T03:36:08.320612Z",
	"deleted_at": null,
	"sha1_hash": "0ab0020c7faee12247c869278fe587dce4a4f9b7",
	"title": "TA4557 Launches Targeted Recruitment Scam via Email | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 683274,
	"plain_text": "TA4557 Launches Targeted Recruitment Scam via Email |\r\nProofpoint US\r\nBy Kelsey Merriman, Selena Larson, and Xavier Chambrier\r\nPublished: 2023-12-07 · Archived: 2026-04-05 15:15:14 UTC\r\nWhat happened \r\nSince at least October 2023, TA4557 began using a new technique of targeting recruiters with direct emails that\r\nultimately lead to malware delivery. The initial emails are benign and express interest in an open role. If the target\r\nreplies, the attack chain commences.  \r\nPreviously, throughout most of 2022 and 2023, TA4557 typically applied to existing open job listings purporting\r\nto be a job applicant. The actor included malicious URLs, or files containing malicious URLs, in the application.\r\nNotably, the URLs were not hyperlinked and the user would have to copy and paste the URL text to visit the\r\nwebsite.  The legitimate job hosting sites would then generate and send email notifications to the prospective\r\nemployers who posted the positions. \r\nIn recently observed campaigns, TA4557 used both the new method of emailing recruiters directly as well as the\r\nolder technique of applying to jobs posted on public job boards to commence the attack chain. \r\nSpecifically in the attack chain that uses the new direct email technique, once the recipient replies to the initial\r\nemail, the actor was observed responding with a URL linking to an actor-controlled website posing as a candidate\r\nresume. Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions to\r\nvisit the fake resume website. \r\nExample initial outreach email by TA4557 to inquire about a job posting. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email\r\nPage 1 of 5\n\nExample follow up email containing a URL linking to a fake resume website. 
\r\nNotably, in campaigns observed in early November 2023, Proofpoint observed TA4557 direct the recipient to\r\n“refer to the domain name of my email address to access my portfolio” in the initial email instead of sending the\r\nresume website URL directly in a follow-up response. This is likely a further attempt to evade automated detection\r\nof suspicious domains. \r\nEmail purporting to be from a candidate directing the recipient to visit the domain in an email address. \r\nIf the potential victims visit the “personal website” as directed by the threat actor, the page mimics a candidate’s\r\nresume or job site for the candidate (TA4557) applying for a posted role. The website uses filtering to determine\r\nwhether to direct the user to the next stage of the attack chain. \r\nExample of a fake candidate website operated by TA4557 that leads to download of a zip attachment.  \r\nIf the potential victim does not pass the filtering checks, they are directed to a page containing a resume in plain\r\ntext. Alternatively, if they pass the filtering checks, they are directed to the candidate website. The candidate\r\nwebsite uses a CAPTCHA which, if completed, will initiate the download of a zip file containing a shortcut file\r\n(LNK). The LNK, if executed, abuses legitimate software functions in \"ie4uinit.exe\" to download and execute a\r\nscriptlet from a location stored in the \"ie4uinit.inf\" file. This technique is commonly referred to as \"Living Off\r\nThe Land\" (LOTL).  \r\nThe scriptlet decrypts and drops a DLL in the %APPDATA%\\Microsoft folder. 
Next, it attempts to create a new\r\nregsvr32 process to execute the DLL using Windows Management Instrumentation (WMI) and, if that fails, tries\r\nan alternative approach using the ActiveX Object Run method. \r\nThe DLL employs anti-sandbox and anti-analysis techniques. It incorporates a loop specifically designed to\r\nretrieve the RC4 key necessary for deciphering the More_Eggs backdoor. This loop is strategically crafted to\r\nextend its execution time, enhancing its evasion capabilities within a sandbox environment. Furthermore, the DLL\r\nemploys multiple checks to determine if it is currently being debugged, utilizing the NtQueryInformationProcess\r\nfunction. \r\nThe DLL drops the More_Eggs backdoor along with the MSXSL executable. Subsequently, it initiates the creation\r\nof the MSXSL process using the WMI service. Once completed, the DLL deletes itself. More_Eggs can be used to\r\nestablish persistence, profile the machine, and drop additional payloads. \r\nAttribution \r\nProofpoint has been tracking TA4557 since 2018 as a skilled, financially motivated threat actor known to\r\ndistribute the More_Eggs backdoor capable of profiling the endpoint and sending additional payloads. \r\nTA4557 is notably different from other priority threat actors tracked by Proofpoint due to the unique tool and\r\nmalware usage, campaign targeting, use of job candidate-themed lures, sophisticated evasive measures employed\r\nto prevent detection, distinct attack chains, and the actor-controlled infrastructure.   \r\nActivity attributed to TA4557 has historically overlapped with activity associated with cybercrime group FIN6 by\r\nthird parties in external reporting. 
The malware suite used by TA4557 has also been observed to be used by the\r\ncybercrime groups Cobalt Group and Evilnum, and Proofpoint tracks these as distinct activity clusters which are\r\nnot often observed in Proofpoint threat data.  \r\nWhy it matters \r\nTA4557 demonstrates sophisticated social engineering and tailors their lures to specific, legitimate job\r\nopportunities posted online. The tone and content of the emails suggest to the recipient the actor is a legitimate\r\ncandidate, and because the actor specifically targets people who are involved in recruiting and hiring, the emails\r\ndo not immediately seem suspicious.  \r\nProofpoint has seen an increase in threat actors using benign messages to build trust and engage with a target\r\nbefore sending the malicious content, and TA4557 adopting this technique may convince recipients to be more\r\ntrusting of the interaction and subsequent content shared with them. Additionally, the group is regularly changing\r\ntheir sender emails, fake resume domains, and infrastructure. This is done alongside building rapport with the\r\ntarget before sending a payload and poses a problem for defenders and automated security tools as it can be\r\ndifficult to detect the content as malicious. \r\nOrganizations that use third-party job posting websites should be aware of this actor’s tactics, techniques, and\r\nprocedures (TTPs) and educate employees, especially those in recruiting and hiring functions, about this threat.   
\r\nExample Emerging Threats signatures \r\n2852061 – ETPRO MALWARE Possible More_eggs Landing Page - Fake Resume/Profile Site \r\n2850476 – ETPRO MALWARE More_eggs CnC Activity  \r\nIndicators of compromise \r\nIndicator   Description \r\nwlynch\\.com  Domain \r\n9d9b38dffe43b038ce41f0c48def56e92dba3a693e3b572dbd13d5fbc9abc1e4  SHA256 \r\n6ea619f5c33c6852d6ed11c52b52589b16ed222046d7f847ea09812c4d51916d  SHA256 \r\nannetterawlings\\.com  Domain \r\n010b72def59f45662150e08bb80227fe8df07681dcf1a8d6de8b068ee11e0076  SHA256 \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email"
	],
	"report_names": [
		"security-brief-ta4557-targets-recruiters-directly-email"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434010,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ab0020c7faee12247c869278fe587dce4a4f9b7.pdf",
		"text": "https://archive.orkl.eu/0ab0020c7faee12247c869278fe587dce4a4f9b7.txt",
		"img": "https://archive.orkl.eu/0ab0020c7faee12247c869278fe587dce4a4f9b7.jpg"
	}
}