July 18, 2025

How LinkedIn and Indeed Are Being Abused to Target Job Seekers and HR Recruiters

In a world of digital-first hiring, every application, every message, and every resume opens a small window into your company.

We rely on platforms, automate workflows, and move faster than ever to find the right talent. But with that speed comes something few teams expect: risk.

What was once a simple part of day-to-day operations - reviewing a resume - has quietly become a point of vulnerability.

The Evolution of a Threat: How Resume-Based Attacks Have Grown

In recent years, cybercriminals have gradually adapted to new entry points created by cloud-based hiring platforms. What began as phishing emails impersonating recruiters or job listings has evolved into a more refined and targeted campaign: delivering malware through professional-looking resumes, often sent directly via LinkedIn or job portals like Indeed.

  • As early as 2023, attackers were impersonating recruiters to phish job seekers, often by embedding malicious links in fake interview invitations.

  • By late 2024, the direction shifted. Threat actors began posing as candidates, delivering malware disguised as portfolios or CVs through job platforms.

  • Now, attackers target HR recruiters directly via LinkedIn messaging, delivering resumes hosted on cloud services like AWS, and deploying malware via manual downloads that evade most email filters.

This change in direction marks a turning point - weaponizing one of the most human-centered business processes: hiring.

The Current Tactic: LinkedIn Messages and Weaponized Resumes

In June 2025, multiple threat intelligence firms confirmed a rapidly evolving malware campaign targeting HR professionals. In this new wave, attackers pose as job applicants using LinkedIn or Indeed, sending authentic-looking connection requests and follow-up messages to recruiters or hiring managers.

These messages often include a brief introduction and a reference to a resume or portfolio hosted externally - but the attackers avoid sending a clickable link. Instead, they write out the domain name of a fake resume site (e.g., johnsmith-cv[.]com) and instruct the recipient to type it manually into their browser.

This minor behavioral trick is enough to bypass most corporate email gateways, LinkedIn link scanning, and browser security filters. Once the recruiter visits the page, they are prompted to download a ZIP file containing what appears to be a resume or portfolio. The infection allows the attackers to quietly access internal documents, employee credentials, Slack tokens, and even customer databases - without immediate detection.
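Because the lure is a domain written as plain text plus a request to type it in, the message text itself can be screened for that pattern. The sketch below is an added example, not tooling from the campaign reports: the TLD list, the cue phrases and the three sample messages are constructed assumptions, and it expects message text exported from an inbox or ATS.

```python
import re

# Assumed, non-exhaustive TLD list; extend it for your environment.
TLD = r"(?:com|net|org|io|me|info|site|online|dev|co)"
# A domain written as text (plain or defanged), not part of a clickable URL.
WRITTEN_DOMAIN = re.compile(
    r"(?<![/@\w.-])"                        # skip URLs and e-mail addresses
    r"([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)"   # labels, e.g. johnsmith-cv
    r"(?:\s*(?:\[\.\]|\(\.\)|\[dot\]|\(dot\))\s*|\s+dot\s+|\.)"
    rf"({TLD})\b",
    re.IGNORECASE,
)
# Assumed cue phrases for "enter this address yourself".
MANUAL_ENTRY_CUE = re.compile(
    r"\b(?:type|copy|paste|enter)\b[^.!?]{0,80}\b(?:browser|address bar)\b",
    re.IGNORECASE,
)

def triage_message(text: str) -> dict:
    """Flag messages that name a non-clickable domain and ask for manual entry."""
    # Domains are reported defanged so the output cannot be clicked either.
    domains = sorted({f"{m.group(1)}[.]{m.group(2)}".lower()
                      for m in WRITTEN_DOMAIN.finditer(text)})
    manual = bool(MANUAL_ENTRY_CUE.search(text))
    if domains and manual:
        verdict = "review"   # matches the lure described above
    elif domains:
        verdict = "note"     # written-out domain only
    else:
        verdict = "ok"
    return {"domains": domains, "asks_manual_entry": manual, "verdict": verdict}

# Constructed sample messages, not taken from real incidents.
SAMPLES = [
    "Hi, I am applying for the analyst role. My portfolio is at "
    "johnsmith-cv[.]com - please type it into your browser, LinkedIn strips my links.",
    "Thanks for the update. I applied yesterday through "
    "https://careers.example.com/jobs/123.",
    "Resume attached in the ATS as requested. Portfolio: john-doe-portfolio dot com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_message(sample))
```

A "review" verdict is a prompt to route the candidate to the official application channel, not proof of malice; legitimate candidates also mention personal sites.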

Documented Cases: Real-World Impact and Damage

In 2025 alone, several confirmed incidents have shown how real and damaging this threat has become for companies actively recruiting online.

In June 2025, the FIN6 hacking group (also known as Skeleton Spider) launched a series of attacks specifically targeting recruiters via LinkedIn and Indeed. The group impersonated job seekers and sent links to “resume sites” - domains registered through AWS and crafted to appear legitimate. Once visited, the sites delivered More_eggs, a modular backdoor capable of credential theft and remote access. The attack successfully bypassed corporate filters by avoiding direct links and instead prompting recruiters to type in the fake domain manually.

Also in mid-2025, researchers from Arctic Wolf identified a separate, financially motivated campaign operated by the Venom Spider group. This group targeted HR departments across industries by submitting polished fake job applications linking to malicious personal websites. After solving a CAPTCHA, victims were prompted to download what appeared to be a resume, only to trigger the More_eggs JavaScript-based malware. The malware granted attackers silent access to internal systems, from documents and credentials to messaging platforms and customer data.

What This Means for HR and the Entire Team

These attacks don’t just target recruiters. They target your entire company by slipping in through the hiring process.

A resume sent through LinkedIn used to be routine. Today, it can be a carefully disguised trap. And once one person opens the wrong file, it can expose internal documents, employee credentials, messaging platforms like Slack or Teams, shared drives, and customer data - all without setting off alarms.

One fake resume can lead to a full company breach. This is what makes the threat so serious: attackers no longer go through firewalls - they go through people.

How to Stay EXTRA SAFE from Fake Resume Attacks

If you’re a recruiter — or responsible for reviewing job applications on behalf of your company — here’s how to stay secure against the rising threat of weaponized resumes:

  • Never open resumes shared as external links via LinkedIn messages or personal websites:
    Attackers now avoid using clickable links to bypass detection. Instead, they send messages with non-clickable URLs (e.g., johnsmith-cv[.]com) and ask recruiters to type them manually. These domains often host disguised malware posing as a resume file. Instead, instruct all candidates to apply only through your company’s official career portal or trusted ATS (Applicant Tracking System), where attachments can be scanned in a controlled environment.

  • Block and report unsolicited job applications sent via LinkedIn, especially from unknown profiles:
    Threat actors create fake but professional-looking LinkedIn accounts to build trust. Once connected, they send follow-ups with malicious resumes or fake portfolios. Instead, only engage with applicants who apply through verified, open job listings. Be cautious with cold messages or offers to send resumes outside of your established hiring workflow.

  • Avoid downloading any file (especially .zip or .lnk) directly from cloud services unless pre-vetted:
    Files hosted on AWS, Google Drive, or Dropbox may appear legitimate but can contain malware. .zip and .lnk files are commonly used to bypass filters and execute hidden payloads. Instead, only accept files through systems that automatically scan attachments (like enterprise-grade email or ATS platforms). Avoid reviewing resumes that arrive from unknown cloud links without prior verification.

  • If your process includes talent pooling, request safe re-submission via official channels:
    When there’s no open role, recruiters may want to save promising candidates — but keeping or downloading externally shared files for later is unsafe. If the role isn’t open, share a link to your company’s job interest form or ATS where candidates can safely submit information and documents that are scanned on entry.

  • Educate your team and document these security practices in your hiring SOPs:
    Even one recruiter clicking the wrong file can result in a breach affecting the entire organization. Security policies are often weakest where human behavior intersects with urgency — like reviewing job applications under pressure. Instead, include secure hiring practices in your team’s onboarding and SOP documents. Partner with your IT/security team to run simulated phishing exercises tailored to recruiting workflows.
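For the IT or security team that vets files on recruiters' behalf, the check on .zip and .lnk files above can be done without extracting anything. This is an added example, not code from any vendor or report cited here: it lists a ZIP's members in memory and flags shortcut or script entries, including ones dressed up with a document extension. Only .lnk comes from this article; the other extensions and the sample archive are constructed assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# .lnk comes from the article; the rest is an assumed, non-exhaustive set of
# script and executable types a resume archive has no reason to contain.
RISKY_EXT = {".lnk", ".js", ".jse", ".vbs", ".wsf", ".hta", ".exe",
             ".scr", ".bat", ".cmd", ".ps1", ".msi", ".iso"}
DOC_EXT = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".jpg", ".png"}

def triage_zip(data: bytes) -> list[dict]:
    """List archive members without extracting them and flag risky entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            reasons = []
            if suffixes and suffixes[-1] in RISKY_EXT:
                reasons.append(f"executable or shortcut type {suffixes[-1]}")
                # e.g. Resume.pdf.lnk shows as "Resume.pdf" when extensions are hidden
                if len(suffixes) > 1 and suffixes[-2] in DOC_EXT:
                    reasons.append("document extension used as disguise")
            if info.flag_bits & 0x1:  # bit 0 of the ZIP flags marks encryption
                reasons.append("encrypted entry, cannot be scanned")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings

def build_sample() -> bytes:
    """Constructed archive with placeholder bytes, not real shortcut content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("John_Smith_Resume.pdf.lnk", b"constructed placeholder")
        zf.writestr("portfolio/cover.jpg", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

An empty result only means no entry matched these name-based rules; the archive still needs the content scanning an ATS or mail gateway performs.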

About #EXTRASAFEcheck
New security risks pop up every day, spreading faster than ever. From AI flaws to data leaks, even the most popular apps can pose hidden threats, affecting both teams and individual users. That’s why our monthly review brings you the most important updates to keep you informed and protected. Follow #EXTRASAFEcheck to spot risks early and make safer online choices.