Eggs in a Cloudy Basket: Skeleton Spider’s Trusted Cloud Malware Delivery

MITRE Techniques

• [T1193] Spear Phishing Link – FIN6 sends phishing emails impersonating job applicants with no clickable links to force manual URL entry (“…non-clickable, no hyperlink (‘bobbyweisman[.]com’) to bypass automated link detection…”).
• [T1566.002] Phishing: Spearphishing Link – Use of social engineering via professional networking platforms LinkedIn and Indeed to establish trust before phishing (“…initiating contact via professional job platforms…posing as enthusiastic job seekers…”).
• [T1204.002] User Execution: Malicious File – Delivery of More_eggs backdoor via ZIP archives containing disguised .LNK files executing hidden JavaScript (“ZIP file contains a disguised .LNK (Windows shortcut) file…LNK file executes hidden JavaScript using wscript.exe”).
• [T1059.006] Command and Scripting Interpreter: Windows Script Host – Hidden JavaScript executed with wscript.exe to launch malware (“LNK file executes hidden JavaScript using wscript.exe”).
• [T1543.003] Create or Modify System Process: Windows Service – Persistence via registry run keys and scheduled tasks (“Persistence: Registry run keys or scheduled tasks HKCUSoftwareMicrosoftWindowsCurrentVersionRun”).
• [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over HTTPS with spoofed User-Agent headers (“C2 Communication: HTTPS with spoofed User-Agent headers Mozilla/5.0 (Windows NT 10.0; Win64; x64)”).
• [T1059.001] Command and Scripting Interpreter: PowerShell – Use of PowerShell with encoded commands for execution (“powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -EncodedCommand “).
• [T1497] Virtualization/Sandbox Evasion – Environmental fingerprinting and behavioral checks including IP, browser, operating system, and CAPTCHA to evade detection (“The site checks for typical Windows browser user-agent strings…CAPTCHA verification…traffic filtering logic”).