An ongoing phishing campaign is targeting French-speaking corporate environments with fake resumes that lead to the deployment of cryptocurrency miners and information stealers.
The campaign uses highly obfuscated VBScript files disguised as resume/CV documents, delivered through phishing emails. Once executed, the malware deploys a multi-purpose toolkit that combines credential theft, data exfiltration, and Monero cryptocurrency mining for maximum monetization.
Security researchers from Securonix, including Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee, reported the activity, which they have codenamed FAUX#ELEVATE. The campaign is notable for abusing legitimate services such as Dropbox to stage payloads, Moroccan WordPress sites to host command-and-control (C2) configuration, and mail.ru SMTP infrastructure to exfiltrate stolen browser credentials and desktop files. Routing staging, C2 configuration, and exfiltration through trusted third-party platforms lets the traffic blend in with ordinary use of those services, which blunts reputation- and domain-based blocking.
The initial dropper is a Visual Basic Script (VBScript) that displays a bogus French-language error message upon opening, tricking users into thinking the file is corrupted. Meanwhile, the heavily obfuscated script runs a series of checks to evade sandboxes and then repeatedly triggers User Account Control (UAC) elevation prompts until the user agrees to run it with administrator privileges. Out of the script's 224,471 lines, only 266 contain executable code; the rest are junk comments made of random English sentences, inflating the file to 9.7 MB so that it exceeds the size limits of many scanners and sandboxes.
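A comment-to-code ratio this skewed is easy to measure, and it is a cheap triage signal for quarantined scripts. The following PowerShell function is an added example, not code from the article or from Securonix: it counts blank, comment and executable lines in a .vbs file and flags large scripts with very little code. The thresholds and the "hint" tokens it looks for are assumptions chosen for illustration, not indicators published by the researchers.

```powershell
# Added example (not code from the article or from Securonix): static triage of a
# .vbs file for the comment-inflation pattern described above. Thresholds and hint
# tokens are assumptions for illustration, not published indicators.
function Get-VbsJunkProfile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [double]$MaxCodeRatio = 0.02,   # assumed: flag when under 2% of lines are executable
        [int]$MinLines = 10000          # assumed: ignore small scripts
    )

    $lines   = @(Get-Content -LiteralPath $Path)
    $blank   = 0
    $comment = 0
    $code    = 0

    # VBScript comments start with an apostrophe or the Rem keyword; everything else
    # (including code with a trailing comment) is counted as executable.
    foreach ($line in $lines) {
        $t = $line.Trim()
        if ($t -eq '') { $blank++ }
        elseif ($t.StartsWith("'") -or $t -match '^rem(\s|$)') { $comment++ }
        else { $code++ }
    }

    $ratio = if ($lines.Count -gt 0) { $code / $lines.Count } else { 0 }

    # Hunting hints only (assumption): common in droppers that show a decoy dialog,
    # query WMI, or request elevation. Presence alone proves nothing.
    $text  = [System.IO.File]::ReadAllText($Path)
    $hints = @()
    if ($text -match 'MsgBox')   { $hints += 'MsgBox (possible decoy error dialog)' }
    if ($text -match 'winmgmts') { $hints += 'WMI access' }
    if ($text -match '"runas"')  { $hints += 'runas verb (elevation prompt)' }

    [pscustomobject]@{
        Path         = $Path
        TotalLines   = $lines.Count
        CommentLines = $comment
        BlankLines   = $blank
        CodeLines    = $code
        CodeRatio    = [math]::Round($ratio, 4)
        SizeMB       = [math]::Round((Get-Item -LiteralPath $Path).Length / 1MB, 2)
        Suspicious   = ($lines.Count -ge $MinLines -and $ratio -lt $MaxCodeRatio)
        Hints        = ($hints -join '; ')
    }
}

# Usage: profile every .vbs under a quarantine folder and show only the inflated ones
Get-ChildItem -Path .\quarantine -Filter *.vbs -Recurse |
    ForEach-Object { Get-VbsJunkProfile -Path $_.FullName } |
    Where-Object Suspicious |
    Format-Table Path, TotalLines, CodeLines, CodeRatio, SizeMB, Hints -AutoSize
```

Applied to the figures in the article (266 executable lines out of 224,471), the code ratio would be about 0.0012, far below the 2% threshold used here. Legitimate administrative scripts rarely pad themselves this way, so a low ratio on a large file is a strong prompt for manual review even before deobfuscation.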
The malware also queries Windows Management Instrumentation (WMI) to check whether the host is domain-joined, delivering payloads only to enterprise machines and skipping standalone home systems. Once administrative privileges are obtained, it adds Microsoft Defender exclusions covering drives C: through I:, which blinds Defender to anything the later stages write on those volumes, disables UAC through a registry change, and deletes itself.
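Each of those post-elevation changes leaves a durable mark on the host, so a responder can check for them directly. The function below is an added example, not code from the article or from Securonix; it reads standard Windows locations (Get-MpPreference or the Defender exclusions registry key, the EnableLUA policy value, and Defender operational event ID 5007, which records configuration changes) and uses the C: through I: drive set from the description above.

```powershell
# Added example (not from the article or Securonix): audit a Windows host for the
# post-elevation changes described above. Registry paths and the event ID are standard
# Windows locations; the drive-letter range C..I mirrors the article's description.
function Get-FauxElevateHostAudit {
    [CmdletBinding()]
    param()

    # 1. Domain membership: the dropper only proceeds on domain-joined hosts.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $domainJoined = [bool]$cs.PartOfDomain

    # 2. Defender exclusions: a whole-drive exclusion such as "D:\" is almost never legitimate.
    $exclusions = @()
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref) {
        $exclusions = @($pref.ExclusionPath | Where-Object { $_ })
    }
    else {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
        if (Test-Path $key) { $exclusions = @((Get-Item $key).GetValueNames()) }
    }
    $driveRootExclusions = @($exclusions | Where-Object { $_ -match '^[C-I]:\\?$' })

    # 3. UAC state: EnableLUA = 0 means UAC has been disabled (effective after reboot).
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    $uacDisabled = ($lua -eq 0)

    # 4. Defender configuration-change events (ID 5007) date the moment exclusions were added.
    $recentChanges = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Message

    [pscustomobject]@{
        ComputerName          = $cs.Name
        DomainJoined          = $domainJoined
        ExclusionPaths        = $exclusions
        DriveRootExclusions   = $driveRootExclusions
        UacDisabled           = $uacDisabled
        RecentExclusionEvents = @($recentChanges)
        Suspicious            = ($uacDisabled -or $driveRootExclusions.Count -gt 0)
    }
}

# Usage (run from an elevated prompt so the Defender operational log is readable)
Get-FauxElevateHostAudit | Format-List
```

Because the dropper deletes itself, the exclusions, the EnableLUA change and the 5007 events are often the earliest surviving evidence on a host; the timestamps on those events also bound when the archives from Dropbox were fetched, which helps when pulling proxy or firewall logs for the same window.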
The dropper fetches two password-protected 7-Zip archives from Dropbox: gmail2.7z, containing executables to steal data and mine cryptocurrency, and gmail_ma.7z, with utilities for persistence and cleanup. Among the credential theft tools is a component leveraging the ChromElevator project to bypass app-bound encryption (ABE) in Chromium-based browsers. Other tools include mozilla.vbs to steal Mozilla Firefox profiles and credentials, walls.vbs for desktop file exfiltration, mservice.exe (an XMRig miner configured via a compromised Moroccan WordPress site), WinRing0x64.sys (a legitimate kernel driver for full CPU mining), and RuntimeHost.exe (a persistent Trojan that modifies Windows Firewall rules and communicates with a C2 server).
Browser data is exfiltrated using two mail.ru sender accounts (olga.aitsaid@mail.ru and 3pw5nd9neeyn@mail.ru) with the same password, sending stolen data via SMTP to an attacker-controlled email address (vladimirprolitovitch@duck.com). After credential theft and exfiltration are complete, the attack chain aggressively cleans up dropped tools to minimize forensic footprint, leaving only the miner and trojan artifacts.
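Exfiltration over SMTP from a workstation is unusual in most enterprises, where endpoints send mail only through the organisation's own relay or a web client, so direct outbound connections to mail ports are a useful network signal regardless of the provider used. The function below is an added example, not code from the article or from Securonix: it scans Windows Firewall log lines (pfirewall.log, W3C format) for outbound TCP to 25, 465 or 587 toward anything other than an allowed relay. The log lines and the relay address are constructed for illustration; the mail.ru and duck.com addresses named in the article are mailbox identities, not network indicators, so matching is on port and destination rather than on those strings.

```powershell
# Added example (not from the article): flag direct outbound SMTP/SMTPS from endpoints in
# Windows Firewall log lines (pfirewall.log, W3C format). Sample lines and the relay
# address below are constructed; TEST-NET ranges are used, not real infrastructure.
$AllowedMailRelays = @('10.0.0.25')   # assumption: the organisation's own SMTP relay

function Find-DirectSmtpEgress {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string[]]$AllowedRelays = $AllowedMailRelays
    )
    $smtpPorts = 25, 465, 587
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        # Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
        #         tcpsyn tcpack tcpwin icmptype icmpcode info path
        $f = $line -split '\s+'
        if ($f.Count -lt 17 -or $f[3] -ne 'TCP' -or $f[16] -ne 'SEND') { continue }
        $dstPort = [int]$f[7]
        if ($smtpPorts -contains $dstPort -and $AllowedRelays -notcontains $f[5]) {
            [pscustomobject]@{
                Time    = "$($f[0]) $($f[1])"
                Action  = $f[2]
                Source  = $f[4]
                Dest    = $f[5]
                DstPort = $dstPort
            }
        }
    }
}

# Constructed sample: one connection to the relay, two to an outside mail server, one HTTPS
$sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-01-15 09:12:01 ALLOW TCP 10.1.5.23 10.0.0.25 51230 587 0 S 1234561 0 8192 - - - SEND
2025-01-15 09:12:03 ALLOW TCP 10.1.5.23 203.0.113.10 51234 587 0 S 1234567 0 8192 - - - SEND
2025-01-15 09:12:04 ALLOW TCP 10.1.5.23 203.0.113.10 51235 465 0 S 1234570 0 8192 - - - SEND
2025-01-15 09:12:05 ALLOW TCP 10.1.5.23 198.51.100.7 51236 443 0 S 1234571 0 8192 - - - SEND
'@ -split "`r?`n"

Find-DirectSmtpEgress -LogLines $sample | Format-Table -AutoSize
```

On the constructed sample, only the two connections to 203.0.113.10 are reported; the line to the relay and the HTTPS connection are ignored. In production the same logic applies to proxy or NetFlow exports, and blocking outbound 25/465/587 from workstations at the perimeter removes this channel entirely without affecting users who send mail through the corporate relay.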
The FAUX#ELEVATE campaign demonstrates a well-organized, multi-stage attack operation that combines several noteworthy techniques into a single infection chain. What makes this campaign particularly dangerous for enterprise security teams is the speed of execution, with the full infection chain completing in approximately 25 seconds from initial VBS execution to credential exfiltration, and the selective targeting of domain-joined machines, which ensures that every compromised host provides maximum value through corporate credential theft and persistent resource hijacking.