Date: 2023-12-12

TA4557, a threat actor tracked since 2018 for sending job-themed email threats, has adopted a new technique of targeting recruiters with direct emails that ultimately lead to malware delivery, according to Proofpoint.

The threat actor, known for using the More_eggs downloader as its malware dropper, had previously relied only on applying to jobs posted on public job boards or LinkedIn and inserting malicious URLs in the application.

Since October 2023, however, TA4557 has been observed directly emailing employers seeking candidates for various job roles.

"In recently observed campaigns, TA4557 used both the new method of emailing recruiters directly as well as the older technique of applying to jobs posted on public job boards to commence the attack chain," Proofpoint said in a blog post.

Direct emails with malicious URLs

In the new email technique, the attacker first sends the recruiter an outreach email to enquire about a job posting. Once the recipient replies to the initial email, the actor responds with a URL linking to a TA4557-controlled website posing as the candidate's resume.

"Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions to visit the fake resume website," Proofpoint added in the post.