Back to Intelligence

Defending Against Fake Resume Attacks: Detecting and Blocking Crypto Miners and Info Stealers

SA
Security Arsenal Team
March 30, 2026
6 min read

Defending Against Fake Resume Attacks: Detecting and Blocking Crypto Miners and Info Stealers

In recent reports from Securonix, a sophisticated social engineering campaign has been uncovered targeting French-speaking corporate environments. This campaign leverages a time-tested tactic—the "fake resume"—but with a modern twist designed to bypass traditional email filters. Rather than delivering macro-laden Office documents, attackers are distributing highly obfuscated VBScript files disguised as curriculum vitaes (CVs) to deploy cryptocurrency miners and information stealers.

For defenders, this highlights a critical shift in delivery mechanisms. While the social engineering lure remains constant, the technical payload requires a specific set of defensive controls to detect script-based droppers and block unauthorized resource consumption (mining) or credential theft.

Technical Analysis

The attack chain begins with a spear-phishing email tailored to HR departments or hiring managers. The attachment appears to be a legitimate resume or CV; however, the file extension is often .vbs or a double extension (e.g., resume.pdf.vbs).

When the victim executes the file, a highly obfuscated VBScript runs. This script typically acts as a dropper, leveraging PowerShell or mshta.exe to reach out to a command-and-control (C2) server. The primary payloads observed in this campaign include:

  1. Cryptocurrency Miners (e.g., XMRig): Designed to utilize system CPU/GPU resources to mine Monero, often causing significant performance degradation and increased power costs.
  2. Information Stealers: Malware designed to harvest browser credentials, session tokens, and system information to facilitate lateral movement or data exfiltration.

The severity of this event is High. While crypto miners primarily impact availability and performance, the presence of information stealers introduces a risk of Confidentiality breach and Integrity loss. The use of obfuscated scripts makes detection difficult for signature-based antivirus solutions, requiring behavioral analysis and script logging to identify malicious execution patterns.

Defensive Monitoring

To detect this type of activity, security operations centers (SOCs) must focus on the execution of scripting engines and the subsequent suspicious behaviors. Below are detection rules and hunts for Sigma, Microsoft Sentinel (KQL), and Velociraptor (VQL).

SIGMA Rules

The following Sigma rules detect the execution of suspicious VBScript files and the common obfuscation techniques used by these droppers.

YAML
---
title: Suspicious VBScript Execution via WScript or CScript
id: 9a5c3d21-1e4b-4c8a-9f2d-7a6b5c4d3e2f
status: experimental
description: Detects the execution of VBScript files by WScript or CScript, often used in malicious resume campaigns.
references:
  - https://thehackernews.com/2026/03/hackers-use-fake-resumes-to-steal.html
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.execution
  - attack.t1059.005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
    CommandLine|contains:
      - '.vbs'
      - '.vbe'
  filter:
    ParentImage|contains: '\Program Files\'
condition: selection and not filter
falsepositives:
  - Legitimate system administration scripts
level: medium
---
title: Obfuscated PowerShell Command Execution
id: b8e4d6c2-3a1f-4b5e-8d9c-1a2b3c4d5e6f
status: experimental
description: Detects highly obfuscated PowerShell commands often spawned by VBScript droppers to download payloads.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.execution
  - attack.t1059.001
  - attack.defense_evasion
  - attack.t1027
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'FromBase64String'
      - 'EncodedCommand'
      - 'Invoke-Expression'
      - 'IEX'
  condition: selection
falsepositives:
  - Legitimate administrative scripts using encoding
level: high
---
title: Suspicious Process Spawned by Microsoft Office
id: c7f3e9d1-4b2a-5c6e-9d0a-2b1c3d4e5f6a
status: experimental
description: Detects Microsoft Word or Excel spawning WScript or PowerShell, a common technique in malicious document campaigns.
references:
  - https://attack.mitre.org/techniques/T1566/001/
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    Image|contains:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\POWERPNT.EXE'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate macro-enabled business documents
level: high

KQL (Microsoft Sentinel / Defender)

Use these KQL queries to hunt for signs of the fake resume campaign or verify if malicious scripts have executed recently.

KQL — Microsoft Sentinel / Defender
// Hunt for VBScript execution from user directories
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("wscript.exe", "cscript.exe")
| where ProcessCommandLine has ".vbs" 
| where InitiatingProcessFileName !in~ ("explorer.exe", "cmd.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc


// Detect potential crypto mining process characteristics (High CPU/Rare Image)
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe")
| where ProcessCommandLine has_any ("download", "iex", "invoke-expression", "frombase64string")
| join kind=inner (DeviceNetworkEvents
| where RemotePort in (3333, 4444, 8080, 14444) // Common mining pools or C2 ports
| project DeviceId, RemoteUrl, RemoteIP) on DeviceId
| project Timestamp, DeviceName, FileName, ProcessCommandLine, RemoteUrl, RemoteIP

Velociraptor VQL

These VQL artifacts hunt for suspicious VBScript files on disk and analyze recent process executions for script hosts.

VQL — Velociraptor
-- Hunt for VBScript files in user downloads or desktop directories
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs="C:/Users/*/Downloads/*.vbs")

UNION ALL

SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs="C:/Users/*/Desktop/*.vbs")


-- Detect recent execution of wscript.exe or cscript.exe
SELECT Pid, Name, CommandLine, Exe, StartTime, Username
FROM pslist()
WHERE Name =~ "wscript" OR Name =~ "cscript"

-- Cross-reference with network connections to identify potential C2 or Mining pools
SELECT P.Name, P.CommandLine, N.RemoteAddress, N.RemotePort
FROM pslist() AS P
LEFT JOIN each(process=Pid, query={
    SELECT RemoteAddress, RemotePort
    FROM listen()
}) AS N
WHERE P.Name =~ "wscript" OR P.Name =~ "cscript"

PowerShell Remediation Script

Use this script to audit a system for recently created VBScript files in common user directories.

PowerShell
<#
.SYNOPSIS
    Scans for suspicious VBScript files created in the last 24 hours.
.DESCRIPTION
    This script searches User Profiles for .vbs files modified recently and outputs the findings.
#>

$TimeThreshold = (Get-Date).AddDays(-1)
$SuspiciousPaths = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    "$env:USERPROFILE\Documents",
    "C:\Users\*\Downloads",
    "C:\Users\*\Desktop"
)

Write-Host "Scanning for VBScript files created or modified after: $TimeThreshold" -ForegroundColor Cyan

foreach ($Path in $SuspiciousPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Filter *.vbs -Recurse -ErrorAction SilentlyContinue | 
        Where-Object { $_.LastWriteTime -gt $TimeThreshold -or $_.CreationTime -gt $TimeThreshold } | 
        Select-Object FullName, LastWriteTime, CreationTime, Length | 
        Format-Table -AutoSize
    }
}

Write-Host "Scan complete." -ForegroundColor Green

Remediation and Protection Strategies

To effectively defend against fake resume attacks and script-based malware, organizations should implement the following measures:

  1. Application Whitelisting (ASR Rules): Configure Attack Surface Reduction (ASR) rules in Microsoft Defender or equivalent AppLocker policies to prevent Office applications from creating child processes or executing script interpreters (WScript/CScript).
  2. Disable WScript/CScript: Where business logic permits, consider disabling the Windows Script Host (wscript.exe and cscript.exe) entirely on endpoints. This can be done via the registry:
    • Path: HKCU\Software\Microsoft\Windows Script Host\Settings
    • Value: Enabled
    • Data: 0
  3. Email Security Gateways: Configure email filters to quarantine attachments with double extensions (e.g., .doc.vbs) or known script extensions (.vbs, .js, .wsh) originating from external senders.
  4. User Awareness Training: Specifically target HR and recruitment teams with training regarding the risks of unsolicited resumes and the importance of verifying file extensions before opening.
  5. Script Block Logging: Ensure PowerShell Script Block Logging and Module Logging are enabled on all endpoints to capture obfuscated script execution attempts for forensic analysis.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

socmdrmanaged-socdetectionsocial-engineeringendpoint-detectionmalware-analysiswindows-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action