Malware Posing as CVs Targets HR Teams
A Russian‑speaking threat actor is distributing fake CV files that install malware designed to disable security tools and exfiltrate data. The campaign specifically aims at corporate HR staff who routinely open resumes and attachments.
Security researchers have identified a targeted campaign in which Russian‑speaking attackers send fraudulent CVs to corporate HR teams. The attachments arrive as ISO files — a common format for disk images — that, when opened, deploy malware capable of disabling endpoint protections before moving to steal sensitive files.
The lure is simple and effective: recruiters and HR staff often expect attachments containing candidate portfolios, certifications or media. Attackers exploit that trust by packaging malicious payloads inside seemingly legitimate resume-related files. Once executed, the malware attempts to neutralize antivirus and detection tools, creating a window to enumerate networks and collect data.
Victims reported in industry telemetry include mid‑sized and enterprise organisations across multiple sectors. The campaign appears to focus on human resources specifically because HR systems often store personal data, employment histories and occasionally access credentials or documents that can be used for social engineering further into the business.
Researchers note that delivery via ISO avoids some email gateway detections and can bypass systems that flag executable attachments. Attackers also tailor CV content to appear relevant to the recipient’s region or sector, increasing the chance the file will be opened.
Defensive recommendations emphasise user awareness and technical controls: treat unsolicited attachments with caution, verify sender identities through separate channels, and avoid opening disk image files from unverified sources. Organisations should ensure endpoint detection and response (EDR) tools are tamper‑resistant and maintain robust offline backups and least‑privilege access to sensitive HR systems.
For HR teams, the practical takeaway is to assume attachments might be weaponised and to rely on secure file‑sharing platforms instead of direct email attachments. Security teams should monitor for unusual attempts to disable protections and hunt for lateral movement indicators following any suspicious HR‑directed contact.
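Because delivery as an ISO can slip past gateways that only flag executable attachments, one control is to identify disk images by content as well as by name. The sketch below is an added example, not taken from the original report: it scans a raw email's attachments for ISO 9660/UDF volume descriptor identifiers. The extension list, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

SECTOR = 2048
FIRST_DESCRIPTOR = 16 * SECTOR  # ISO 9660 / UDF descriptors start at sector 16
IMAGE_IDS = (b"CD001", b"BEA01", b"NSR02", b"NSR03")  # ISO 9660 and UDF identifiers
IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")  # assumed blocklist, adjust to policy


def looks_like_disk_image(data: bytes, max_descriptors: int = 8) -> bool:
    """True if a volume descriptor identifier sits where ISO 9660/UDF puts it."""
    for i in range(max_descriptors):
        off = FIRST_DESCRIPTOR + i * SECTOR + 1  # identifier follows a 1-byte type
        if data[off:off + 5] in IMAGE_IDS:
            return True
    return False


def flag_attachments(raw_email: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment that is or claims to be an image."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if looks_like_disk_image(data):
            findings.append((name, "disk-image content"))
        elif name.lower().endswith(IMAGE_EXTS):
            findings.append((name, "disk-image extension"))
    return findings


def build_sample() -> bytes:
    """Constructed message for the demo; contains no real sample data."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "candidate@example.com", "hr@example.com"
    msg["Subject"] = "Application"
    msg.set_content("Please find my CV attached.")
    iso_like = bytes(FIRST_DESCRIPTOR) + b"\x01CD001\x01" + bytes(SECTOR - 7)
    msg.add_attachment(iso_like, maintype="application",
                       subtype="octet-stream", filename="CV_portfolio.dat")
    msg.add_attachment(b"not an image", maintype="application",
                       subtype="octet-stream", filename="scan.img")
    msg.add_attachment("Cover letter text.", filename="cover.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in flag_attachments(build_sample()):
        print(f"{name}: {reason}")
```

A hit is a reason to quarantine the message for review rather than a verdict on the file. `iter_attachments()` does not descend into nested multipart containers or archives, so those need separate unpacking before this check.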
Original Source: https://go.theregister.com/feed/www.theregister.com/2026/03/10/malware_targeting_hr/