What appears to be a harmless job application quickly unravels into a targeted enterprise compromise under the campaign FAUX#ELEVATE. Aimed at HR teams and recruitment departments, the FAUX#ELEVATE attack leverages a deeply obfuscated VBScript that quietly filters for domain-joined systems, ensuring it lands only on high-value corporate environments. The FAUX#ELEVATE campaign, first seen in 2025, targets France-based Windows systems in human resources and recruitment departments. Once executed, the FAUX#ELEVATE malware disables key security defenses, establishes a backdoor, siphons credentials from multiple browsers, and deploys a stealthy Monero cryptominer, all while exfiltrating sensitive data over encrypted email channels using hardcoded mail.ru accounts. The FAUX#ELEVATE campaign stands out for its precision and discipline: it evades sandbox analysis through timing checks, skips low-value targets by verifying domain membership, and cleans up its initial traces to leave behind a persistent foothold and a silent monetization pipeline targeting enterprise HR systems.
What looks like an ordinary job application quickly turns into a carefully staged compromise. The FAUX#ELEVATE attack begins with a phishing email targeting HR and recruitment teams, carrying a VBScript file. When opened, the FAUX#ELEVATE VBScript displays a convincing French error message suggesting the file is corrupted, while quietly executing malicious code in the background. Beneath this simple lure lies heavy obfuscation in the FAUX#ELEVATE script; only a tiny fraction of the script’s massive 224,000+ lines contains real logic, with the rest padded by meaningless comments. Critical strings in the FAUX#ELEVATE malware are deliberately fragmented and reconstructed at runtime, making analysis and detection significantly harder for security tools.
Before deploying its payload, the FAUX#ELEVATE script performs a series of environment checks to ensure it is running on a valuable target. The FAUX#ELEVATE malware avoids reinfecting systems using a mutex mechanism and, more importantly, verifies whether the machine is part of a corporate domain, effectively filtering out home users. Sandbox evasion is built into FAUX#ELEVATE through timing checks that detect accelerated execution environments. If administrative privileges are missing, the FAUX#ELEVATE script aggressively loops UAC prompts until elevation is granted. Once elevated, FAUX#ELEVATE weakens system defenses by disabling UAC, adding broad Windows Defender exclusions across multiple drives, and removing its own footprint from disk.
With defenses lowered, the FAUX#ELEVATE dropper retrieves additional components. The FAUX#ELEVATE malware downloads a renamed 7-Zip utility along with two password-protected archives hosted on Dropbox, extracting them into a public system directory at C:\Users\Public\WindowsUpdate. These FAUX#ELEVATE archives unpack a full toolkit: a backdoor for remote access, a Monero cryptominer, multiple credential stealers targeting Chromium-based browsers and Firefox, and utilities for harvesting desktop files. Notably, the FAUX#ELEVATE credential theft mechanism leverages techniques to bypass Chromium’s App-Bound Encryption, enabling the extraction of sensitive data such as cookies, saved credentials, and payment information without requiring elevated privileges.
Exfiltration is handled with equal precision in the FAUX#ELEVATE campaign. Stolen data is bundled and sent via SMTP over SSL using hardcoded mail.ru accounts (olga.aitsaid@mail.ru, 3pw5nd9neeyn@mail.ru), with email subjects tagged by victim geography and data type for easy classification by FAUX#ELEVATE operators. Meanwhile, the FAUX#ELEVATE cryptominer fetches its configuration from a compromised website (lmtop.ma), disguising it as an encoded image file to evade detection, and connects to a mining pool (pool.supportxmr.com) using stealth options that pause activity during user interaction. In parallel, the FAUX#ELEVATE backdoor establishes persistent command-and-control communication via dynamic DNS infrastructure (eufr18-166.workdns.com), ensuring continuous remote access.
To maintain long-term control while minimizing exposure, the FAUX#ELEVATE malware establishes multiple persistence mechanisms through registry keys and scheduled tasks. Once data theft is complete, FAUX#ELEVATE performs a thorough cleanup, removing scripts and tooling associated with the initial infection chain. Process injection into explorer.exe then enables persistent C2 beaconing on non-standard ports 7077 and 62046, maintaining a silent foothold in enterprise HR environments.
Configure Windows Group Policy to prevent wscript.exe and cscript.exe from executing VBS files downloaded from the internet. This directly mitigates the initial FAUX#ELEVATE dropper execution vector used in this campaign where a .vbs file disguised as a resume is the entry point.
Deploy endpoint detection rules to alert on file creation, script execution, and binary drops within world-writable directories such as C:\Users\Public\WindowsUpdate, which was used as the staging directory for the full FAUX#ELEVATE malware toolkit in this campaign.
Create detection rules for wscript.exe or cscript.exe processes that spawn child processes (cmd.exe, powershell.exe, schtasks.exe, netsh.exe), make outbound network connections, modify registry Run keys, or invoke PowerShell with Add-MpPreference -ExclusionPath commands, all indicators of FAUX#ELEVATE activity.
Create alerts for explorer.exe establishing network connections to non-Microsoft IPs, particularly on non-standard ports such as 7077 and 62046. In the FAUX#ELEVATE campaign, the RAT component was injected into explorer.exe for persistent C2 beaconing.
Where feasible, limit or monitor access to Dropbox CDN URLs from non-browser processes. The FAUX#ELEVATE campaign uses Dropbox links for payload delivery, and blocking these at the proxy level for non-approved applications can disrupt the delivery mechanism.
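The detection recommendations above can be expressed as a small rule set applied to endpoint telemetry. The following is an added example (not code from the original post or from any vendor product) that runs those rules over constructed Sysmon-style event records; the event field names, the `stage.bin` file name and the sample events are assumptions for illustration, while the paths, process names, ports and the Add-MpPreference -ExclusionPath indicator come from the campaign description above.

```python
# Added example: apply the FAUX#ELEVATE hunting rules to constructed event records.
# Event shape (type, image, parent_image, command_line, target, dst_port) is an
# assumption modelled loosely on Sysmon fields, not real telemetry.
import re

STAGING_DIR = r"c:\users\public\windowsupdate"          # staging dir named in the report
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "schtasks.exe", "netsh.exe"}
C2_PORTS = {7077, 62046}                                 # non-standard beacon ports
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\s+.*-exclusionpath", re.I)

def _base(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the list of rule names the event matches (empty if nothing fires)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        parent, child = _base(ev["parent_image"]), _base(ev["image"])
        if parent in SCRIPT_HOSTS and child in SUSPICIOUS_CHILDREN:
            hits.append("script_host_spawns_lolbin")
        if DEFENDER_EXCLUSION.search(ev.get("command_line", "")):
            hits.append("defender_exclusion_added")
    elif kind == "file_create":
        if ev["target"].lower().startswith(STAGING_DIR):
            hits.append("write_to_public_staging_dir")
    elif kind == "network_connect":
        img = _base(ev["image"])
        if img == "explorer.exe" and ev["dst_port"] in C2_PORTS:
            hits.append("explorer_c2_port")
        if img in SCRIPT_HOSTS:
            hits.append("script_host_network")
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not captured data
    {"type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -Command Add-MpPreference -ExclusionPath C:\\"},
    {"type": "file_create", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Public\WindowsUpdate\stage.bin"},     # file name assumed
    {"type": "network_connect", "image": r"C:\Windows\explorer.exe", "dst_port": 7077},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_port": 443},                                          # benign control case
]

def scan(events):
    """Return (event index, rule name) pairs for every rule that fires."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```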
Resource Development:
Initial Access:
Execution:
Persistence:
Privilege Escalation:
Defense Evasion:
Credential Access:
Discovery:
Collection:
Command and Control:
Exfiltration:
Impact: