Mining pool | Image: Securonix
Cybersecurity researchers at Securonix have pulled back the curtain on a new threat campaign dubbed FAUX#ELEVATE. The operation targets French-speaking corporate environments with a “Living-off-the-Land” approach that combines heavy obfuscation with legitimate cloud services to slip past modern defenses.
What looks like a routine recruitment email carrying a résumé is in fact the entry point for a multi-stage toolkit built for credential theft, data exfiltration, and stealthy cryptocurrency mining.
The attack begins with a phishing email carrying a VBScript file named nouveau_curriculum_vitae.vbs. To evade signature-based antivirus scanners, the authors padded the file to an extreme degree.
Securonix researchers noted the dropper’s extreme approach to evasion: “Of its 224,471 lines, only 266 lines (0.12%) are actual executable code, the remainder consists entirely of junk VBS comments sourced from real English sentences”.
This inflates the file to nearly 10 MB, making manual analysis “extremely tedious” and allowing the malicious core to hide behind a wall of natural language text.
Unlike many opportunistic campaigns, FAUX#ELEVATE is highly selective. The malware uses Windows Management Instrumentation (WMI) to perform a “Domain-Join Gate” check.
The script queries the Win32_ComputerSystem class and reads its PartOfDomain property. If the machine is not joined to a corporate domain, the full payload is skipped.
Researchers state this ensures “standalone home systems and non-corporate machines receive only the UAC elevation loop,” focusing the real damage on high-value enterprise targets.
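The two tricks described above, junk-comment padding and a WMI domain-join gate, both leave something a defender can key on once the padding is stripped. The following is an added triage example written for this article; it is not Securonix's tooling and not the FAUX#ELEVATE dropper. The sample script it analyses is constructed to mimic the layout described (a few executable lines scattered among thousands of comment lines, with a Win32_ComputerSystem/PartOfDomain query at the core), and the indicator regexes and the 5% code-ratio threshold are this example's own assumptions.

```python
"""Triage helper for comment-padded VBScript droppers (added example)."""
import re

# Indicators to look for once the junk is gone. The names come from the
# article's description of the campaign; the patterns are assumptions.
INDICATORS = {
    "wmi_domain_gate": re.compile(r"Win32_ComputerSystem|PartOfDomain", re.I),
    "dropbox_download": re.compile(r"dropbox\.com", re.I),
    "mailru_smtp": re.compile(r"smtp\.mail\.ru", re.I),
}

# A VBS line is a whole-line comment if it starts with ' or the Rem keyword.
COMMENT_RE = re.compile(r"^\s*('|rem\b)", re.I)

# Constructed core of a dropper: the WMI domain-join gate, five executable lines.
CORE = r"""
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMI.ExecQuery("SELECT PartOfDomain FROM Win32_ComputerSystem")
For Each objItem In colItems
    If objItem.PartOfDomain Then Call StageTwo() ' full payload only on domain members
Next
"""


def build_sample(junk_lines=2000):
    """Constructed sample: CORE's lines spread evenly among junk comment lines."""
    junk = "' Such natural language sentences pad the file to defeat signature scanning."
    core = CORE.strip().splitlines()
    per_gap = junk_lines // len(core)
    out = []
    for code_line in core:
        out.extend([junk] * per_gap)
        out.append(code_line)
    out.extend([junk] * (junk_lines - per_gap * len(core)))
    return "\n".join(out)


def strip_vbs_comments(text):
    """Keep only lines that can execute: drop blanks and whole-line comments.
    Trailing comments after code are left alone, since a quote inside a
    string literal is ambiguous without a real parser."""
    return [ln for ln in text.splitlines() if ln.strip() and not COMMENT_RE.match(ln)]


def triage(text, max_code_ratio=0.05, min_lines=1000):
    """Measure how much of the file is executable and scan the remainder
    for the campaign's indicators. 'padded' flags the article's pattern:
    a large file where almost nothing is code."""
    total = len(text.splitlines())
    code = strip_vbs_comments(text)
    ratio = len(code) / total if total else 0.0
    joined = "\n".join(code)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(joined))
    return {
        "total_lines": total,
        "code_lines": len(code),
        "code_ratio": round(ratio, 4),
        "padded": total >= min_lines and ratio <= max_code_ratio,
        "indicators": hits,
        "code": joined,
    }


if __name__ == "__main__":
    report = triage(build_sample())
    print({k: v for k, v in report.items() if k != "code"})
    print(report["code"])  # the five lines an analyst actually needs to read
```

Run against the real dropper, the same approach would collapse the reported 224,471 lines to the 266 that matter; the ratio alone (well under 1%) is a useful static signal even before anything is deobfuscated.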
Once a domain-joined target is confirmed and administrative rights are obtained (often through a persistent UAC prompt loop that pesters the user until they click “Yes”), the malware disables Windows Defender and downloads a suite of tools from Dropbox.
The campaign uses the ChromElevator module to bypass Chromium’s App-Bound Encryption (ABE), the protection Google introduced in Chrome 127 to stop infostealers from simply lifting the DPAPI-protected key. This allows it to extract cookies, passwords, and payment methods from Chrome, Edge, and Brave, often without admin privileges for the extraction step itself.
The actors deploy a customized XMRig miner to generate passive income. To stay unnoticed, the miner is launched with XMRig’s --pause-on-active=10 option, which halts hashing while the user is active and resumes ten seconds after the last input. As the analysis explains, “The moment you touch your mouse or type something, it stops mining and goes quiet for 10 seconds,” ensuring the victim never feels the CPU-heavy slowdown.
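The miner's evasion lives entirely in its command line, so process-creation telemetry (Sysmon Event ID 1, EDR process events) is the natural place to catch it. The following is an added example for this article, not Securonix's detection content: a small parser that pulls the pool URL and the "stay quiet" options out of a command line and rates it. The option names are real XMRig CLI switches; the three log records are constructed, and the paths, hostnames and wallet string are placeholders.

```python
"""Command-line triage for XMRig-style miners (added example)."""
import re

# XMRig options that only make sense for an operator who wants the miner
# to go unnoticed on a machine that is not theirs.
STEALTH_OPTIONS = {
    "--pause-on-active": "stops hashing while the user is active",
    "--pause-on-battery": "stops hashing on battery, so laptops never run hot",
    "--donate-level": "dev fee set to 0: the operator keeps every share",
    "--background": "detaches from the console",
    "-B": "same as --background",
    "--cpu-max-threads-hint": "caps CPU usage to stay below the user's notice",
}
POOL_OPTIONS = ("-o", "--url")

# Constructed Sysmon-style CommandLine values. Hostnames use the reserved
# .invalid TLD and the wallet is a placeholder, not a real address.
SAMPLE_PROCESS_EVENTS = [
    r'"C:\ProgramData\Intel\svchost.exe" -o pool.example.invalid:3333 -u WALLET_PLACEHOLDER --donate-level=0 --pause-on-active=10 -B',
    r'C:\Windows\System32\svchost.exe -k netsvcs -p',
    r'C:\Tools\xmrig.exe --url=pool.example.invalid:443 --tls',
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_options(cmdline):
    """Turn 'prog -o host:3333 --donate-level=0 -B' into
    {'-o': 'host:3333', '--donate-level': '0', '-B': True}."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    opts = {}
    i = 1  # tokens[0] is the image path
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            i += 1
            continue
        if "=" in tok:  # --opt=value
            key, val = tok.split("=", 1)
            opts[key] = val
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):  # --opt value
            opts[tok] = tokens[i + 1]
            i += 1
        else:  # bare switch
            opts[tok] = True
        i += 1
    return opts


def assess(cmdline):
    """Rate one command line: a pool URL plus any stealth option is a miner
    someone is hiding; a pool URL alone deserves a look but may be legitimate."""
    opts = parse_options(cmdline)
    pool = next((opts[k] for k in POOL_OPTIONS if k in opts), None)
    stealth = sorted(k for k in opts if k in STEALTH_OPTIONS)
    pause = opts.get("--pause-on-active")
    pause_seconds = int(pause) if isinstance(pause, str) and pause.isdigit() else None
    verdict = "hidden_miner" if pool and stealth else "review" if pool else "clean"
    return {
        "pool": pool,
        "stealth_options": stealth,
        "pause_on_active_seconds": pause_seconds,
        "verdict": verdict,
    }


def triage_events(events):
    return [assess(e) for e in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_PROCESS_EVENTS, triage_events(SAMPLE_PROCESS_EVENTS)):
        print(result["verdict"], "<-", event)
```

Note that the first record is a miner renamed to svchost.exe outside System32; the verdict comes from the options, not the file name, which is the point: an attacker can rename the binary, but a miner that pays no dev fee and pauses on mouse movement still has to say so on its command line.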
Stolen browser profiles and desktop files are zipped and exfiltrated via smtp.mail.ru. Each email is tagged with the victim’s country code, allowing the operator to sort stolen data geographically.
One of the most alarming aspects of the FAUX#ELEVATE campaign is its speed. Securonix emphasizes that “the full infection chain completes in approximately 25 seconds from initial VBS execution to credential exfiltration”.
By the time an incident responder arrives, the malware has typically performed an “aggressive cleanup,” deleting its own scripts and tools and leaving behind only the persistent miner and a backdoor.