Cybercriminals have launched a sophisticated phishing campaign impersonating CrowdStrike recruiters, aiming to install cryptominer malware on job seekers' devices. By pretending to offer positions at this respected cybersecurity company, perpetrators lure individuals into downloading harmful software.
Phishing Tactic Unveiled
According to CrowdStrike, this threat was first identified on January 7, 2025. The campaign starts with an email that falsely presents itself as part of CrowdStrike's recruitment process, enticing recipients with the promise of a junior developer interview. A link in the email sends victims to a counterfeit website that copies CrowdStrike's branding. The fraudulent site prompts users to download an "employee CRM application", offering Windows and macOS options; whichever option is chosen, the download is a malicious Windows executable written in Rust that deploys XMRig, a well-known cryptominer that mines Monero, a cryptocurrency favoured for its anonymity.
Malware Evasion and Persistence
The phishing site presents its download links as if they were CRM applications. Once executed, the downloader runs several checks to evade detection: it looks for malware analysis tools, virtualization software and attached debuggers, and inspects host specifications such as the number of CPU cores. It then displays a fake error message to allay the user's suspicion while fetching the additional components needed to keep the cryptomining operation running. XMRig's resource consumption is deliberately kept low, capped at 10%, so the miner stays unnoticed. For persistence, the attackers also drop a batch script into the Startup folder so the malware runs at every system boot.
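As an added illustration of how a defender might look for the two behaviours described above (a batch script dropped in a Startup folder and a miner throttled to a steady low CPU share), here is a small triage script that is not part of the original article or of any CrowdStrike tooling. The Startup paths, process list and CPU samples are constructed, and the XMRig command-line markers it searches for are an assumption about the miner's CLI, not something the article states.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a Windows host snapshot (not real telemetry).
SAMPLE_STARTUP_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat",
    r"C:\Users\alice\Downloads\build.bat",  # a .bat outside Startup is not persistence
]

# (pid, image name, command line, CPU% over the last five polls); all constructed.
SAMPLE_PROCESSES = [
    (1204, "chrome.exe", "chrome.exe --type=renderer", [12, 3, 0, 7, 1]),
    (3310, "svchost.exe", "svchost.exe -k netsvcs", [0, 1, 0, 0, 0]),
    (4188, "xmrig.exe", "xmrig.exe --max-cpu-usage=10 -o pool.example.invalid:3333", [9, 10, 10, 9, 10]),
]

# Command-line markers typical of XMRig invocations (an assumption about its CLI).
MINER_CMD_PATTERN = re.compile(r"xmrig|--max-cpu-usage|\s-o\s+\S+:\d+", re.IGNORECASE)


def startup_script_findings(paths):
    """Flag .bat/.cmd files placed directly inside a Startup folder."""
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() in {".bat", ".cmd"} and wp.parent.name.lower() == "startup":
            findings.append({"pid": None, "reason": "startup script", "path": p})
    return findings


def miner_findings(processes, floor=5, ceiling=15):
    """Flag processes with miner-like command lines; a steady low CPU share
    (the campaign caps XMRig near 10%) is recorded as corroborating evidence."""
    findings = []
    for pid, image, cmdline, samples in processes:
        reasons = []
        if MINER_CMD_PATTERN.search(cmdline):
            reasons.append("miner command line")
        if samples and floor <= min(samples) and max(samples) <= ceiling:
            reasons.append(f"steady {min(samples)}-{max(samples)}% CPU")
        if "miner command line" in reasons:
            findings.append({"pid": pid, "image": image, "reasons": reasons})
    return findings


def triage(startup_files, processes):
    """Combine both checks into one list of findings for an analyst to review."""
    return startup_script_findings(startup_files) + miner_findings(processes)


if __name__ == "__main__":
    for finding in triage(SAMPLE_STARTUP_FILES, SAMPLE_PROCESSES):
        print(finding)
```

The steady-CPU band is only corroboration, since many benign services also idle in a narrow range; in production the process check would be fed from EDR telemetry rather than a hard-coded list.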
Growing Threat of Fake Job Scams
Fake job scams are on the rise, and the North Korean group Lazarus frequently targets consumers with similar methods. Hackread reported that Lazarus has been deploying "RustyAttr", a macOS trojan, since May 2024, using such tactics to operate stealthily.
Safety Recommendations for Job Seekers
It is rare for legitimate recruiters to instruct candidates to download software or arrange interviews through unconventional means. It's crucial to validate any job offer and refer to official corporate websites for verifying career opportunities. CrowdStrike urges candidates to be wary of unsolicited interview offers, especially those involving instant messaging or group chats, as well as requests for financial transactions or software downloads. Vigilance in verifying these activities can significantly lower the risk of being compromised. CrowdStrike advises educating employees about phishing tactics, monitoring suspicious network activity, and implementing endpoint protection software as effective measures against these threats. For direct communication verification, job seekers can reach out to CrowdStrike’s recruiting team directly.