Fake recruiters are hunting for resumes – and your credentials too. Reports have emerged of malware being used in job tasks that purport to test a candidate’s technical skills.
Recruiters are constantly struggling to find matches for their job openings, whether through classic online job postings or through DMs on platforms like LinkedIn.
We have recently discovered a report from several users on Reddit who says to they have been contacted by a recruiter and tasked with creating a work sample. This practice is not uncommon, although it has been alleged in the past that some companies use this tactic to exploit applicants and get production work done for free. But overall, companies want to see that you are capable of doing what your resume says. This case was interesting, though. Considering that you are reading this post on the blog of a companies that combat harmful code you can probably guess where this leads. But let's not go too far.
Shady archive, strange warnings
Reddit user huggesh_nair reported that he was given access to a private archive on Github, where they were supposed to download application data for the task. The installation failed, and then the system asked for permission to install a Python package (Python is a scripting language commonly used by developers to automate and facilitate certain tasks). With no recollection of any reason why this would happen, the user became cautious and turned to Reddit for advice. They were told that this seemed extremely suspicious, and that the best course of action was probably to restore the system. This wasn't bad advice, because it turned out that this task came with a little something extra.
In particular, there are some heavily garbled scripts among the downloaded the information from the archiveThese, as it turns out, steal data from a variety of browsers. It's session tokens, stored passwords, and crypto wallets that these malicious scripts are after.
A familiar tactic
This tactic sounds familiar – stealing this kind of data is quite common and we’ve seen cases involving direct messages on social media platforms before. And these types of attacks cost victims not only their accounts, but potentially a lot of money. In the case of these fake job ads/work samples or “tech tests”, as they are sometimes called, the job seeker (we use quotes here because they technically weren’t actively looking for a job, but were contacted by a supposed “recruiter”) is expected to submit a CV. Again, common practice for any hiring process, and therefore not immediately suspicious. However, in this case, a legitimate CV, where we can assume the information is accurate, complete and up-to-date, is being sent to a criminal organisation. You can use your own imagination to think about what criminals might do with such information. One scenario that comes to mind is creating fake job applications for positions involving remote work. This is something that has also happened before – North Korean actors have been known to successfully infiltrate businesses and pretend to be real applicants doing real work. And while some fake applications are easy to spot, AI technology is actively used to create very convincing fakes that even hold their own during a video call.
Who did it?
North Korean group Lazarus is behind this. It would make sense since this group has been known to steal data from computers and empty bank accounts and crypto wallets to – there is a theory that it is As for who is behind these attacks to fill the coffers of the North Korean regime. Chainalysis has estimated that North Korea has confiscated over 1 billion USB drives from cryptocurrency theft alone.
How to protect yourself from criminals posing as recruiters
So if you're currently open to a new job and are contacted by someone claiming to be looking for someone with your qualifications, there are a few things to watch out for:
- Make sure there is another way to contact them, either by mail or phone.
No legitimate recruiter should refuse you to contact them through another channel. - When you are tasked with providing a work sample or taking a “technical test,” pay attention to the source of the information you are given.
- A Github repo with a somewhat random username that is in no way connected to the company you probably work for is a big red flag.
- Check the website of the company the person contacting you claims to work for. If you don't find a job opening there that matches your skills profile (or even no job openings at all), this may warrant a little caution.
- Be careful with email domains. If you get an email address, make sure it matches the company website. Pay special attention to things like character substitutions, such as l and I (lowercase “L” as in Lima compared to uppercase “I”, as in India).








![Milestones: How to take down a mammoth - [Chronicle by Daniel Eisenberg] | IT Industry Milestones How to Take Down a Mammoth](https://itbranschen.com/wp-content/uploads/2024/12/Milstolpar-Hur-man-tar-ner-en-mammut-688x387.jpg)