**Full report:** "Legit-looking website, camera-on interviews, jokes about backdoors ... it worked" (EXCLUSIVE). It all started with a LinkedIn message, as so many employment scams do these days.…

**Analysis summary**
# Incident Report: Sophisticated Recruitment-Based Malware Delivery
## Executive Summary
A professional web developer was targeted by a highly sophisticated social engineering campaign disguised as a legitimate recruitment process for a blockchain firm. Using camera-on interviews and a multi-stage technical evaluation, attackers tricked the victim into running a malicious coding test. The resulting malware exfiltrated over 600 passwords, the macOS keychain, and cryptocurrency wallet data within 56 seconds of execution.
## Incident Details
- **Discovery Date:** April 2026 (Approximate)
- **Incident Date:** April 2026
- **Affected Organization:** Boris Vujičić (Individual/Developer)
- **Sector:** Blockchain / Software Development
- **Geography:** Serbia
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Social Engineering / LinkedIn Phishing
- **Details:** A recruiter from "Genusix Labs" contacted the victim via LinkedIn. The attackers maintained a professional website, fake LinkedIn profiles, and conducted two rounds of video interviews (HR and technical) to build trust.
### Lateral Movement
- **Details:** No lateral movement was observed; the compromise was confined to the victim's workstation. The script itself, however, was built to run in CI/CD pipelines and developer environments of the kind common in the victim's sector.
### Data Exfiltration/Impact
- **Details:** Within 56 seconds of execution, the malware collected and exfiltrated 634 Chrome passwords, the macOS Keychain, and MetaMask wallet data.
### Detection & Response
- **How it was discovered:** A macOS system prompt ("patch[.]sh wants to run as a background process") alerted the victim.
- **Response actions taken:** Victim immediately disabled Wi-Fi, terminated malicious processes, and performed manual file-by-file eradication of the malware.
## Attack Methodology
- **Initial Access:** Social Engineering via professional networking (LinkedIn) and video interviews.
- **Persistence:** Script configured to automatically restart upon system boot (launchd/cron-style persistence).
- **Privilege Escalation:** The script requested permission to run as a background process; on macOS this triggers a system prompt, which is what exposed the malware.
- **Defense Evasion:** Malware was "hidden inside a dependency of a dependency" within a GitHub repository. Use of custom RC4-encrypted C2 protocol.
- **Credential Access:** Mass extraction of Google Chrome saved passwords and macOS Keychain files.
- **Discovery:** Automated CPU architecture check to download the specific secondary payload.
- **Lateral Movement:** N/A (Focused on local secrets theft).
- **Collection:** Targeting of browser data and MetaMask browser extensions.
- **Exfiltration:** Data sent to attacker-controlled infrastructure via custom Go-based backdoor.
- **Impact:** Information theft (credentials and crypto-wallet data).
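The persistence and detection points above (a script registering itself to restart at boot, exposed by the macOS background-process prompt) can be triaged after the fact from the host's launchd agents and crontab. The following Python is an added example, not code from the original report or from any tool it names: it parses launchd plists and crontab lines and flags entries that both persist (RunAtLoad/KeepAlive, or an `@reboot`/scheduled cron entry) and point at a script in a temporary directory. The plist and crontab text are constructed samples; the labels, the `/private/tmp/camdriver/` path and the `TEMP_DIRS` list are placeholders and defender-chosen assumptions, not indicators from the incident.

```python
"""Triage launchd agents and crontab entries for dropped-script persistence.
Added example; samples, labels and paths below are constructed placeholders."""
from __future__ import annotations

import plistlib
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: legitimate background items rarely live here. Tune per fleet.
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
SCRIPT_SUFFIXES = (".sh", ".command", ".py")
# Five schedule fields, or @reboot, followed by the command.
CRON_RE = re.compile(r"^\s*(@reboot\s+|(?:\S+\s+){5})(?P<cmd>.+)$")


@dataclass
class Finding:
    source: str         # plist file name or "crontab"
    program: str        # the script or binary that would run
    reasons: list[str]


def script_in_command(tokens: list[str]) -> str:
    """`/bin/sh x.sh` -> x.sh; otherwise the first token (the program itself)."""
    return next((t for t in tokens if t.endswith(SCRIPT_SUFFIXES)), tokens[0] if tokens else "")


def triage_launchd(name: str, plist_bytes: bytes) -> Optional[Finding]:
    """Flag a plist only when a persistence key and a temp-dir program coincide."""
    plist = plistlib.loads(plist_bytes)
    if plist.get("Program"):
        program = str(plist["Program"])
    else:
        program = script_in_command([str(a) for a in plist.get("ProgramArguments", [])])
    if not program.startswith(TEMP_DIRS):
        return None
    reasons = ["program lives in a temporary directory"]
    if program.endswith(SCRIPT_SUFFIXES):
        reasons.append("program is a script rather than a signed binary")
    persistence = []
    if plist.get("RunAtLoad"):
        persistence.append("RunAtLoad: starts at boot/login")
    if plist.get("KeepAlive"):  # bool or a dict of conditions; either relaunches it
        persistence.append("KeepAlive: relaunched if it exits")
    return Finding(name, program, reasons + persistence) if persistence else None


def triage_crontab(text: str) -> list[Finding]:
    """Flag crontab lines whose command runs something out of a temporary directory."""
    findings = []
    for line in text.splitlines():
        m = CRON_RE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue  # comments and MAILTO=... style assignments land here
        program = script_in_command(m.group("cmd").split())
        if program.startswith(TEMP_DIRS):
            findings.append(Finding("crontab", program,
                                    ["program lives in a temporary directory",
                                     "schedule: " + m.group(1).strip()]))
    return findings


def triage_all(agents: dict[str, bytes], crontab: str) -> list[Finding]:
    found = [f for n, b in agents.items() if (f := triage_launchd(n, b))]
    return found + triage_crontab(crontab)


# Constructed samples: one agent mimicking the report's pattern, one benign.
SAMPLE_AGENTS = {
    "com.placeholder.camdriver.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.placeholder.camdriver</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/private/tmp/camdriver/camdriver.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "com.placeholder.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.placeholder.updater</string>
  <key>Program</key><string>/Applications/Placeholder.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}
SAMPLE_CRONTAB = """# constructed sample crontab
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh
@reboot /bin/sh /private/tmp/camdriver/camdriver.sh
"""

if __name__ == "__main__":
    for f in triage_all(SAMPLE_AGENTS, SAMPLE_CRONTAB):
        print(f"{f.source}: {f.program}")
        for r in f.reasons:
            print("   -", r)
```

On a real host the agent bytes would come from `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`, and the crontab from `crontab -l`; the check deliberately requires both a persistence setting and a temporary-directory program, so a vendor updater that starts at login is not reported.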
## Impact Assessment
- **Financial:** No direct crypto theft reported due to quick response, but high potential for future loss.
- **Data Breach:** 634 passwords and full macOS keychain exfiltrated.
- **Operational:** Developer's machine compromised; required full password reset of all accounts (Email, GitHub, Banking).
- **Reputational:** High-profile developer targeted specifically due to industry expertise.
## Indicators of Compromise
- **Network indicators:** hxxp[://]patch[.]sh
- **File indicators:** camdriver[.]sh (located in temporary camera-driver folder)
- **Behavioral indicators:** Request for background execution permissions immediately following the execution of a coding project; suspicious dependencies in NPM/GitHub repos.
## Response Actions
- **Containment:** Disconnected local machine from the internet (Wi-Fi kill).
- **Eradication:** Manual removal of malicious scripts and artifacts; reporting of GitHub, HostGator, and LinkedIn profiles.
- **Recovery:** Full credential rotation for all compromised accounts; forensic sharing with zeroShadow (blockchain intelligence).
## Lessons Learned
- **Sophistication:** Scammers are now performing "high-effort" social engineering, including camera-on Zoom calls that do not show obvious signs of deepfakes.
- **False Security:** Attackers actively encouraged the victim to "check for backdoors," using reverse psychology to lower his guard.
- **Speed:** 56 seconds is sufficient for a complete compromise of a developer’s digital identity.
## Recommendations
- **Environment Isolation:** Run all coding tests or untrusted repositories in a dedicated, ephemeral Virtual Machine (VM) or isolated cloud environment (e.g., GitHub Codespaces) with no access to host secrets.
- **Hardware Keys:** Utilize hardware security keys (e.g., YubiKey) to mitigate the impact of stolen passwords/keychains.
- **Dependency Analysis:** Use tools like `npm audit` or specialized security scanners before running projects with deep dependency trees.
- **Zero Trust Recruitment:** Treat all unsolicited recruitment tasks requiring "live code execution" as high-risk, regardless of the quality of the company’s website or interviews.
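The "dependency of a dependency" hiding place noted under Defense Evasion and the Dependency Analysis recommendation above both come down to one question: what will `npm install` execute before any test code is even read? The following Python is an added example, not code from the original report or from npm: it parses a package-lock.json (lockfileVersion 2 or 3, where every installed package, transitive ones included, is listed under `packages` keyed by its `node_modules` path) and reports packages that run a lifecycle script on install, resolve outside the public registry, or carry no integrity hash, plus any install-time scripts the project manifest declares itself. The lockfile and manifest are constructed; package names and the `example.invalid` URL are placeholders.

```python
"""Flag risky packages in an npm lockfile before `npm install` runs anything.
Added example; the lockfile and manifest below are constructed placeholders."""
from __future__ import annotations

import json
from dataclasses import dataclass

REGISTRY = "https://registry.npmjs.org/"
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")


@dataclass
class Risk:
    path: str           # node_modules path from the lockfile
    depth: int          # 1 = direct dependency, 2+ = dependency of a dependency
    reasons: list[str]


def audit_lockfile(lock: dict) -> list[Risk]:
    """Walk every installed package in a v2/v3 lockfile and collect risk reasons."""
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("need lockfileVersion 2 or 3 with a 'packages' map")
    risks: list[Risk] = []
    for path, meta in lock["packages"].items():
        if path == "":
            continue                      # the root project itself
        depth = path.count("node_modules/")
        reasons = []
        if meta.get("hasInstallScript"):  # npm sets this for packages with install hooks
            reasons.append("runs a lifecycle script on install")
        if meta.get("link"):
            reasons.append("symlink to a local path")
        else:
            resolved = meta.get("resolved", "")
            if not resolved.startswith(REGISTRY):
                reasons.append(f"resolved outside the public registry: {resolved or '<missing>'}")
            if not meta.get("integrity"):
                reasons.append("no integrity hash, tarball contents unverified")
        if reasons:
            risks.append(Risk(path, depth, reasons))
    return risks


def audit_manifest(pkg: dict) -> list[str]:
    """Lifecycle scripts the project itself declares also run on `npm install`."""
    return [f"{k}: {v}" for k, v in pkg.get("scripts", {}).items() if k in LIFECYCLE]


def report(lock: dict, pkg: dict) -> list[str]:
    """Human-readable lines; transitive findings are called out as such."""
    lines = [f"project script will run on install -> {s}" for s in audit_manifest(pkg)]
    for r in audit_lockfile(lock):
        kind = "transitive" if r.depth > 1 else "direct"
        lines.append(f"{kind} dependency {r.path}: " + "; ".join(r.reasons))
    return lines


# Constructed sample: a clean direct dependency, a clean UI package, and a
# transitive package pulled from a git URL that runs an install script.
SAMPLE_LOCK = json.loads("""{
  "name": "coding-test", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": {"name": "coding-test",
         "dependencies": {"pad-placeholder": "^1.0.0", "ui-kit-placeholder": "^2.0.0"}},
    "node_modules/pad-placeholder": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/pad-placeholder/-/pad-placeholder-1.0.0.tgz",
      "integrity": "sha512-PLACEHOLDER"},
    "node_modules/ui-kit-placeholder": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/ui-kit-placeholder/-/ui-kit-placeholder-2.0.0.tgz",
      "integrity": "sha512-PLACEHOLDER",
      "dependencies": {"helper-placeholder": "git+https://example.invalid/someone/helper.git"}},
    "node_modules/ui-kit-placeholder/node_modules/helper-placeholder": {
      "version": "0.0.1",
      "resolved": "git+https://example.invalid/someone/helper.git#0123abcd",
      "hasInstallScript": true}
  }
}""")
SAMPLE_MANIFEST = {"name": "coding-test",
                   "scripts": {"postinstall": "node setup.js", "test": "jest"}}

if __name__ == "__main__":
    for line in report(SAMPLE_LOCK, SAMPLE_MANIFEST):
        print(line)
```

Run it against the repository's real `package-lock.json` and `package.json` before installing; if anything is reported, `npm ci --ignore-scripts` installs the tree without executing lifecycle hooks, which still leaves the project's own code to be run only inside the isolated environment recommended above.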