Full Report
Cyble threat intelligence researchers have uncovered a GitHub repository masquerading as a hiring coding challenge that tricks developers into downloading a backdoor that steals sensitive data. The campaign uses several unusual techniques, among them a social media profile for command and control (C&C) in place of dedicated C&C servers. There is evidence that the campaign may be expanding beyond the fake hiring challenge for developers: Cyble Research and Intelligence Labs (CRIL) researchers also found invoice-themed lures.

Fake Hiring Challenge Targets Polish Developers

The Cyble researchers said in a blog post that the campaign appears to target Polish-speaking developers, and the malware uses geofencing to restrict where it runs. The researchers speculated that the lure is delivered through job platforms such as LinkedIn or regional developer forums.

The fake recruitment test, named “FizzBuzz,” is used to trick victims into downloading an ISO file containing a JavaScript exercise and a malicious LNK shortcut. When the LNK file (“README.lnk”) is opened, it runs a PowerShell script that installs a stealthy backdoor the researchers dubbed “FogDoor.”

“This backdoor is designed for persistence, data theft, and remote command execution while avoiding detection,” Cyble wrote. Instead of contacting C&C servers, FogDoor uses a Dead Drop Resolver (DDR) technique: it retrieves attack commands from a profile on a social media platform, the researchers said. Geofencing restricts execution to victims in Poland. Once active, “it systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces,” Cyble said. The malware uses Chrome’s remote debugging feature to steal the browser’s cookies and can do so in background mode, while Firefox credentials are taken from profile directories.
PowerShell Script Establishes Persistence

The PowerShell script also opens a “README.txt” file “to mislead users into believing they are interacting with a harmless file,” Cyble said. That document contains instructions for a bug-fix task, “making it appear harmless while ensuring the PowerShell script executes only once on the victim’s machine to carry out malicious activities.”

The PowerShell script also downloads an executable, saves it as “SkyWatchWeather.exe” in the “C:\Users\Public\Downloads” folder, and creates a scheduled task named “Weather Widget.” The task launches the downloaded file through mshta.exe and VBScript and is set to run every two minutes indefinitely.

SkyWatchWeather.exe acts as a backdoor, using a social media platform (bark.lgbt) and a temporary webhook service (webhookbin.net) as its C&C infrastructure. After verifying the victim’s location, the malware attempts to connect to “bark.lgbt/api” and awaits further commands, which are embedded in the profile information of the social media account. That setup also makes detection and takedown efforts more challenging, Cyble said.

Stopping Hiring Scams and Cyberattacks

The researchers had a number of recommendations for protecting against FizzBuzz, FogDoor and similar attacks, such as:

- Cross-checking job offers and coding challenges from unverified sources
- Refraining from downloading and running files from unknown repositories, particularly ISO images and script files
- Restricting the execution of PowerShell, JavaScript and other scripting languages unless explicitly required, and using application whitelisting
- Monitoring outbound connections to uncommon domains or file-sharing services
- Protecting browser-stored credentials with multi-factor authentication (MFA) and password managers

The full Cyble blog contains deeper analysis of the campaign and includes Yara and Sigma detection rules, indicators of compromise (IoCs) and MITRE ATT&CK techniques.
Analysis Summary
# Tool/Technique: FogDoor Malware/Campaign
## Overview
FogDoor is the name Cyble gave to the backdoor delivered by a social-engineering campaign that poses as a hiring coding challenge for developers (the "FizzBuzz" test, distributed from a GitHub repository); CRIL also observed invoice-themed lures from the same campaign. The backdoor is written to disk as **SkyWatchWeather.exe** and is built for persistence, data theft (browser cookies, Wi-Fi credentials, system data) and remote command execution, with its commands fetched from a social media profile rather than from a C2 server.
## Technical Details
- Type: Malware/Attack Campaign (ISO lure containing a JavaScript exercise and an LNK shortcut, a PowerShell dropper, VBScript launched through mshta.exe, and an executable backdoor)
- Platform: Windows (PowerShell, mshta.exe, scheduled tasks, and the `C:\Users\Public\Downloads` drop path)
- Capabilities: Geofenced execution (Poland only), payload download, persistence via scheduled task, theft of Chrome cookies (remote debugging), Firefox credentials, Wi-Fi credentials and system data, local staging and exfiltration, trace deletion, and remote command execution over a Dead Drop Resolver C2 channel.
- First Seen: Not explicitly stated, but discussed in an article dated March 24, 2025.
## MITRE ATT&CK Mapping
Based on the execution chain described (the IDs below are standard ATT&CK Enterprise identifiers applied by this summary; the article notes that the full Cyble blog carries its own mapping):
- **TA0001 - Initial Access / TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (ISO lure containing `README.lnk`)
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.005 - Command and Scripting Interpreter: Visual Basic (VBScript run by the scheduled task)
- T1218.005 - System Binary Proxy Execution: Mshta
- **TA0003 - Persistence**
- T1053.005 - Scheduled Task/Job: Scheduled Task ("Weather Widget", every two minutes)
- **TA0005 - Defense Evasion**
- T1036 - Masquerading (weather-widget task name, decoy `README.txt`)
- T1070.004 - Indicator Removal: File Deletion (traces deleted after staging)
- **TA0006 - Credential Access**
- T1539 - Steal Web Session Cookie (Chrome cookies via remote debugging)
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers (Firefox profile directories)
- **TA0007 - Discovery**
- T1614 - System Location Discovery (geofencing to Poland)
- **TA0009 - Collection**
- T1074.001 - Data Staged: Local Data Staging
- **TA0010 - Exfiltration**
- T1567 - Exfiltration Over Web Service (staged data is exfiltrated; the article names only web services as infrastructure and does not specify the exfiltration endpoint)
- **TA0011 - Command and Control**
- T1102.001 - Web Service: Dead Drop Resolver (commands read from a `bark[.]lgbt` profile)
- T1071.001 - Application Layer Protocol: Web Protocols (`bark[.]lgbt/api`, `webhookbin[.]net`)
## Functionality
### Core Capabilities
- **Initial Access/Execution**: Delivered as a fake developer hiring challenge ("FizzBuzz") hosted on GitHub; the victim downloads an ISO containing a JavaScript exercise and a malicious LNK (`README.lnk`) that launches a PowerShell script.
- **Decoy**: The script opens a `README.txt` with bug-fix instructions so the victim believes the file is harmless, and runs its malicious actions only once per machine.
- **Payload Delivery**: The PowerShell script downloads an executable and saves it as `SkyWatchWeather.exe` in `C:\Users\Public\Downloads`.
- **Persistence**: Creates a scheduled task named "Weather Widget" that runs the downloaded executable every two minutes indefinitely.
- **Execution Environment**: The task launches the file through `mshta.exe` and VBScript.
- **Geofencing**: Execution is restricted to victims in Poland; the location check runs before the backdoor contacts its C2.
- **Data Theft**: Steals Chrome cookies through the browser's remote debugging interface (usable in background mode), Firefox credentials from profile directories, Wi-Fi credentials and system data; the data is staged for exfiltration and traces are deleted afterwards.
### Advanced Features
- **C2 Infrastructure Obfuscation**: The backdoor (**SkyWatchWeather.exe**) uses a social media platform (`bark[.]lgbt`) and a temporary webhook service (`webhookbin[.]net`) as its Command and Control (C2) infrastructure.
- **Command Retrieval**: After the location check, the backdoor contacts `bark[.]lgbt/api` and awaits commands embedded in the profile information of a social media account (a Dead Drop Resolver). This complicates detection and takedown: the traffic goes to a legitimate platform, and there is no attacker-owned server to block or seize.
## Indicators of Compromise
- File Hashes: [None provided in context]
- File Names: `SkyWatchWeather.exe` (dropped to `C:\Users\Public\Downloads`), `README.lnk` (inside the FizzBuzz ISO), `README.txt` (decoy opened by the PowerShell script)
- Registry Keys: [Not explicitly mentioned, though persistence mechanism uses Scheduled Tasks]
- Network Indicators:
- C2 Endpoint 1: `bark[.]lgbt/api` (Defanged)
- C2 Endpoint 2: `webhookbin[.]net` (Defanged)
- Behavioral Indicators:
- Mounting of an ISO image received as a coding challenge, followed by `powershell.exe` launched from an LNK on the mounted volume.
- Creation of a scheduled task named "Weather Widget" whose action is `mshta.exe` with a VBScript payload, repeating every two minutes.
- `mshta.exe` spawning an executable from `C:\Users\Public\Downloads`.
- Chrome started with a remote-debugging switch, typically by a non-browser parent process (cookie theft).
- Outbound connections to social media APIs or webhook testing services at a regular cadence for command retrieval.
## Associated Threat Actors
- The article does not attribute the campaign to a named threat actor or group.
- "FizzBuzz" is the name of the fake recruitment test and "FogDoor" the name Cyble gave the backdoor; both belong to the same campaign rather than to separate actors.
- Targeting: Polish-speaking developers, with invoice-themed lures suggesting expansion to other victim groups.
## Detection Methods
- **Signature-based detection**: YARA and Sigma rules are published in the full Cyble blog post (not reproduced in the article).
- **Behavioral detection**: Monitor for the execution chain `LNK -> powershell.exe -> scheduled task -> mshta.exe (VBScript) -> SkyWatchWeather.exe`, for browsers launched with remote-debugging switches, and for processes making periodic connections to social media APIs or webhook services that are not normal for the host.
- **Network detection**: Block or alert on `bark[.]lgbt` and `webhookbin[.]net`, and baseline outbound traffic from developer workstations so that short-interval polling of an uncommon domain stands out.
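The persistence chain in the article (a "Weather Widget" scheduled task firing `mshta.exe` with VBScript every two minutes to relaunch `SkyWatchWeather.exe` from `C:\Users\Public\Downloads`) and the behavioral-detection bullet above can be turned into concrete host-side rules. The following Python is an added example written for this summary; it is not Cyble's code and nothing in it comes from the campaign's own scripts. It runs over constructed event records shaped roughly like Sysmon process-creation and Windows task-creation telemetry; the field names, the inline VBScript argument, the browser paths and the `--remote-debugging-port` command line are assumptions for illustration, while the task name, binary name and drop folder come from the report.

```python
"""Host-side checks for the FogDoor persistence chain.

Added example, not Cyble's code and not the campaign's code. Field names
and sample values are assumptions shaped like Sysmon EID 1 (process
creation) and scheduled-task creation records.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    kind: str                       # "task_created" or "process_created"
    fields: dict = field(default_factory=dict)


PUBLIC_DOWNLOADS = re.compile(r"c:\\users\\public\\downloads\\", re.I)
MSHTA_INLINE = re.compile(r"\b(vbscript|javascript):", re.I)   # mshta protocol handlers
REMOTE_DEBUG = re.compile(r"--remote-debugging-(port|pipe)\b", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_task(f: dict) -> list[str]:
    """Flags scheduled-task properties matching the 'Weather Widget' task."""
    hits = []
    action, args = f.get("Action", ""), f.get("Arguments", "")
    if basename(action) == "mshta.exe":
        hits.append("task action is mshta.exe")
        if MSHTA_INLINE.search(args):
            hits.append("mshta argument is an inline vbscript:/javascript: payload")
    if PUBLIC_DOWNLOADS.search(action + " " + args):
        hits.append("task references C:\\Users\\Public\\Downloads")
    interval = f.get("RepetitionIntervalMinutes")
    if interval is not None and interval <= 5:
        hits.append(f"task repeats every {interval} min")
    return hits


def check_process(f: dict) -> list[str]:
    """Flags the backdoor launch and the Chrome remote-debugging cookie-theft step."""
    hits = []
    image, parent = f.get("Image", ""), f.get("ParentImage", "")
    cmd = f.get("CommandLine", "")
    if basename(image) in ("chrome.exe", "msedge.exe") and REMOTE_DEBUG.search(cmd):
        hits.append(f"{basename(image)} started with a remote-debugging flag (cookie theft via DevTools)")
    if basename(parent) == "mshta.exe" and PUBLIC_DOWNLOADS.search(image):
        hits.append("mshta.exe spawned an executable from C:\\Users\\Public\\Downloads")
    return hits


CHECKS = {"task_created": check_task, "process_created": check_process}


def scan(events: list[Event]) -> list[tuple[int, list[str]]]:
    """Returns (index, hits) for every event that matched at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = CHECKS.get(ev.kind, lambda f: [])(ev.fields)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample telemetry (not real captures); paths and flags are assumed.
SAMPLE_EVENTS = [
    Event("process_created", {                       # benign browser start
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    }),
    Event("task_created", {                          # the FogDoor persistence task
        "TaskName": r"\Weather Widget",
        "Action": r"C:\Windows\System32\mshta.exe",
        "Arguments": r'vbscript:Execute("CreateObject(""WScript.Shell"").Run ""C:\Users\Public\Downloads\SkyWatchWeather.exe"", 0")',
        "RepetitionIntervalMinutes": 2,
    }),
    Event("process_created", {                       # task fires: mshta launches the backdoor
        "Image": r"C:\Users\Public\Downloads\SkyWatchWeather.exe",
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"C:\Users\Public\Downloads\SkyWatchWeather.exe",
    }),
    Event("process_created", {                       # backdoor drives Chrome for cookie theft
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Users\Public\Downloads\SkyWatchWeather.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9222 --user-data-dir="C:\Users\dev\AppData\Local\Google\Chrome\User Data"',
    }),
    Event("task_created", {                          # benign Windows task, should not fire
        "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
        "Action": r"%systemroot%\system32\usoclient.exe",
        "Arguments": "StartScan",
        "RepetitionIntervalMinutes": None,
    }),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].kind, hits)
```

The `Public\Downloads` path and the short repetition interval are what separate this task from legitimate `mshta.exe` use in software installers; keep both conditions until outbound telemetry has been baselined, and treat a browser started with a remote-debugging switch by anything other than a developer tool as a credential-access alert on its own.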
## Mitigation Strategies
- Cross-checking job offers and coding challenges from unverified sources.
- Refraining from downloading and running files from unknown repositories, especially ISO images and script files.
- Restricting the execution of PowerShell, JavaScript, and other scripting languages unless explicitly required, utilizing application whitelisting.
- Monitoring outbound connections to uncommon domains or file-sharing services.
- Protecting browser-stored credentials with Multi-Factor Authentication (MFA) and password managers.
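Monitoring outbound connections (the fourth bullet above, and the network indicators listed earlier) is more durable if the detector looks for cadence rather than only for known domains: a Dead Drop Resolver profile can move to a new account while the two-minute scheduled task keeps the polling rhythm. The following Python is an added example, not code from Cyble or from the campaign. It parses constructed proxy log lines in an assumed `<timestamp> <source host> <destination host> <path>` format; the hostnames, timestamps and paths are made up, and only the two domains in `KNOWN_C2` come from the report (written un-defanged so the match works against real logs).

```python
"""Network-side check for FogDoor-style C2 polling.

Added example, not from the Cyble report. Log format and all hosts,
times and paths are constructed; KNOWN_C2 holds the report's two domains.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

KNOWN_C2 = {"bark.lgbt", "webhookbin.net"}

# Constructed log lines (not real traffic). WS-DEV-07 polls bark.lgbt/api
# roughly every two minutes; WS-DEV-12 browses a normal site irregularly.
SAMPLE_LOG = """\
2025-03-20T09:00:05Z WS-DEV-07 bark.lgbt /api
2025-03-20T09:01:13Z WS-DEV-07 github.com /example/repo
2025-03-20T09:02:06Z WS-DEV-07 bark.lgbt /api
2025-03-20T09:04:05Z WS-DEV-07 bark.lgbt /api
2025-03-20T09:06:07Z WS-DEV-07 bark.lgbt /api
2025-03-20T09:08:05Z WS-DEV-07 bark.lgbt /api
2025-03-20T09:08:40Z WS-DEV-07 webhookbin.net /bin/3f9a
2025-03-20T09:00:30Z WS-DEV-12 stackoverflow.com /questions/1
2025-03-20T09:17:30Z WS-DEV-12 stackoverflow.com /questions/2
2025-03-20T09:42:01Z WS-DEV-12 stackoverflow.com /questions/3
2025-03-20T09:43:11Z WS-DEV-12 stackoverflow.com /questions/4
"""


def parse(log: str) -> list[tuple[datetime, str, str, str]]:
    """Splits each line into (timestamp, source host, destination host, path)."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, path = line.split(maxsplit=3)
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, path))
    return rows


def ioc_matches(rows) -> set[tuple[str, str]]:
    """Exact-match sweep against the domains named in the report."""
    return {(src, dst) for _, src, dst, _ in rows if dst.lower() in KNOWN_C2}


def find_beacons(rows, min_hits=4, max_mean_s=300.0, max_cv=0.2) -> list[dict]:
    """Source/destination pairs whose request gaps are short and nearly constant.

    The coefficient of variation (stdev / mean) of the inter-request gaps is
    high for human browsing and close to zero for a scheduled poll, so a low
    CV combined with a short mean gap is the beaconing signal.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in rows:
        by_pair[(src, dst.lower())].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:           # too few samples to judge cadence
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else 0.0
        if m <= max_mean_s and cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "hits": len(times),
                            "mean_gap_s": round(m, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("IoC matches:", sorted(ioc_matches(rows)))
    for b in find_beacons(rows):
        print("beacon:", b)
```

In the sample, `WS-DEV-12` has enough requests to `stackoverflow.com` to be evaluated but fails on mean gap (over 800 s), while `WS-DEV-07` polls `bark.lgbt` with a mean gap of 120 s and a CV near 0.01 and is reported even if the domain were not on the IoC list; the single `webhookbin.net` hit is caught only by the exact-match sweep, which is why both checks are worth running together.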
## Related Tools/Techniques
- **FizzBuzz**: the name of the fake recruitment test used as the lure in this campaign; not a separate tool.
- **Dead Drop Resolver (DDR)**: the C2 technique the backdoor relies on, reading commands from a social media profile; detection built only around known C2 server addresses will miss it.
- **Invoice-themed lures**: also observed by CRIL, indicating the same delivery chain is being reused outside the developer-recruitment theme.