lazarusholic

Cybercrooks Are Using Fake Job Listings to Steal Crypto

2025-02-13, Moonlock
https://hackernoon.com/cybercrooks-are-using-fake-job-listings-to-steal-crypto
#ContagiousInterview

Contents

Written by MacPaw’s Moonlock Lab Team
An ongoing cyber campaign is targeting job seekers with fake interview websites, tricking them into downloading a barebones yet highly effective backdoor. Unlike sophisticated malware that uses obfuscation techniques, this attack relies on simplicity—delivering source code alongside a Go binary, making it cross-platform. Even more concerning is its attempt to hijack the permissions of the cryptocurrency-related Chrome extension MetaMask, potentially draining victims' wallets.
The campaign remains active, with new domains regularly appearing to lure more victims. Many individual security researchers and companies, such as
The Moonlock Lab team began tracking this exact malware on October 9, 2024, when the first components of the backdoor started to appear. A backdoor is a type of malicious software that hides on a system and allows threat actors to execute commands remotely, as if they were the legitimate owners of the workstation. These attacks typically utilize so-called C2 (Command and Control) …

IoC
