Fake recruiters are currently hunting CVs — and your personal data. Reports have surfaced about malicious software hidden in job tasks that claim to test a candidate’s technical skills.
Recruiters constantly work to find suitable candidates for open positions, whether through traditional online job posts or direct messages on platforms like LinkedIn.
We recently found reports from several Reddit users who say they were contacted by a recruiter and asked to complete a work sample. Assigning tests or sample tasks is a common part of many hiring processes, and some companies have previously been accused of using this tactic to get free production work from applicants. Generally, though, employers request samples to verify that candidates can perform the responsibilities listed on their CV. This particular case is noteworthy, however. Since you’re reading this on a blog belonging to a company that fights malicious software, you may already suspect where this leads — but let’s stay focused.
Suspicious archive, strange prompts
A Reddit user reported that they were given access to a private GitHub archive to download application data for the task. The installation failed, and the system then asked for permission to install a Python package. Python is a scripting language commonly used by developers to automate tasks. With no clear reason for such a request, the user grew suspicious and asked Reddit for advice. Respondents warned that the request seemed highly suspicious and recommended a system restore. That turned out to be sound advice — the assignment included something extra.
Among the downloaded archive files were heavily obfuscated scripts. These scripts are designed to steal data from multiple browsers: session tokens, stored passwords and cryptocurrency wallets were their targets.
A familiar tactic
This method is familiar: stealing browser data is a common objective in numerous attacks, and we’ve seen similar schemes delivered via direct messages on social media. Such attacks can cost victims not only account access but also significant money. In these fake job postings or “technical tests,” applicants are typically asked to submit a CV — a routine step in any recruitment process and not inherently suspicious. In this case, however, a legitimate CV containing accurate, complete and current personal information is handed over to a criminal organization. Consider what criminals might do with that information. One likely scenario is creating fraudulent job applications for remote positions — a tactic previously documented, where threat actors pose as legitimate applicants to infiltrate companies. Increasingly, AI is used to produce convincing forgeries that can even pass a video interview.
Who is behind it?
Reports point to the North Korean group Lazarus as responsible. This group is known for stealing data from computers and emptying bank and cryptocurrency accounts — actions that some analysts believe help fund the North Korean regime. Estimates suggest that state-linked actors have profited heavily from cryptocurrency theft.
How to protect yourself from criminals posing as recruiters
If you’re open to new opportunities and someone contacts you claiming to look for someone with your qualifications, watch for these warning signs and take precautions:
- Ask for an alternate contact method, such as a business phone number or a corporate postal address. Legitimate recruiters should have no issue providing another way to reach them.
- If you’re asked to provide a work sample or complete a “technical test,” carefully verify the origin of any files or links you receive before downloading or running anything.
- A GitHub repository with a random username unrelated to the company in question is a major red flag.
- Check the company’s official website. If you can’t find a job listing that matches the role the recruiter described — or if the company has no open positions at all — proceed with caution.
- Examine email domains closely. Ensure the sender’s address matches the company domain listed on their site. Pay particular attention to lookalike characters, such as lowercase “l” versus uppercase “I,” which threat actors often use to spoof legitimate addresses.
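As an added example (not code from the original post), here is a small Python check for the e-mail-domain warning sign in the last bullet: it compares a recruiter's sender domain with the company's real domain and flags lookalikes such as uppercase "I" for lowercase "l" or Cyrillic letters, as well as the real name embedded in an unrelated domain. The company domain `globaltech.com` and the sender addresses are constructed, and the confusables table is a deliberately short, assumed subset.

```python
import unicodedata
from email.utils import parseaddr

# Characters that imitate ASCII letters in common fonts, mapped to the letter they mimic.
# Constructed for this example and deliberately small; Unicode's confusables.txt is far larger.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",                                 # look like lowercase L
    "0": "o",                                                      # digit zero vs letter o
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y",   # Cyrillic с ѕ і у
    "\u03bf": "o", "\u03b1": "a", "\u03b5": "e",                   # Greek ο α ε
}

def skeleton(domain: str) -> str:
    """Collapse a domain to a lookalike-insensitive form so visually similar
    names compare equal (e.g. 'gIobaltech.com' and 'globaltech.com')."""
    d = domain.strip().rstrip(".")
    if "xn--" in d:                          # punycode form: decode to Unicode first
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKC", d)
    d = "".join(CONFUSABLES.get(ch, ch) for ch in d).lower()   # map before lowercasing
    return d.replace("rn", "m").replace("vv", "w")             # multi-letter lookalikes

def registrable(domain: str) -> str:
    """Last two labels. Simplification for this example; real code should use the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def check_sender(header_from: str, company_domain: str) -> dict:
    """Classify the sender domain of a recruiter e-mail against the company's real domain."""
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return {"domain": None, "verdict": "invalid"}
    domain = addr.rsplit("@", 1)[1].rstrip(".")
    expected = company_domain.lower()
    if domain.lower() == expected:
        verdict = "match"
    elif registrable(domain.lower()) == expected:
        verdict = "subdomain"                # e.g. careers.globaltech.com
    elif registrable(skeleton(domain)) == skeleton(expected):
        verdict = "lookalike"                # differs only by confusable characters
    elif skeleton(expected) in skeleton(domain):
        verdict = "suspicious"               # real name embedded in another domain
    else:
        verdict = "unrelated"
    return {"domain": domain, "verdict": verdict}
```

A "subdomain" result still deserves a second look, since the check cannot tell whether the company actually uses that subdomain for hiring.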
Taking these simple steps can greatly reduce your risk of falling victim to fake recruitment schemes. Treat unexpected technical requests with skepticism, verify identities through multiple channels, and avoid running unverified code or installing packages on your system. If something seems off, pause and investigate — it could save you from a costly breach.