
“On January 7, 2025, CrowdStrike identified a phishing campaign exploiting its recruitment branding to deliver malware disguised as an ‘employee CRM application.’ The attack begins with a phishing email impersonating CrowdStrike recruitment, directing recipients to a malicious website. Victims are prompted to download and run a fake application, which serves as a downloader for the cryptominer XMRig,” reads the report published by CrowdStrike.
The email tricks recipients by claiming they have been selected for a junior developer role and must join a recruitment call by downloading a CRM tool via an embedded link. The phishing message directs the victims to a malicious website that appears to offer download options for both Windows and macOS.
However, regardless of the chosen option, a Windows executable written in Rust is downloaded. The application serves as a downloader for XMRig. The CrowdStrike researchers noticed that it uses evasion mechanisms, such as detecting whether an anti-malware tool is running. If these checks are passed, the executable displays a fake error message. The executable then proceeds to download additional payloads to achieve persistence and run the XMRig miner.
The company recommended avoiding any interviews carried out through instant message or email, and refusing to download any software for an interview. It also stressed the importance of verifying the authenticity of any CrowdStrike hiring communications by contacting recruiting@crowdstrike.com.