Introduction

CrowdStrike has uncovered a sophisticated phishing campaign that targets job seekers, particularly developers, by exploiting the company’s recruitment branding. This campaign involves cybercriminals impersonating CrowdStrike recruiters to deceive victims into downloading malicious software.

Description

CrowdStrike has identified a sophisticated phishing campaign targeting job seekers, particularly developers, by exploiting the company’s recruitment branding. The campaign, reported on January 7, 2025 [6] [7], involves cybercriminals impersonating CrowdStrike recruiters to lure victims into downloading a fraudulent “employee CRM application.” Phishing emails invite recipients to schedule fake interviews for a junior developer position, misleading them into believing they have been selected for the role and directing them to a counterfeit website, “cscrm-hiring[.]com,” that closely resembles the official hiring portal. This malicious site falsely claims to offer a “new applicant and employee CRM app” for both Windows and macOS; however, both download options ultimately lead to the same malicious Windows executable written in Rust.

Once downloaded, the malware acts as a downloader for the XMRig cryptocurrency miner and conducts several environmental checks, including verifying CPU core count and active processes, to evade detection [3] [6] [7]. If these checks are passed, the malware displays a fake error message about a corrupt installer file before fetching a configuration file to initiate mining activities [7]. It then downloads the necessary mining software from a GitHub repository and runs it with low CPU usage to avoid detection [7]. To maintain persistence, the malware adds a batch script to the Start Menu Startup directory and writes a logon autostart key into the system registry [7].
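The two persistence mechanisms described above can be hunted together. The following is an added example, not code from CrowdStrike or the cited reports: it assumes Sysmon-style events (EventID 11 for file creation, EventID 13 for a registry value set) and assumes the "logon autostart key" is a Run/RunOnce value; all hosts, paths and value names in the sample data are constructed.

```python
import re
from collections import defaultdict

# Assumption: Sysmon-style dicts (EventID 11 = FileCreate, 13 = registry value set).
# The page names neither the batch file nor the registry value, so match on location.
STARTUP_BAT = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(bat|cmd)$", re.I)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)

def classify(event):
    """Return 'startup_script', 'run_key' or None for one event."""
    if event.get("EventID") == 11 and STARTUP_BAT.search(event.get("TargetFilename", "")):
        return "startup_script"
    if event.get("EventID") == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        return "run_key"
    return None

def hunt(events):
    """Group persistence writes by (host, writing process): both mechanisms
    from one process is 'high'; one alone is 'review' (installers do this)."""
    seen = defaultdict(set)
    for ev in events:
        kind = classify(ev)
        if kind:
            seen[(ev["Computer"], ev["Image"].lower())].add(kind)
    return {
        key: ("high" if kinds == {"startup_script", "run_key"} else "review")
        for key, kinds in seen.items()
    }

# Constructed sample events (hypothetical hosts, paths and value names).
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "WS-01", "Image": r"C:\Users\dev\Downloads\installer.exe",
     "TargetFilename": r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.bat"},
    {"EventID": 13, "Computer": "WS-01", "Image": r"C:\Users\dev\Downloads\installer.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\example"},
    {"EventID": 13, "Computer": "WS-02", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    {"EventID": 11, "Computer": "WS-02", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\ops\Documents\notes.bat"},
]

if __name__ == "__main__":
    for (host, image), severity in hunt(SAMPLE_EVENTS).items():
        print(f"{severity:6} {host} {image}")
```

Ranking by the writing process keeps a lone Run-key write from a software installer at "review" while surfacing a single binary that sets both autostart locations.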

In addition to this phishing scheme, CrowdStrike warns job seekers to be vigilant against ongoing scams involving false job offers, fraudulent interviews [3] [6], and counterfeit websites [4]. Key indicators of these scams include interviews conducted via instant messaging or group chats [1], requests for candidates to purchase products or make payments as a condition of employment [1] [6], and demands to download software for interview purposes [1] [4] [5]. The company emphasizes that it does not conduct interviews through these channels and does not require candidates to download unsolicited files. To confirm that a communication is legitimate, job seekers should verify it by contacting recruiting@crowdstrike.com [1]. For legitimate job applications, candidates should refer to CrowdStrike’s official Careers page to find job openings and follow the official application process [4] [5]. This type of scam is becoming increasingly common, with similar operations being conducted by various threat actors, including notable groups targeting high-profile individuals in technology and government sectors [2].

Conclusion

The phishing campaign identified by CrowdStrike highlights the growing sophistication of cyber threats targeting job seekers. To mitigate these risks, individuals should remain vigilant and verify the authenticity of job-related communications. As cybercriminals continue to evolve their tactics, it is crucial for both companies and job seekers to stay informed and adopt proactive measures to protect against such scams.

References

[1] https://news.hackreports.com/fake-crowdstrike-recruiters-distribute-malware-via-phishing-emails/
[2] https://www.techradar.com/pro/security/crowdstrike-warns-of-fake-job-offer-scam-that-is-actually-just-malware
[3] https://www.darkreading.com/threat-intelligence/crowdstrike-job-interviews-hacker-tactic
[4] https://www.helpnetsecurity.com/2025/01/10/fake-crowdstrike-job-offer-email-delivers-cryptominer/
[5] https://www.infosecurity-magazine.com/news/cybercriminals-fake-crowdstrike/
[6] https://securityaffairs.com/172900/cyber-crime/crowdstrike-phishing-campaign-recruitment-branding.html
[7] https://news.cloudsek.com/2025/01/cybercriminals-use-crowdstrikes-name-to-mine-cryptocurrency/