Hackers Posing as Google Careers Recruiter to Steal Gmail Login Details


A sophisticated phishing campaign has emerged targeting job seekers through fake Google career recruitment opportunities, leveraging social engineering tactics to harvest Gmail credentials and personal information.

The malicious operation exploits the trust associated with Google’s brand reputation, crafting convincing recruitment emails that direct victims to fraudulent login portals designed to capture authentication details.

The attack vector primarily relies on email-based social engineering, where cybercriminals impersonate Google HR representatives offering lucrative career opportunities.

These deceptive messages contain carefully crafted job descriptions and application processes that appear legitimate, complete with official-looking branding and professional communication styles that mirror genuine Google recruitment correspondence.

Cyber researcher g0njxa identified this campaign while investigating broader patterns of credential theft operations targeting major technology companies.

The researcher’s analysis revealed that the threat actors employ multiple attack variations, adapting their techniques to evade detection while maintaining high success rates against unsuspecting victims.


Certificate Abuse and Evasion Techniques

The malware campaign demonstrates sophisticated evasion capabilities through the abuse of Extended Validation certificates across multiple platforms.

Threat actors have obtained legitimate Apple Developer ID certificates under names such as “THOMAS BOULAY DUVAL” and “Alina Balaban,” enabling their malicious applications to bypass initial security screening mechanisms.

At the time of analysis, the signed DMG files were not flagged by any security vendor on VirusTotal.

Analysis of the malicious launchers reveals deliberate attempts to legitimize applications by incorporating signer names into identifier strings, following patterns like “thomas.parfums” corresponding to “Thomas Boulay Duval.”

The Mach-O binaries contain embedded references that connect to remote AppleScript payloads, utilizing the Odyssey Stealer framework for credential harvesting operations.

The campaign’s infrastructure includes compromised domains such as franceparfumes[.]org hosting malicious scripts, with command and control servers operating from IP address 185.93.89.62.
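The indicators named above (the signer names, the "thomas.parfums" identifier string, the franceparfumes[.]org domain and the 185.93.89.62 address) are the kind of thing a defender wants to sweep DNS, proxy and endpoint logs for. The following script is an added example written for this page, not code from the article or the researcher; it refangs the indicators as printed here and scans a handful of constructed log lines (the hostnames, user names, timestamps and the team-ID placeholder in them are made up for the example).

```python
import re

# Indicators as published in the article, kept in their defanged form.
ARTICLE_IOCS = {
    "domain": ["franceparfumes[.]org"],
    "ip": ["185.93.89.62"],
    "signer": ["THOMAS BOULAY DUVAL", "Alina Balaban"],
    "identifier": ["thomas.parfums"],
}

# Constructed sample log lines for the example (not real telemetry).
SAMPLE_LOGS = [
    "2025-09-01T10:02:11Z dns query host=mac-17 qname=cdn.franceparfumes.org type=A",
    "2025-09-01T10:02:12Z proxy CONNECT 185.93.89.62:443 user=jdoe bytes=1834",
    "2025-09-01T10:03:40Z codesign app=/Volumes/Google Careers/Google Careers.app "
    "Authority=Developer ID Application: THOMAS BOULAY DUVAL (TEAMID_PLACEHOLDER) "
    "Identifier=thomas.parfums",
    "2025-09-01T10:05:00Z dns query host=mac-22 qname=www.google.com type=A",
    # Looks similar to the C2 address but is a different IP; must not match.
    "2025-09-01T10:06:00Z proxy CONNECT 185.93.89.620:443 user=asmith",
]


def refang(value: str) -> str:
    """Turn a defanged indicator ('example[.]org', 'hxxp://') into its live form."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def build_patterns(iocs=ARTICLE_IOCS):
    """Compile one regex per indicator, bounded so partial overlaps do not match."""
    patterns = []
    for kind, values in iocs.items():
        for original in values:
            live = refang(original)
            if kind == "domain":
                # The domain itself or any subdomain, not a longer hostname containing it.
                pat = re.compile(
                    r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(live) + r"(?![\w-])", re.I
                )
            elif kind == "ip":
                # Reject 185.93.89.620 or 1185.93.89.62 style near-misses.
                pat = re.compile(r"(?<![\d.])" + re.escape(live) + r"(?![\d.])")
            else:
                # Signer names and bundle identifiers: plain case-insensitive substring.
                pat = re.compile(re.escape(live), re.I)
            patterns.append((kind, original, pat))
    return patterns


def scan_lines(lines, iocs=ARTICLE_IOCS):
    """Return (line_number, indicator_kind, indicator) for every hit, in log order."""
    patterns = build_patterns(iocs)
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, original, pat in patterns:
            if pat.search(line):
                hits.append((number, kind, original))
    return hits


if __name__ == "__main__":
    for number, kind, ioc in scan_lines(SAMPLE_LOGS):
        print(f"line {number}: {kind} indicator {ioc!r}")
```

The word-boundary lookarounds matter more than they look: a naive substring search for the C2 address would also fire on the last sample line, and a domain pattern without the subdomain prefix would miss the `cdn.` host. In a real deployment the same patterns would be fed from a threat-intelligence list rather than hard-coded.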

These certificates represent significant financial investments for cybercriminals, as Apple’s developer certification process involves substantial time and monetary costs, making their eventual revocation impactful to ongoing malware operations.







About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.