The cybersecurity landscape is experiencing a major shift in how attackers operate. Threat actors have moved away from traditional hunting methods like phishing emails and cold outreach.
Instead, they are now creating sophisticated traps designed to make high-value targets walk directly into their schemes.
This new approach, called “inbound” social engineering, is currently focusing on Web3 and cryptocurrency sectors with significant success rates.
The attack strategy relies on a simple but effective psychological approach. Attackers create convincing fake companies or impersonate legitimate Web3 firms, then post job openings for attractive positions on job boards such as youbuidl.dev.
This method lowers the victim’s defenses because job seekers believe they are the ones initiating contact.
They do not expect danger from an opportunity they are pursuing. The real target here is the person behind the screen, who likely has personal cryptocurrency wallets installed on their computer.
Many victims even apply for these fake jobs using their corporate laptops, giving attackers a direct path into major financial institutions.
Aris Haryanto identified and documented this emerging threat, including the technical mechanics of how the malware operates within these recruitment campaigns.
His analysis revealed that the attack follows a standard corporate interview workflow to maintain legitimacy throughout the process.
The execution begins when candidates receive a professional-looking interview invitation from fraudulent domains like collaborex.ai. During the video interview stage, victims are asked to download what appears to be a legitimate meeting application.
The malicious file, named collaborex_setup.msi, is downloaded and executed on the victim’s system. Once launched, the installer quietly initiates a command-and-control (C2) connection in the background to the attacker’s server at IP address 179.43.159.106.
Command and Control Communication and Data Exfiltration
The malware’s connection to the C2 server marks the beginning of complete system compromise. When the collaborex_setup.msi file runs, it establishes a hidden communication channel with the attacker’s infrastructure.
This connection allows the threat actors to remotely control the infected computer without the user’s knowledge.
The attackers can then extract sensitive information such as private cryptocurrency keys, wallet credentials, and corporate data.
For developers working at crypto exchanges or DeFi protocols, this access means direct theft of institutional funds and intellectual property.
The malware runs silently in the background, making it extremely difficult for standard antivirus solutions to detect the malicious activity.
The threat actors can maintain persistent access to the system indefinitely, continuously monitoring and stealing data as needed.
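As an added example, not part of the original article or of Aris Haryanto's analysis, the script below shows how a defender could hunt for this chain in endpoint telemetry: it matches the indicators quoted above (collaborex.ai, collaborex_setup.msi, 179.43.159.106) and, independently of them, flags the installer-then-beacon behaviour the article describes (msiexec.exe runs, then the same image opens an outbound connection). The log format, host names and the non-indicator addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators quoted in the article: lure domain, installer name, C2 address.
IOC_DOMAINS = {"collaborex.ai"}
IOC_FILES = {"collaborex_setup.msi"}
IOC_IPS = {"179.43.159.106"}
# Constructed sample telemetry, hypothetical "timestamp host event key=value" format.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z wks-17 dns query=collaborex.ai
2024-05-01T09:13:02Z wks-17 process image=msiexec.exe cmdline="msiexec /i collaborex_setup.msi /qn"
2024-05-01T09:13:09Z wks-17 netconn image=msiexec.exe dst=179.43.159.106 dport=443
2024-05-01T09:15:00Z wks-22 process image=msiexec.exe cmdline="msiexec /i vendor_tool.msi"
2024-05-01T09:15:05Z wks-22 netconn image=msiexec.exe dst=203.0.113.10 dport=443
2024-05-01T09:20:00Z wks-31 process image=msiexec.exe cmdline="msiexec /i office_update.msi"
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """One telemetry line -> dict of fields, or None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) < 3:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(parts[3] if len(parts) > 3 else "")}
    return {"ts": parts[0], "host": parts[1], "event": parts[2], **fields}

def analyse(log_text):
    """Return {host: (verdict, sorted IoC hits)}: 'ioc_match' if a known indicator was seen,
    'installer_beacon' if msiexec ran and then made an outbound connection, else 'clean'."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if ev := parse_line(line):
            per_host[ev["host"]].append(ev)
    results = {}
    for host, events in per_host.items():  # events keep file (time) order per host
        hits, msi_ran, beacon = set(), False, False
        for e in events:
            if e["event"] == "dns" and e.get("query") in IOC_DOMAINS:
                hits.add(e["query"])
            elif e["event"] == "process" and e.get("image", "").lower() == "msiexec.exe":
                msi_ran = True
                hits.update(f for f in IOC_FILES if f in e.get("cmdline", "").lower())
            elif e["event"] == "netconn":
                if e.get("dst") in IOC_IPS:
                    hits.add(e["dst"])
                if msi_ran and e.get("image", "").lower() == "msiexec.exe":
                    beacon = True
        verdict = "ioc_match" if hits else ("installer_beacon" if beacon else "clean")
        results[host] = (verdict, sorted(hits))
    return results
```

An 'installer_beacon' verdict is a triage lead rather than a conviction, since legitimate MSI installers can also fetch content over the network; the IoC match is the high-confidence signal.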
