Cybercrooks Are Using Fake Job Listings to Steal Crypto
2025-02-13 • Moonlock •
https://hackernoon.com/cybercrooks-are-using-fake-job-listings-to-steal-crypto
Moonlock describes a fake-interview campaign that lures job seekers into running commands from malicious recruiting sites, with a focus on cryptocurrency theft. The macOS chain downloads ffmpeg.sh, selects an ARM or Intel VCam archive from attacker infrastructure, installs vcamservice.sh under /var/tmp/VCam, and registers a LaunchAgent at ~/Library/LaunchAgents/com.vcam.plist for persistence. The package also launches ChromeUpdateAlert.app while the backdoor remains available for remote command execution. The source tracks rotating fake-interview domains and notes attempts to abuse cryptocurrency-related browser-extension permissions, including MetaMask, to reach wallet data.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | api.nvidia-release.org | 2025-01-16 | 2025-08-25 |
| HASH | 60ec2dbe8cfacdff1d4eb093032b030… | 2025-01-05 | 2025-08-25 |
| HASH | b72653bf747b962c67a5999afbc1d91… | 2025-01-05 | 2025-08-25 |
| IPv4 | 216.74.123.191 | 2025-01-05 | 2025-08-25 |
| DOMAIN | talentcompetency.com | 2025-01-16 | 2025-02-25 |
| DOMAIN | willoassessment.com | 2025-01-09 | 2025-02-25 |
| DOMAIN | hiringinterview.org | 2025-01-09 | 2025-02-25 |
| HASH | 3c4becde20e618efb209f97581e9ab6… | 2025-02-04 | 2025-02-19 |
| HASH | 3697852e593cec371245f6a7aaa3881… | 2025-02-13 | 2025-02-13 |
| HASH | 5df555b868c08eed8fea2c5f1bc82c5… | 2025-02-13 | 2025-02-13 |
| HASH | 3210d821e12600eac1b9887860f4e63… | 2025-02-13 | 2025-02-13 |
| HASH | 0a49f0a8d0b1e856b7d109229dfee79… | 2025-02-13 | 2025-02-13 |
| URL | https://api.nvidia-release.org/… | 2025-02-13 | 2025-02-13 |
| DOMAIN | app.skill-share.org | 2025-02-13 | 2025-02-13 |
| DOMAIN | app.vidintroexam.com | 2025-02-13 | 2025-02-13 |
| DOMAIN | app.quickvidintro.com | 2025-02-13 | 2025-02-13 |
| DOMAIN | app.hiring-interview.com | 2025-02-13 | 2025-02-13 |
| DOMAIN | wholecryptoloom.com | 2025-02-13 | 2025-02-13 |
| DOMAIN | winyourrole.com | 2025-02-13 | 2025-02-13 |
| DOMAIN | topinnomastertech.com | 2025-02-13 | 2025-02-13 |
| DOMAIN | winterviews.net | 2025-02-13 | 2025-02-13 |
| IPv4 | 95.169.180.146 | 2025-02-13 | 2025-02-13 |
| HASH | b2a4a981ba7cc2add74737957efdfcb… | 2025-01-20 | 2025-02-13 |
| DOMAIN | digitpotalent.com | 2025-01-20 | 2025-02-13 |
| DOMAIN | digitptalent.com | 2025-01-20 | 2025-02-13 |
| DOMAIN | app.blockchain-checkup.com | 2025-01-16 | 2025-02-13 |
| DOMAIN | app.willorecruit.com | 2025-01-16 | 2025-02-13 |
| DOMAIN | app.willotalentes.com | 2025-01-16 | 2025-02-13 |
| DOMAIN | app.willohiringtalent.org | 2025-01-16 | 2025-02-13 |
| DOMAIN | app.willotalents.org | 2025-01-16 | 2025-02-13 |
| DOMAIN | willoassess.net | 2025-01-09 | 2025-02-13 |
| DOMAIN | willoassess.org | 2025-01-09 | 2025-02-13 |
| DOMAIN | blockchain-assess.com | 2025-01-09 | 2025-02-13 |
| DOMAIN | fundcandidates.com | 2025-01-09 | 2025-02-13 |
| DOMAIN | willocandidate.com | 2025-01-09 | 2025-02-13 |
| DOMAIN | willointerview.com | 2025-01-09 | 2025-02-13 |
| DOMAIN | interviewnest.org | 2025-01-09 | 2025-02-13 |
| DOMAIN | web.videoscreening.org | 2025-01-09 | 2025-02-13 |
| DOMAIN | willoassess.com | 2025-01-09 | 2025-02-13 |
| URL | https://api.nvidia-cloud.online… | 2025-01-05 | 2025-02-13 |
| URL | https://api.nvidia-cloud.online… | 2025-01-05 | 2025-02-13 |
| DOMAIN | connect.trezor.io | 2025-01-05 | 2025-02-13 |
| DOMAIN | api.nvidia-cloud.online | 2025-01-05 | 2025-02-13 |