Cybersecurity experts are tracking a new trend called inbound social engineering, in which attackers lure high-value targets into malicious schemes through fake job postings. By posing as legitimate cryptocurrency firms and conducting professional interviews, threat actors trick victims into installing malware that provides full access to personal wallets and corporate systems.
The cybersecurity landscape is undergoing a significant transformation in how attackers target high-value individuals. Threat actors are moving away from traditional outbound methods like unsolicited phishing emails in favor of inbound social engineering. This strategy involves creating sophisticated traps designed to make targets initiate contact themselves. Currently, this approach is seeing high success rates within the Web3 and cryptocurrency sectors, where the promise of lucrative career opportunities serves as an effective lure.
The core of this attack strategy relies on a psychological shift that lowers a victim's defenses. Attackers create convincing fake companies or impersonate legitimate firms to post attractive job openings on industry-specific websites. Because the job seeker is the one pursuing the opportunity, they do not expect a threat. This is particularly dangerous for developers and financial professionals who may have personal cryptocurrency wallets or access to sensitive corporate data on the same devices they use to apply for jobs.
Researcher Aris Haryanto recently documented the technical mechanics of these campaigns, noting how they mimic a standard corporate hiring workflow to maintain an air of legitimacy. Candidates are invited to interviews via professional-sounding domains and are eventually asked to download a specific application to participate in a video call. This file, often an installer package, is the primary vehicle for the attack and is designed to look like a routine piece of meeting software.
Once the malicious file is executed on a victim’s system, it silently establishes a connection to a command-and-control server. This hidden communication channel allows the attackers to take remote control of the computer without the user's knowledge. The malware is designed to run quietly in the background, bypassing many standard antivirus solutions while it prepares to exfiltrate sensitive information from the infected device.
The final stage of the attack focuses on data theft and long-term system compromise. Threat actors can extract private cryptocurrency keys, wallet credentials, and proprietary corporate data, leading to the direct theft of funds and intellectual property. Because the attackers can maintain persistent access to the system, they are able to monitor activity and continue stealing data over an extended period, posing a severe risk to both individual assets and institutional security.
Source: Social Engineering Campaign Uses Fake Interview Software To Target Web3 Developers


