
Authors: 23pds & Thinking
Editor: Liz
Background
In recent years, phishing incidents targeting blockchain engineers on LinkedIn have occurred from time to time. Yesterday, we noticed a post on X by @_swader_, which is a typical example of LinkedIn recruitment phishing aimed at blockchain engineers. Let’s analyze this case in detail.
Process
According to Bruno’s description, someone claiming to be a project representative reached out to him proactively and sent him a lengthy project introduction:
Content Overview
The message primarily focused on a job opportunity for a blockchain-based Socifi game and staking smart contract platform.
Project Overview
The project is a staking smart contract platform built around a Socifi game. Its core functionalities include:
- Decentralized Exchange
- Gaming
- Multi-game community features
- NFTs and Tokens
- Live streaming services
Recruitment Intent
- Seeking developers to join the project.
- Backend and smart contract developers have already been hired.
- Bruno Skvorc was recommended as the Project Manager / Frontend Development Lead.
MVP Design
- The sender provided a Figma design link, pointing to the MVP v2 version.
Recruitment Process
- Background check
- Online coding test
- Technical interview
At first, the recruiter was vague about details. Then, he started calling Bruno, trying to create a sense of urgency and importance. Eventually, he provided a repo link: https://bitbucket[.]org/ventionteam/gameplatform/src/main/
User and Code Submission Time:
Let’s examine the code details.
Tactics and Techniques
Let’s take a look at the code explanation:
So, is its actual functionality as described?
Let’s first take a look at package.json:
No malicious third-party modules were found, so it doesn’t seem to be an attack via a malicious NPM package. Let’s continue the analysis.
When we look at server.js, if we're not careful, we might stop at line 47, as at first glance nothing seems suspicious.
However, take a closer look at line 46 — what is that? Plus, there’s a small horizontal scrollbar, which indicates that there’s something hidden on the right! Let’s scroll over and take a look.
This is an encrypted malicious payload. What exactly does it do? Let’s take a look at the code:
This code is encrypted in more than one layer, and the outer layer is base64-encoded.
When running npm start, everything seems to function normally. So, what exactly is the purpose of this payload?
Let’s test it in a virtual machine (professional operation, do not attempt to replicate).
We found that this attack method involves various obfuscation techniques, making decryption quite troublesome. Instead, we directly used a Hook method to extract the C2 link.
Successfully captured malicious IPs:
- 216.173.115[.]200
- 95.179.135[.]133
- 45.59.163[.]56
- 45.59.1[.]2
- 5.135.5[.]48
Malicious request: http://216.173.115[.]200:1244/s/bc7302f71ff3.
Interestingly, this malicious request managed to bypass Little Snitch’s monitoring and detection.
The attacker downloads and executes two files: test.js and .npl.
The .npl trojan is primarily used for persistence.
Here is the decoded content of .npl:
The above code is used to download a Python program named “pay,” with its decoded content as follows:
The attacker uses Python to execute .npl to maintain persistence.
The test.js script is primarily used to steal browser data, such as plugin wallet data and saved account credentials.
test.js decryption (snippet):
Based on our analysis, once the victim executes the code, the payload will carry out the following actions:
- Collect system/environment data (home directory, platform, hostname, username, etc.).
- Send an HTTP request to a remote server to fetch additional data or a valid payload.
- Write the retrieved payload to the local file system (typically in the home directory).
- Execute these payloads using Node’s child_process.exec.
- Maintain a connection or “call back” system data to the C2 server.
- Repeatedly perform this activity at intervals, sending heartbeat packets, and retrying multiple times if the initial attempt fails.
- Silently monitor user behavior in preparation for stealing crypto assets. The code attempts to read specific directories such as /Library/Keychains/ (a critical macOS storage path), steal SSH private keys, extract browser extension data, and retrieve browser-stored account credentials.
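The hiding trick in server.js (a payload pushed off-screen at the end of line 46, base64-encoded, then decoded and executed) and the payload behaviour listed above can be triaged statically before any code is run. The following scanner is an added example written for this post, not SlowMist's tooling or anything from the phishing repository; the line-length threshold, the base64-run length and the sample server.js are constructed assumptions.

```javascript
// Added example (not code from the SlowMist post or the phishing repo): static
// triage of a Node source file for the tells described above: an over-long line
// hiding code off-screen, a big base64 blob, and sinks such as eval/exec.
const MAX_LINE = 200;                          // assumed threshold for "too long"
const BASE64_RUN = /[A-Za-z0-9+/]{80,}={0,2}/; // 80+ base64-alphabet chars in a row
const PADDING = /\s{40,}\S/;                   // 40+ blanks, then more code
const SINKS = [
  { kind: 'eval',          re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { kind: 'base64-decode', re: /Buffer\.from\([^)]*['"]base64['"]/ },
  { kind: 'child_process', re: /require\(['"]child_process['"]\)|\.exec(Sync)?\s*\(/ },
  { kind: 'homedir-write', re: /os\.homedir\(\)|\.writeFile(Sync)?\s*\(/ },
];
// One finding per tell per line: { line, kind, detail }.
function scanSource(src) {
  const findings = [];
  src.split('\n').forEach((line, i) => {
    const no = i + 1;
    if (line.length > MAX_LINE) findings.push({ line: no, kind: 'long-line', detail: `${line.length} chars` });
    const pad = line.match(PADDING);
    if (pad) findings.push({ line: no, kind: 'offscreen-padding', detail: `code resumes at column ${pad.index + pad[0].length}` });
    const blob = line.match(BASE64_RUN);
    if (blob) findings.push({ line: no, kind: 'base64-blob', detail: `${blob[0].length} chars` });
    for (const s of SINKS) if (s.re.test(line)) findings.push({ line: no, kind: s.kind, detail: '' });
  });
  return findings;
}
// Flag the file when a hiding tell and a dangerous sink meet on the same line.
function isSuspicious(findings) {
  const hiding = new Set(['long-line', 'offscreen-padding', 'base64-blob']);
  const byLine = new Map();
  for (const f of findings) {
    const e = byLine.get(f.line) || { hide: false, sink: false };
    if (hiding.has(f.kind)) e.hide = true; else e.sink = true;
    byLine.set(f.line, e);
  }
  return [...byLine.values()].some(e => e.hide && e.sink);
}
// Constructed stand-in for the repo's server.js: a benign route, then 120 blanks
// of padding and a base64 blob that merely decodes to a console.log call.
const HIDDEN = Buffer.from('console.log("stand-in for hidden payload");'.repeat(4)).toString('base64');
const SAMPLE_SERVER_JS = [
  "const express = require('express');",
  'const app = express();',
  "app.get('/', (req, res) => res.send('ok'));" + ' '.repeat(120) +
    `;(function(){eval(Buffer.from('${HIDDEN}','base64').toString())})();`,
  'app.listen(3000);',
].join('\n');
const report = scanSource(SAMPLE_SERVER_JS);
report.forEach(f => console.log(`line ${f.line}: ${f.kind} ${f.detail}`.trim()));
console.log('suspicious:', isSuspicious(report));
```

Run it against every .js file in a repository received from an unsolicited recruiter before npm start; a line that is both padded off-screen and decoding-then-executing data is exactly the pattern seen here.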
Meanwhile, @blackbigswan identified the same user:
- https://github[.]com/DavidDev0219
- https://github[.]com/vention-dev
- https://github[.]com/FortuneTechWorld
We suspect that these accounts belong to the same group of attackers and will not conduct further analysis.
Mitigation Recommendations
Attackers often distribute malicious files through Telegram, Discord, and LinkedIn. To counter such phishing attacks, we propose the following recommendations from both user and enterprise perspectives:
For Users
- Be cautious of suspicious job offers or freelance opportunities that require downloading or running code from platforms like GitHub. Always verify the sender’s identity through the company’s official website or email and avoid falling for misleading phrases like “high-paying, time-limited tasks.”
- When handling external code, thoroughly review the project source and author background. Never execute high-risk projects without verification. If necessary, run suspicious code in a virtual machine or sandbox environment to mitigate risks.
- Remain vigilant about files received via Telegram, Discord, or similar platforms. Disable automatic downloads and manually scan files before opening them. Be wary of requests to execute scripts under the guise of “technical tests.”
- Enable multi-factor authentication (MFA) and regularly update strong, unique passwords to prevent cross-platform credential reuse.
For Enterprises
- Conduct regular phishing attack simulation exercises to train employees in recognizing spoofed domains and abnormal requests.
- Deploy an email security gateway to block malicious attachments.
- Monitor code repositories for potential leaks of sensitive information.
- Establish an incident response mechanism for phishing attacks, combining technical defenses with user awareness strategies to minimize the risk of data breaches and financial losses.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.