Git-Hooks

“What was given as work concealed its blade in the hidden hooks.” Executive Summary This report analyzes a PawCommerce-themed developer-task lure delivered during a fake recruitment workflow. The initial contact occurred through LinkedIn, where a recruiter persona using the display name Nathaniel Nicdao asked whether the target would be open to a brief conversation and requested a CV or resume. The LinkedIn profile was later unavailable. A subsequent Google Calendar invitation used the persona Mark Harris <mark.harris.workspace@gmail[.]com>, and the development task was delivered through a OneDrive share displaying the account name Mimori Okamoto. The OneDrive page hosted a ZIP file named pawCommerce.zip. ...

“The dev branch was a threshold; crossing it woke the hook.” Executive Summary This report analyzes a recruitment-themed malware delivery attempt that abused a developer review workflow. A LinkedIn recruiter persona using the name Bill Johnson, CTS sent the target a LimeWire file-sharing URL for an archive named AI-Powered_RWA_Finance_Platform.zip: hxxps://limewire[.]com/d/Fw4jF#TNRRfGHC7h The lure framed the work as a review of an abandoned AI-powered real-world-asset finance platform. The actor claimed prior developers were poor at Git and pointed the reviewer at a repository snapshot where the master branch was incomplete. The repository README then instructed the reviewer to run: ...

“They called it a haven; the rebase was the altar, and the hook was the knife.” Executive Summary This report analyzes a Kryptic Haven-branded recruitment lure that began with a LinkedIn message from a recruiter persona named Tatiana Zadorozhnia. The report treats Kryptic Haven as lure branding and low-assurance recruitment infrastructure; it does not establish whether any legitimate company, brand owner, or third-party profile was actor-created, compromised, impersonated, or otherwise misused. The message directed the target to a 24-hour hiring-process link at: ...

“The contract promised trust; the hooks carried the knife.” Executive Summary The case began with a recruitment-themed approach using MansaTrade-branded identity material. After the victim was contacted through LinkedIn about a purported job opportunity and asked to provide a CV and email address, a recruiter persona calling himself Enrique used that address to deliver a purported smart-contract developer task as a ZIP attachment. The follow-on email was displayed as coming from Recruiter of MansaTrade <recruiter@mansatrade[.]org>. Header analysis shows that the message passed SPF and DMARC at Google and was authenticated through Hostinger/MailChannels infrastructure for recruiter@mansatrade[.]org; DKIM was neutral because the body hash did not verify. This means the message should not be treated as simple display-name spoofing. It does not establish whether the mailbox or domain was actor-created, compromised, legitimately operated by the brand, or otherwise misused. ...