CrowdStrike has recently warned about a phishing campaign that exploits its own brand to distribute a cryptocurrency miner. The attack begins with a phishing email that impersonates the company’s recruitment process, specifically targeting potential candidates for a junior developer role. The email directs recipients to a fake website where they are prompted to download a supposed customer relationship management (CRM) application. This application, however, is a downloader for the XMRig cryptominer, which is then installed on the victim’s machine.
The phishing email lures recipients with the promise of progressing to the next stage of the hiring process, suggesting they need to download the CRM tool to join a call with the recruitment team. Once the victim downloads and runs the fake application, it performs a series of checks to ensure the system is suitable for the malware’s execution. These checks include detecting the presence of debugging tools, scanning for malware analysis or virtualization software, and ensuring the system has a certain number of active processes and at least two CPU cores. If these conditions are met, the malware proceeds with its payload download.
After passing these checks, the application will display an error message to the victim about a failed installation while secretly downloading the XMRig cryptominer from a GitHub repository and additional configuration from an external server. The miner then runs in the background, consuming system resources. To maintain persistence on the infected machine, the malware adds a batch script to the Windows Start Menu Startup folder, ensuring that the miner continues to run even after the system is rebooted.
CrowdStrike discovered this malicious campaign on January 7, 2025, and has confirmed awareness of similar scams involving false job offers. The company emphasized that the phishing attempt was highly sophisticated, using its own branding and recruitment process as bait. This development highlights the growing trend of cybercriminals using familiar organizations and job offers as part of their attack strategies to distribute malware.
