Phishing via Recruitment: The Rise of Crypto Investment Scams Masquerading as Job Offers

2025-07-18

Cybercrime is an ever-evolving beast. As companies and individuals get better at protecting themselves, cybercriminals always seem to be one step ahead. This time, it is jobseekers who are at risk. A new tactic involving a phishing campaign disguised as a legitimate job recruitment process was discovered by the Texas-based cybersecurity company CrowdStrike in early January 2025. Bad actors distributed phishing emails impersonating CrowdStrike recruitment that prompted victims to download and run a fake application, which was in fact a downloader for cryptocurrency mining malware. This cruel scam is a harsh reminder that even something as exciting as a potential job prospect can become a weapon.

 

How Does it Work?

The scam begins with a seemingly innocent email. Appearing to be from CrowdStrike’s recruitment team, the message brings some good news - the recipient has been shortlisted for a junior developer role and is invited to attend an interview. To proceed, victims are required to download and run a ‘new applicant and employee CRM app’ from a website provided. It has supposedly been created to ‘streamline the onboarding process’ and is available for both Windows and macOS. What’s not to trust?
However, the downloaded application is a Windows executable written in Rust, regardless of whether the Windows or the macOS option was chosen. Once run, it performs a series of environment checks to evade detection. These include verifying the presence of debugging tools, checking for virtualization software, and ensuring the system has sufficient resources (e.g., at least two CPU cores and a minimum number of active processes). If the system passes these checks, the malware displays a fake error message, masking its true activity: downloading and executing the XMRig cryptominer from GitHub.

 

What is XMRig?

XMRig is open-source software commonly used for mining cryptocurrencies like Bitcoin and Monero. While openly available and legitimate in its own right, XMRig can be misused by cybercriminals in cryptojacking attacks, where it is installed without the victim’s consent and used to mine cryptocurrency on the attacker’s behalf. In this campaign, the malware uses configuration files fetched from a remote server to run XMRig quietly in the background, using system resources and generating cryptocurrency for the attackers without them spending any money on the equipment and energy required for such pricey operations. It is designed to operate indefinitely, even if the system is rebooted, unless detected and removed.
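For defenders, the behaviour described above (a miner started quietly from a fetched configuration file) can be triaged from process telemetry and dropped files. The following is an added example, not code from CrowdStrike or from the original article; the event fields, paths and pool name are constructed, and the option and config key names are XMRig's own.

```python
import json
import re

# Traits that survive a renamed binary; option names are from XMRig's help text.
STRONG = {
    "binary-name": re.compile(r"xmrig", re.I),
    "stratum-url": re.compile(r"stratum\+(?:tcp|ssl)://", re.I),
    "xmrig-option": re.compile(r"--(?:donate-level|cpu-max-threads-hint|nicehash)\b"),
}
# Weak on its own: plenty of benign tools take a JSON config path.
WEAK = {"config-file": re.compile(r"(?:^|\s)(?:-c|--config)(?:=|\s+)\S+\.json\b", re.I)}

def triage(event: dict) -> tuple[str, list[str]]:
    """Return (verdict, matched rule names) for one process-creation event."""
    text = f"{event.get('image', '')} {event.get('cmdline', '')}"
    strong = sorted(n for n, rx in STRONG.items() if rx.search(text))
    weak = sorted(n for n, rx in WEAK.items() if rx.search(text))
    if strong:
        return "alert", strong + weak
    return ("review", weak) if weak else ("clean", [])

def is_miner_config(raw: str) -> bool:
    """True when JSON text has the shape of an XMRig config: pools plus miner settings."""
    try:
        cfg = json.loads(raw)
    except ValueError:
        return False
    if not isinstance(cfg, dict):
        return False
    pools = cfg.get("pools")
    has_pool = isinstance(pools, list) and any(
        isinstance(p, dict) and p.get("url") for p in pools)
    return has_pool and len({"donate-level", "randomx", "cpu"} & cfg.keys()) >= 1

# Constructed sample telemetry and config; none of it is taken from the campaign.
EVENTS = [
    {"image": r"C:\Users\dev\Downloads\xmrig.exe", "cmdline": "xmrig.exe -o pool.example:3333"},
    {"image": r"C:\ProgramData\upd\helper.exe",
     "cmdline": "helper.exe --donate-level=1 -o stratum+tcp://pool.example:3333"},
    {"image": r"C:\ProgramData\upd\helper.exe",
     "cmdline": r"helper.exe --config=C:\ProgramData\upd\settings.json"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]
DROPPED_CONFIG = '{"pools": [{"url": "pool.example:3333", "user": "WALLET"}], "donate-level": 1}'

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev), ev["cmdline"])
    print("settings.json is miner config:", is_miner_config(DROPPED_CONFIG))
```

The third event shows why command-line rules alone are not enough for a config-driven launch: it only reaches "review" until the referenced file is inspected with `is_miner_config`.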

 

How does a deepfake voice scam call work?

The phone calls tend to sound urgent, requiring immediate action. Someone pretending to be a family member may claim they were in an accident and need financial aid or a voice claiming to be a policeman may accuse you of connection to a crime and request an immediate payment of a “fine” to avoid more severe consequences. In some instances, the voice may belong to a colleague or head of a company asking for confidential data or an immediate bank transfer.
Whoever is on the other end will attempt to create a high-pressure situation and cause a sense of panic to prevent the victim from thinking rationally.

 

Why Does it Work?

What makes this campaign successful is the bad actors’ careful attention to detail. The phishing emails and websites are created to closely mimic CrowdStrike’s branding, even redirecting users to the legitimate CrowdStrike support portal after the malware is installed. This level of sophistication is rare in phishing attacks, which often rely on generic or poorly constructed lures that tend to contain spelling mistakes or low-quality images.
“The campaign uses URLs that were created to look like they might actually belong to CrowdStrike,” said Chance Caldwell, senior director of the Phishing Defence Center at Cofense. “Most of the use cases we see are lucky to have proper branding, much less the extended work done here to really portray themselves as CrowdStrike.”

 

Why Do Recruitment Scams Work?

Recruitment scams are particularly effective because they exploit their victims’ hopes and desire to gain employment. Job seekers are often excited to respond to potential opportunities, especially when they have been looking for a while and an offer comes from a reputable company like CrowdStrike. Because most of the recruitment process now happens online and many employers conduct interviews remotely, it has become easier for bad actors to blend in and invent new tactics that were not available to them before. In addition, with the rise in popularity of AI-powered tools in the recruitment process, potential candidates are aware that they will often not be in touch with a real person until the late stages of the process. This knowledge, combined with the use of professional language, realistic job descriptions, and convincing-looking interview scheduling links, can be enough to trick an excited (or simply tired) jobseeker.

 

How Can I Protect Myself?

CrowdStrike has issued several warnings to job seekers and provided guidelines to help identify fraudulent recruitment communications. As this tactic can be used to impersonate any company currently recruiting, the recommended steps can be and should be applied when corresponding with all potential employers.
Key recommendations include:
-  Verify the source: always check the sender’s email address and domain. Legitimate companies use official domains and do not conduct interviews via instant messaging platforms like WhatsApp or Facebook Messenger.
-  Avoid downloading software: no legitimate employer will ask you to download an executable file as part of the interview process. If an application like Zoom, Microsoft Teams or Cisco Webex is required to attend an interview, always download it from an official website and never from a link shared in an email or a message.
-  Contact the company directly: if in doubt, reach out to the company’s HR or recruitment team using contact information from their official website.
-  Use antivirus and endpoint protection: ensure your system is protected with up-to-date security software that can detect and block malicious downloads.
-  Report: if you fall victim to a cybercrime, report it to the appropriate authorities to help stop the spread of the campaign. Various countries have separate authorities for reporting cybercrime incidents, but the appropriate information can be found by entering ‘report a cybercrime’ in a search engine.
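The "verify the source" check above can be made mechanical. This is an added example, not part of the original article or CrowdStrike's guidance: it assumes crowdstrike.com is the employer's official mail domain, the sample headers in the usage are constructed, and the 0.85 similarity threshold is an illustrative choice.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

OFFICIAL = {"crowdstrike.com"}  # assumption: the employer's official mail domain
BRAND = "crowdstrike"

def sender_domain(from_header: str) -> str:
    """Domain of the actual address; the display name is attacker-chosen text."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def resembles_brand(label: str) -> bool:
    """Brand embedded in a label, or a near-miss spelling of it (hyphens ignored)."""
    squashed = label.replace("-", "")
    return BRAND in squashed or SequenceMatcher(None, squashed, BRAND).ratio() >= 0.85

def classify(from_header: str) -> str:
    """Return 'official', 'lookalike', 'other' or 'unparseable' for a From header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    # Official only on an exact match or a true subdomain, never on a substring.
    if any(domain == d or domain.endswith("." + d) for d in OFFICIAL):
        return "official"
    # Punycode labels can render as look-alike characters; treat them as suspect.
    if any(l.startswith("xn--") or resembles_brand(l) for l in domain.split(".")):
        return "lookalike"
    return "other"

if __name__ == "__main__":
    # Constructed sample headers (not taken from the campaign).
    for header in [
        "CrowdStrike Talent <recruiting@crowdstrike.com>",
        "CrowdStrike Recruiting <hr@crowdstrike-careers.example>",
        "hr@crowdstrike.com.apply-portal.example",
        "jobs@crowdstrlke.example",
        '"recruiting@crowdstrike.com" <hr@mail-onboarding.example>',
    ]:
        print(f"{classify(header):10} {header}")
```

The From header can itself be forged, so an "official" result complements the receiving mail server's SPF, DKIM and DMARC verdicts and does not replace them.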

Conclusion

The CrowdStrike impersonation scam is a stark reminder that cybercriminals are constantly adapting their tactics to exploit new vulnerabilities. In this case, the vulnerability is human trust. As job hunting increasingly moves online, and as AI tools become more common in recruitment, it’s easier than ever for scammers to blend in and deceive even the most cautious candidates.
By staying informed, verifying sources, and reporting suspicious activity, jobseekers can protect themselves and help prevent these scams from spreading further. In today’s digital world, cybersecurity isn’t just a company’s responsibility - it’s personal.

 

Sources

https://www.crowdstrike.com/en-us/blog/recruitment-phishing-scam-imitates-crowdstrike-hiring-process/ 
https://www.darkreading.com/threat-intelligence/crowdstrike-job-interviews-hacker-tactic 
https://thehackernews.com/2025/01/crowdstrike-warns-of-phishing-scam.html 

 

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.
