{
	"id": "8bb037ab-a265-4957-a8c2-c0d4fbd731b4",
	"created_at": "2026-04-06T00:18:35.537568Z",
	"updated_at": "2026-04-10T03:22:01.298996Z",
	"deleted_at": null,
	"sha1_hash": "1331ea8eeeffec57d28746d27811615092c75415",
	"title": "Fake Cisco Job Posting Targets Korean Candidates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 952300,
	"plain_text": "Fake Cisco Job Posting Targets Korean Candidates\r\nBy Edmund Brumaghin\r\nPublished: 2019-01-30 · Archived: 2026-04-05 20:30:53 UTC\r\nEdmund Brumaghin and Paul Rascagneres authored this post, with contributions from Jungsoo An.\r\nExecutive summary  \r\nCisco Talos recently observed a targeted malware campaign being leveraged in an attempt to compromise specific\r\norganizations. The infection vector associated with this campaign was a Microsoft Word document that was\r\ndisguised as a job posting for Cisco Korea, and leveraged legitimate content available as part of job postings on\r\nvarious websites. EST Security also described this campaign in a blog post this week. This malicious Office\r\ndocument appears to have been the initial portion of what was designed to be a multi-stage infection process.\r\nDuring our analysis of this campaign, we located additional samples that we believe are linked to multiple\r\nprevious campaigns associated with the same threat actor. Each of the campaigns leveraged malicious documents\r\nand initial stage payloads that all featured similar tactics, techniques, and procedures (TTP). Due to the targeted\r\nnature of this campaign, the lack of widespread indicator of compromise data, and the apparent nature of the\r\ntargeting, this appears to be associated with a sophisticated attacker. This sort of attack has become more common\r\nas threat actors continue to target users to gain an initial foothold in environments. 
Organizations are encouraged\r\nto employ a defense-in-depth approach to security and disallow the execution of macros where possible.\r\nMalicious Office document\r\nThe malicious document purports to relate to an employment opportunity with Cisco in Korea with the name \"Job\r\nDescriptions.doc.\" The contents of the document match legitimate job descriptions that are available online.\r\nBelow is a screenshot showing the contents of the decoy document.\r\nhttps://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html\r\nPage 1 of 10\n\nThe contents of this document appear to be copied from job descriptions that are publicly available online. Here's\r\nan example of these documents:\r\nThe file metadata associated with the Word document indicates that it may have been created in 2018, but was last\r\nsaved on Jan. 29, 2019.\r\nThe Microsoft Word document contains malicious macros that are responsible for extracting a malicious PE32\r\nexecutable called \"jusched.exe\" (the same name as the Java updater binary) which is dropped into\r\n%APPDATA%\\Roaming. The macro is obfuscated:\r\nThe encoded string is a PE32 executable encoded with the XOR key: 0xe7. Below is the decoded value of the\r\nvariable str(1), which we can identify as a PE header:\r\nThe functionality present in the PE32 is described in the next section.\r\nFirst-stage malware payload\r\nBinary purpose\r\nThe PE32 executable attempts to contact the command and control (C2) server over HTTP, presumably to retrieve\r\nadditional instructions (script or PE32 executable) for execution on the infected system.\r\nUnfortunately, at the time of our analysis, the second-stage payload was no longer available and the HTTP\r\nrequests resulted in HTTP 404 messages. 
The domain contacted is a legitimate website that had been\r\ncompromised and was being used to host malicious content (www[.]secuvision[.]co[.]kr/).\r\nAPI obfuscation\r\nThe attackers hid four specific API calls. The APIs are not listed in the import table, but they are loaded\r\ndynamically using GetProcAddress(). The function names are obfuscated to make static analysis more difficult.\r\nHere's one example:\r\nWe can see the library name (kernel32.dll) but not the function name (3ez7/+r7zuzx/fvt7d8=). The string is\r\ndecoded by using mathematical byte operations. Below are the decoded APIs:\r\n3ez7/+r7zuzx/fvt7d8= -\u003e CreateProcessA()\r\n2vvy++r7y+zy3f/99vvb8Ors598= -\u003e DeleteURLCacheEntryA()\r\ny8zS2vHp8PLx//rK8dj38vvf -\u003e URLDownloadToFileA()\r\ny8zS0e778M3q7Pv/898= -\u003e URLOpenStreamA()\r\nThe APIs are linked to the process creation, as well as network communications. We assume the attackers were\r\nattempting to hide suspicious APIs from static analysis detection engines that use the import table. The C2 server\r\nis listed in plain text, indicating that this functionality was not implemented to thwart manual analysis.\r\nLinks to previous campaigns\r\nDuring our analysis of this campaign, we identified several additional samples that we believe are linked to this\r\ncampaign.\r\nCase 1\r\nOne of these related samples was used in August 2017 and featured the filename \"주요 IT 정보보호 및 보안 업체 리스트.zip\" (\"List of major IT information security and security companies\"). The ZIP archive contains an\r\nOffice document that features the same macros as the original sample, but is responsible for dropping a different\r\nPE32 executable. 
The macros also use the same XOR key as the original sample.\r\nThis document describes a list of companies with a summary of their products.\r\nThe macros were responsible for dropping a different PE32 executable that was also called \"jusched.exe.\" The\r\nAPI obfuscation algorithm used in this campaign was the same as the one used in our original sample. Below is a\r\nscreenshot showing the code execution flow in both samples. On the left is the sample from August 2017. On the\r\nright is the sample from January 2019.\r\nThe C2 server in this campaign was www[.]syadplus[.]com, which is another legitimate website that was\r\ncompromised.\r\nThe SHA256 of the Office document is:\r\n809b1201b17a77732be3a9f96a25d64c8eb0f7e7a826c6d86bb2b26e12da7b58.\r\nThe SHA256 of the PE32 executable is:\r\nadfb60104a6399c0b1a6b4e0544cca34df6ecee5339f08f42b52cdfe51e75dc3.\r\nCase 2\r\nThe second campaign we identified was observed in November 2017. In this case, the filename was \"이력서_자기소개서.xls\" (\"Resume _ self introduction\"). 
Similar to the previously described campaigns, this document\r\nleveraged the same macro execution and XOR key, but was responsible for dropping another PE32 executable.\r\nIn this campaign, the malicious document was simply an empty resume template.\r\nThe C2 server used in this campaign was ilovesvc[.]com, another example of a legitimate website that had been\r\ncompromised by the threat actor and used to host malicious content.\r\nThe SHA256 of the Office document is:\r\nbf27c1631ef64c1e75676375a85d48f8ae97e1ea9a5f67c2beefc02c609fc18b.\r\nThe SHA256 of the PE32 is:\r\n1497ab6ddccf91ef7f2cd75ce020bb3bf39979210351deaa6e0025997ddfda5a.\r\nConclusion\r\nThese campaigns demonstrate the increasingly sophisticated nature of attacks that are being leveraged by threat\r\nactors attempting to compromise organizations around the world. In this most recent campaign, the attackers took\r\nthe content of legitimate job postings and used that in an attempt to add legitimacy to the malicious Office\r\ndocuments being delivered to potential victims. The use of the same TTPs across multiple campaigns over a long\r\nperiod demonstrates that this threat actor has been operational for years, and is continuing to operate to achieve\r\ntheir mission objectives. 
Cisco Talos continues to monitor the global threat landscape to ensure that customers\r\nremain protected from these as well as additional attacks that may be observed in the future.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs are associated with this campaign:\r\nDomains\r\nIt is important to note that in all of the campaigns that we observed, the domains being leveraged by the malware\r\nwere legitimate websites that had been compromised by the threat actor for the purposes of hosting malicious\r\ncontent:\r\nwww[.]secuvision[.]co[.]kr\r\nilovesvc[.]com\r\nwww[.]syadplus[.]com\r\nBelow is a screenshot showing how AMP can protect customers from this threat.\r\nSource: https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html"
	],
	"report_names": [
		"fake-korean-job-posting.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434715,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1331ea8eeeffec57d28746d27811615092c75415.pdf",
		"text": "https://archive.orkl.eu/1331ea8eeeffec57d28746d27811615092c75415.txt",
		"img": "https://archive.orkl.eu/1331ea8eeeffec57d28746d27811615092c75415.jpg"
	}
}