A malware campaign named “GrassCall” has been detected that specifically targets job seekers through deceptive hiring lures.
The campaign, attributed to the threat group known as Crazy Evil, has been luring job hunters with fake employment opportunities advertised on prominent platforms including LinkedIn and CryptoJobsList.
This newly discovered threat has been operational since early 2025, with significant attacks documented throughout February leading into March.
The attack methodology employed by the GrassCall operators involves a multi-stage approach designed to appear legitimate to unsuspecting victims.
After initial contact regarding supposed job opportunities, targets are invited to participate in video interviews for non-existent positions.
The attackers then direct victims to download what they claim is specialized video conferencing software called “GrassCall” to proceed with the interview process.
This social engineering tactic effectively bypasses initial suspicion by embedding the malicious activity within a context that feels natural to job seekers eager to advance their employment prospects.
Upon installation, the malware deploys different payloads depending on the victim’s operating system. Windows users receive a customized infostealer variant specifically engineered to extract sensitive information, while macOS users are targeted with the AMOS Stealer strain.
The comprehensive data exfiltration capabilities of these payloads represent a significant threat to personal and financial security.
The consequences of infection are severe, with the malware programmed to harvest authentication cookies, saved credentials from browsers, cryptocurrency wallet information, and additional sensitive data that can lead to identity theft and financial losses.
Cybersecurity analysts at Broadcom noted that the malware utilizes sophisticated evasion techniques to remain undetected while transmitting stolen information to command and control servers operated by the threat actors.
Intelligence reports indicate that the threat actors have recently evolved their campaign, rebranding their malicious software as “VibeCall” while maintaining similar tactical approaches.
This adaptation suggests the attack campaign remains active and profitable for the criminal operators, necessitating continued vigilance from job seekers.
Technical Details and Protection Measures
The GrassCall malware employs advanced persistence mechanisms to maintain access to compromised systems.
Upon execution, the malware creates registry entries so that it launches automatically at system start, giving it a foothold that survives reboots.
The Windows variant utilizes PowerShell scripts to disable security features and extract credential information from various browsers including Chrome, Firefox, and Edge.
Meanwhile, the macOS variant leverages AppleScript to bypass Gatekeeper protections and gain access to sensitive areas of the operating system.
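The persistence and PowerShell behaviour described above is visible to defenders in the Windows Run keys. The following added Python example (written for this article, not code from Broadcom, Symantec or the malware itself) audits the text output of a `reg query ...\CurrentVersion\Run` export for entries that look like infostealer-style persistence: binaries launched from temporary or user-writable locations, and PowerShell started with hidden-window, policy-bypass or encoded-command flags. The registry sample embedded in the block is constructed for illustration; the entry names and paths in it are not real GrassCall indicators.

```python
"""Audit Windows Run-key autorun entries for infostealer-style persistence indicators.

Input is the plain-text output of `reg query` on a Run key (constructed sample below).
The audit does not modify anything; it only ranks entries by how many indicators match,
so an analyst can review the highest-scoring entries first.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the layout `reg query` prints; names and paths are hypothetical.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\update.ps1
    Helper      REG_SZ    C:\Users\alice\AppData\Local\Temp\meeting-client.exe
    Discord     REG_SZ    C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe
"""

# One value line: <name> REG_SZ|REG_EXPAND_SZ <command line>
ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<cmd>.+?)\s*$")

# Directories a normal user can write to; legitimate installers rarely autorun from here.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")

# PowerShell switches commonly paired to run a script quietly and outside policy.
POWERSHELL_FLAGS = ("-windowstyle hidden", "-executionpolicy bypass", "-encodedcommand", "-noprofile")

# Script payloads handed to an interpreter instead of a compiled binary.
SCRIPT_RE = re.compile(r"\.(ps1|vbs|js|bat)\b")


@dataclass
class Finding:
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_run_entries(text: str) -> List[Tuple[str, str]]:
    """Return (value name, command line) pairs from reg query output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("cmd")))
    return entries


def assess(name: str, cmd: str) -> Optional[Finding]:
    """Apply each indicator to one entry; None when nothing matched."""
    low = cmd.lower()
    reasons = []
    if any(p in low for p in USER_WRITABLE):
        reasons.append("launches from a temporary or user-writable directory")
    flags = [f for f in POWERSHELL_FLAGS if f in low]
    if "powershell" in low and flags:
        reasons.append("powershell started with evasion flags: " + ", ".join(flags))
    if SCRIPT_RE.search(low):
        reasons.append("payload is a script handed to an interpreter")
    return Finding(name, cmd, reasons) if reasons else None


def audit(text: str) -> List[Finding]:
    """Findings for every suspicious entry, highest indicator count first."""
    findings = [f for name, cmd in parse_run_entries(text) if (f := assess(name, cmd))]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in audit(SAMPLE_REG_QUERY):
        print(f"[{f.score}] {f.name}: {f.command}")
        for r in f.reasons:
            print("     -", r)
```

On the constructed sample the `Updater` entry matches all three indicators and `Helper` one, while the OneDrive and Discord entries (both legitimate-looking autoruns) produce no finding. The score is a triage aid, not a verdict: a single low-scoring match such as a binary in `Temp` still deserves a look, and a real deployment would run the same audit over `HKLM` and the `RunOnce` keys as well.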
Cybersecurity firm Symantec has implemented protection measures against this threat through multiple security products.
Their Carbon Black-based protection relies on policies that block all categories of malware from executing, including those classified as Known, Suspect, and Potentially Unwanted Programs (PUP).
The protection mechanism also includes a delayed execution feature that leverages cloud scanning capabilities to maximize the effectiveness of VMware Carbon Black Cloud reputation services in identifying and blocking malicious components.
File-based protection identifies the threat under various signatures including OSX.Trojan.Gen for macOS systems, and Trojan.Gen.MBT and WS.Malware.1 for Windows platforms.
Additionally, web-based protection covers observed malicious domains and IP addresses through security categories implemented in WebPulse-enabled products, helping to prevent the initial infection by blocking communication with command and control infrastructure.
Security experts recommend that job seekers exercise caution when receiving unsolicited job offers, particularly those requiring the download of unfamiliar software for interview processes.
Organizations should maintain updated threat intelligence and implement comprehensive security awareness training to educate employees about emerging social engineering tactics targeting job seekers in today’s competitive employment landscape.