Cyber Security News

Squid Werewolf Mimics Recruiters, Attacking Job Seekers to Exfiltrate Personal Data

A sophisticated cyber espionage campaign has been uncovered where threat actors are masquerading as recruiters to target job seekers and employees of specific organizations.

The attackers send phishing emails disguised as job opportunities from legitimate industrial organizations, attaching malicious files that appear to be employment offers but actually deploy malware to steal sensitive information.

Phishing email sent by the threat actor (Source – Bi.Zone)

The campaign uses social engineering tactics centered around job recruitment, a particularly effective strategy as job seekers are more likely to open attachments related to potential employment opportunities.

The emails contain password-protected zip files with seemingly legitimate job descriptions that conceal malicious code.

BI.Zone Security researchers identified this campaign in December 2024, attributing it to a threat actor known as Squid Werewolf (also tracked as APT37 or Reaper Group).

Their analysis revealed the attack had been carefully designed to evade detection while establishing persistent access to victims’ systems.

The initial infection occurs when victims open what appears to be a PDF job description, but is actually a shortcut file (.lnk) with a double extension.

This file executes a sophisticated PowerShell command that extracts and deploys multiple components hidden within the attachment itself.

Once executed, the malware copies the legitimate Windows utility dfsvc.exe to the startup folder, ensuring it runs automatically when the system boots. It then creates supporting files necessary for the attack, including a configuration file and a malicious DLL.

Mechanics of the Attack

The PowerShell command executed by the LNK file reveals the sophisticated nature of this attack:

powershell.exe -nop -c $t=$env:appdata+'\Microsoft\Windows\Start Menu\Programs\Startup';if(Get-ChildItem $env:temp -recurse 'Предложение о работе.pdf.lnk'){$k=New-Object IO.FileStream ($env:temp+'\'+((Get-ChildItem $env:temp -recurse 'Предложение о работе.pdf.lnk').Directory).Name+'\'+'Предложение O работе.pdf.lnk'),'Open','Read','ReadWrite'}
The LNK file contains Base64-encoded payloads that the script extracts and deploys (Source – Bi.Zone)

The malware employs multiple evasion techniques, including time-based sandbox detection and internet connectivity checks.

It contacts a command-and-control server at hwsrv-1253398.hostwindsdns[.]com to download additional encrypted payloads, which are then decrypted with AES-128 in CBC mode.

To protect against such threats, security experts recommend implementing email security solutions, avoiding opening attachments from unknown senders, and deploying endpoint detection and response tools capable of identifying suspicious PowerShell commands and activities in startup locations.
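The chain described above (a document-looking .lnk with a double extension, a no-profile PowerShell one-liner that names the Startup folder, dfsvc.exe and a DLL dropped into Startup) maps cleanly onto a handful of endpoint-telemetry rules. The following is an added example, not code from BI.ZONE or from this article: a small rule set run over constructed, Sysmon-style process-creation and file-creation events. The event field names (`type`, `image`, `command_line`, `target_filename`), the user name `alice`, the DLL name `payload.dll` and the shortened command line are all assumptions made for the example.

```python
"""Detection rules for the Squid Werewolf recruiter-lure chain (added example).

Events below are constructed to resemble Sysmon EventID 1 (process_create) and
EventID 11 (file_create) records; the field names are assumptions, not a
specific product's schema.
"""
import re
from dataclasses import dataclass

# Paths and names the article ties to this chain; the regexes themselves are constructed.
STARTUP_RE = re.compile(r"Microsoft\\Windows\\Start Menu\\Programs\\Startup", re.IGNORECASE)
DOC_LNK_RE = re.compile(r"\.(pdf|docx?|xlsx?|rtf|txt)\.lnk\b", re.IGNORECASE)   # "offer.pdf.lnk"
USER_PATH_RE = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)
PS_NOPROFILE_RE = re.compile(r"(?<![\w-])-(nop|noprofile)\b", re.IGNORECASE)
PS_INLINE_CMD_RE = re.compile(r"(?<![\w-])-(c|command|enc|encodedcommand)\b", re.IGNORECASE)
PLANTED_LOLBINS = {"dfsvc.exe"}   # legitimate Windows binary the campaign copies into Startup


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check_event(ev: dict) -> list[Finding]:
    """Return every rule the single event trips (an event may trip several)."""
    out: list[Finding] = []
    cmd = ev.get("command_line", "")
    image = ev.get("image", "")
    target = ev.get("target_filename", "")

    # Rule 1: a shortcut disguised as a document (double extension) referenced anywhere.
    for text in (cmd, target):
        if DOC_LNK_RE.search(text):
            out.append(Finding("lnk_double_extension", text))
            break

    # Rule 2: PowerShell started without a profile, running an inline command that
    # names the per-user Startup folder (the persistence step in the article).
    if ev["type"] == "process_create" and basename(image).lower() == "powershell.exe":
        if PS_NOPROFILE_RE.search(cmd) and PS_INLINE_CMD_RE.search(cmd) and STARTUP_RE.search(cmd):
            out.append(Finding("powershell_startup_persistence", cmd[:80]))

    # Rule 3: an executable or DLL written into a Startup folder (dfsvc.exe + malicious DLL).
    if ev["type"] == "file_create" and STARTUP_RE.search(target) and target.lower().endswith((".exe", ".dll")):
        out.append(Finding("binary_dropped_in_startup", target))

    # Rule 4: a known-abused Windows binary living under a user profile instead of its
    # install location (dfsvc.exe normally ships under C:\Windows\Microsoft.NET\Framework*).
    for path in (image, target):
        if basename(path).lower() in PLANTED_LOLBINS and USER_PATH_RE.match(path):
            out.append(Finding("lolbin_copy_in_user_profile", path))
            break
    return out


def scan(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


def triggered_rules(events: list[dict]) -> set[str]:
    return {f.rule for f in scan(events)}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed events mirroring the chain in the article (command line shortened).
MALICIOUS_EVENTS = [
    {"type": "process_create", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -nop -c $t=$env:appdata+'\Microsoft\Windows\Start Menu\Programs\Startup';"
                     r"if(Get-ChildItem $env:temp -recurse 'Предложение о работе.pdf.lnk'){...}"},
    {"type": "file_create", "image": PS, "target_filename": STARTUP + r"\dfsvc.exe"},
    {"type": "file_create", "image": PS, "target_filename": STARTUP + r"\payload.dll"},
    {"type": "process_create", "image": STARTUP + r"\dfsvc.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"' + STARTUP + r"\dfsvc.exe" + '"'},
]

# Constructed benign events that should stay silent.
BENIGN_EVENTS = [
    {"type": "process_create", "image": PS, "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe", "target_filename": STARTUP + r"\OneNote.lnk"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "dfsvc.exe"},
]

if __name__ == "__main__":
    for f in scan(MALICIOUS_EVENTS + BENIGN_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Rule 2 deliberately requires all three signals (no profile, inline command, Startup path) so routine administrative PowerShell does not fire it; Rule 3 ignores ordinary shortcuts in Startup, which users and installers legitimately create, and only alerts on executables and DLLs landing there.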


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
