Cyber Security News

Threat Actors with Fake Job Lures Attacking Job Seekers to Deploy Advanced Malware

In recent months, a sophisticated campaign has emerged in which state-linked threat actors are leveraging fake job offers to ensnare unsuspecting job seekers and deliver advanced malware.

These attackers craft convincing phishing emails that direct victims to look-alike career portals, impersonating leading aerospace and defense firms.

The lure often begins with a personalized outreach on professional networks, complete with detailed job descriptions and branded graphics, before guiding candidates to enter credentials on counterfeit login pages.

Once authenticated, the site delivers a malicious archive containing bespoke implants that establish stealthy footholds on victims’ machines.

Check Point analysts noted that the evolution of this operation represents a marked shift from mass-market phishing to tightly controlled, per-target engagements.

By registering domains behind privacy services and provisioning each victim with unique credentials, the attackers maintain operational security and minimize detection.

The malicious payloads are delivered only after successful authentication, ensuring that security researchers cannot easily uncover the sites through generic crawling.

Emerging variants of the malware, dubbed MiniJunk and MiniBrowse by researchers, incorporate modular architectures with obfuscation layers that thwart static and dynamic analysis.

MiniJunk focuses on long-term persistence: it modifies Windows API calls to load malicious DLLs from alternate paths, a technique that bypasses common antivirus heuristics.

Meanwhile, MiniBrowse silently harvests web session cookies, browser history, and saved credentials before exfiltrating the data over encrypted channels.

The impact of these campaigns extends beyond individual compromise. Targeted organizations span the Middle East and Europe, including critical sectors such as telecommunications, aerospace, and defense contracting.

In one intercepted attempt, a candidate applying for an engineering role at a European aerospace firm unwittingly deployed a SlugResin-derived payload that established a reverse shell connection within seconds of execution.

Through these infections, threat actors gain persistent access to corporate networks, opening pathways for espionage, intellectual property theft, and subsequent lateral movement.

Infection Mechanism and DLL Hijacking

At the core of the MiniJunk variant lies a refined DLL hijacking strategy that subverts legitimate Windows processes.

After initial execution, the loader modifies the process’s search path by patching the PEB (Process Environment Block), redirecting DLL resolution to attacker-controlled directories.

The following pseudocode illustrates the key steps:

// Patch PEB to redirect DLL search
PPEB peb = NtCurrentTeb()->ProcessEnvironmentBlock;
UNICODE_STRING evilPath = RTL_CONSTANT_STRING(L"C:\\Users\\Public\\WinSys\\");
peb->ProcessParameters->DllDirectory = evilPath;

// Load target process with hijacked DLLs
STARTUPINFO si = {0};
PROCESS_INFORMATION pi;
CreateProcessW(L"C:\\Windows\\System32\\svchost.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
ResumeThread(pi.hThread);

This technique ensures that when svchost.exe or similar trusted binaries initialize, they load malicious libraries instead of legitimate system DLLs.

The infection chain (Source – Check Point)

By embedding the loader within a seemingly benign executable, the attackers achieve stealth and persistence without raising immediate alarms on endpoint security tools.

Organizations should enforce strict code integrity policies and monitor unusual DLL load behaviors to detect and mitigate such attacks.

Continuous analysis of process injection patterns and validation of DLL search paths will be critical defenses against this emerging threat.
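One way to operationalize the DLL-load monitoring and search-path validation recommended above, and to catch the redirected-directory behaviour described in the infection mechanism section: this is an added example, not code from the article or from Check Point. It runs a few constructed Sysmon-style image-load records (Event ID 7 fields) through simple search-order-hijack checks; the trusted and writable directory lists and the set of system DLL names are illustrative assumptions, not a complete policy.

```python
"""Flag DLL loads that look like search-order hijacking (constructed Sysmon-style records)."""
from __future__ import annotations
import ntpath

# Directories Windows trusts for system DLLs; a system binary loading from
# anywhere else deserves a look. Lower-cased for comparison. (Assumed list.)
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# User-writable locations commonly abused as a redirected DLL directory. (Assumed list.)
WRITABLE_DIRS = (r"c:\users\public", r"c:\programdata", r"\appdata\local\temp")
# A few DLL names that belong in System32; a copy elsewhere is suspicious. (Assumed list.)
SYSTEM_DLL_NAMES = {"version.dll", "cryptsp.dll", "wtsapi32.dll", "dbghelp.dll", "cryptbase.dll"}

def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()

def _under(path: str, dirs) -> bool:
    # Entries starting with a backslash are matched as substrings (e.g. any user's Temp),
    # absolute entries as path prefixes.
    return any(d in path if d.startswith("\\") else path.startswith(d) for d in dirs)

def assess_image_load(event: dict) -> list[str]:
    """Return the reasons an image load is suspicious (empty list if it looks benign).
    event keys mirror Sysmon Event ID 7: Image, ImageLoaded, Signed ('true'/'false')."""
    proc = _norm(event["Image"])
    dll = _norm(event["ImageLoaded"])
    reasons = []
    if _under(proc, TRUSTED_DIRS) and not _under(dll, TRUSTED_DIRS):
        reasons.append("system binary loaded a DLL from outside trusted system directories")
    if ntpath.basename(dll) in SYSTEM_DLL_NAMES and not _under(dll, TRUSTED_DIRS):
        reasons.append("known system DLL name loaded from a non-system path (search-order hijack)")
    if _under(dll, WRITABLE_DIRS) and event.get("Signed", "false").lower() != "true":
        reasons.append("unsigned DLL loaded from a user-writable directory")
    return reasons

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\cryptsp.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Users\Public\WinSys\cryptsp.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\App\app.exe", "ImageLoaded": r"C:\Program Files\App\helper.dll", "Signed": "true"},
]

def triage(events) -> dict[str, list[str]]:
    """Map each suspicious DLL path to its reasons; benign loads are omitted."""
    return {e["ImageLoaded"]: r for e in events if (r := assess_image_load(e))}

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

In production the same checks would be fed from the Sysmon or EDR image-load stream rather than the inline list, and the trusted-directory set should be derived from the host's actual installation paths.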


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
