CrowdStrike, a leading cybersecurity firm, has uncovered a phishing campaign that uses its own branding to distribute cryptocurrency-mining malware.

Disguised as part of a recruitment process, the scam involves phishing emails claiming recipients have advanced to the next stage of hiring for a junior developer role. Victims are instructed to download a fake employee CRM tool linked in the email. The executable file secretly installs XMRig, a cryptominer, while displaying an error message to mask the installation. CrowdStrike discovered the campaign on January 7, 2025, and warned of scams involving fraudulent job offers using its name.

The phishing malware performs sophisticated checks to evade detection, scanning for debugging tools and verifying system specifications like CPU cores and process activity before proceeding. If conditions are met, it downloads the XMRig miner from GitHub and a configuration file from another server. To maintain persistence, the malware adds a batch script to the Windows Startup folder, ensuring the miner runs each time the system boots. CrowdStrike advises vigilance against unsolicited job offers and urges users to verify recruitment communications directly with official channels.

In a related development, Trend Micro has flagged a malicious proof-of-concept (PoC) targeting security researchers investigating CVE-2024-49113, known as the LDAPNightmare vulnerability in Windows. A counterfeit GitHub repository mimicking a legitimate SafeBreach Labs PoC replaces exploit files with malware disguised as "poc.exe." This binary deploys a PowerShell script to schedule a task that downloads additional scripts from Pastebin. The final payload is an information stealer that gathers system metadata, IP addresses, and network configurations. Although PoC-based malware tactics are not new, researcher Sarah Pearl Camiling highlights the danger of exploiting trending vulnerabilities to deceive victims, emphasizing the need for caution when accessing security research tools.