Recruitment Phishing Scam Imitates CrowdStrike Hiring Process

A newly discovered phishing campaign uses CrowdStrike recruitment branding to convince victims to download a fake application, which serves as a downloader for the XMRig cryptominer.

On January 7, 2025, CrowdStrike identified a phishing campaign exploiting its recruitment branding to deliver malware disguised as an "employee CRM application." The attack begins with a phishing email impersonating CrowdStrike recruitment, directing recipients to a malicious website. Victims are prompted to download and run a fake application, which serves as a downloader for the cryptominer XMRig.

How the Scam Works

The phishing email lures victims by claiming to be part of a recruitment process (Figure 1). It links to a malicious website offering download options for both Windows and macOS (Figure 2). However, regardless of the option selected, a Windows executable written in Rust is downloaded. This executable functions as a downloader for XMRig.

Figure 1. Initial phishing email

Figure 2. Impersonated malicious phishing site containing download links for fake “CRM application”

The downloaded executable performs several environment checks to evade detection and analysis before downloading additional payloads. These checks include:

  • Detecting whether a debugger is attached to the process, using the IsDebuggerPresent Windows API
  • Ensuring the system has a minimum number of active processes
  • Verifying that the CPU has at least two cores
  • Scanning the list of running processes for common malware analysis or virtualization tools, so that it does not run in sandboxed or monitored environments

If these checks are passed, the executable displays a fake error message pop-up before continuing.

Figure 3. Fake error message following evasion checks

Once the basic environment checks are completed and the fake error message is displayed, the executable proceeds to download a text file from the URL:

This file contains configuration information for XMRig in the form of command-line arguments that can be appended to a call to the XMRig miner executable.

The executable then downloads a copy of XMRig from GitHub, from the URL:

The downloaded ZIP file is saved to the following path:

The executable extracts the contents of the ZIP file into the %TEMP%\System\ directory and copies the main XMRig executable to the path:

The malware then runs the XMRig miner, using the command-line arguments inside the downloaded configuration text file:

The executable establishes persistence via the following methods:

  • Drops a Windows batch script to the Start Menu Startup directory, at this path:

This batch script executes a dropped copy of the downloaded miner, located at:

The contents of the batch script are the following:

  • The batch script writes a new Windows Registry logon autostart key, located at:

This logon autostart entry executes a dropped copy of the original malicious downloader, located at:

Stay Alert to Stay Safe

This campaign highlights the importance of vigilance against phishing scams, particularly those targeting job seekers. Individuals in the recruitment process should verify the authenticity of CrowdStrike communications and avoid downloading unsolicited files. Organizations can reduce the risk of such attacks by educating employees on phishing tactics, monitoring for suspicious network traffic and employing endpoint protection solutions to detect and block malicious activity.

Outside of this campaign, we are aware of scams involving false offers of employment with CrowdStrike. Fraudulent interviews and job offers use fake websites, email addresses, group chats and text messages. We do not interview prospective candidates via instant message or group chat, nor do we require candidates to purchase products or services, or process payments on our behalf, as a condition of any employment offer. And, in reference to the campaign detailed above, we do not ask candidates to download software for interviews.

Those interested in applying for a role at CrowdStrike should navigate to our Careers page to learn about our job openings and begin our official application process. To verify the authenticity of CrowdStrike recruitment communications, please reach out to recruiting@crowdstrike.com.

Indicators of Compromise

The phishing site, cscrm-hiring[.]com, serves as the base for the attack, hosting the malicious executable and directing victims to download the fake CRM application. The malware establishes its presence by executing in the background, using minimal CPU resources to avoid detection. Key indicators include specific file paths, registry entries and network communication.

Network Indicators

| Indicator | Description |
|---|---|
| cscrm-hiring[.]com | Domain of phishing site |
| https[:]//cscrm-hiring[.]com/cs-applicant-crm-installer[.]zip | URL serving malicious executable |
| 93.115.172[.]41 | IP used for threat actor pool and data |
| http[:]//93.115.172[.]41/private/aW5zdHJ1Y3Rpb25zCg==.txt | Text data containing XMRig parameters |
| 93.115.172[.]41:1300 | Mining pool hosted by threat actor |

Host Indicators

| Indicator | Description |
|---|---|
| 96558bd6be9bcd8d25aed03b996db893ed7563cf10304dffe6423905772bbfa1 | SHA-256 hash of ZIP file containing fake CRM application executable |
| 62f3a21db99bcd45371ca4845c7296af81ce3ff6f0adcaee3f1698317dd4898b | SHA-256 hash of fake CRM application executable |
| 7c370211602fcb54bc988c40feeb3c45ce249a8ac5f063b2eb5410a42adcc030 | SHA-256 hash of downloaded XMRig configuration text file |
| %TEMP%\System\temp.zip | Path to downloaded ZIP file containing XMRig |
| %TEMP%\System\process.exe | Path to persistent copy of XMRig |
| %LOCALAPPDATA%\System32\config.exe | Path to persistent copy of fake CRM application executable |
| %LOCALAPPDATA%\System32\process.exe | Path to persistent copy of XMRig |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Maintenance\info.txt | Path to text file created by fake CRM application executable |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat | Path to persistent batch file |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\config | Registry path of persistent autorun entry |
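The following is a defender-side hunt over endpoint telemetry for the persistence artifacts described above (the Startup batch file, the Run key, the dropped copies under %TEMP%\System and %LOCALAPPDATA%\System32) and the hashes and mining pool from these tables, including extraction of the pool passed to XMRig on its command line. It is an added example, not CrowdStrike's tooling or code from this post; the event dictionary schema, the expanded environment-variable locations, the sample events and WALLET_PLACEHOLDER are assumptions.

```python
import re

# Indicators copied from the tables above; defanged network values are refanged for matching.
IOC_SHA256 = {
    "96558bd6be9bcd8d25aed03b996db893ed7563cf10304dffe6423905772bbfa1",
    "62f3a21db99bcd45371ca4845c7296af81ce3ff6f0adcaee3f1698317dd4898b",
    "7c370211602fcb54bc988c40feeb3c45ce249a8ac5f063b2eb5410a42adcc030",
}
IOC_POOL = "93.115.172.41:1300"
IOC_RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\config"
IOC_PATHS = [  # %TEMP%, %LOCALAPPDATA% and %APPDATA% expanded to their usual AppData locations (assumed)
    re.compile(r"\\AppData\\Local\\Temp\\System\\(temp\.zip|process\.exe)$", re.I),
    re.compile(r"\\AppData\\Local\\System32\\(config|process)\.exe$", re.I),  # no real System32 lives here
    re.compile(r"\\Start Menu\\Programs\\Startup\\startup\.bat$", re.I),
]

def xmrig_pool(cmdline):
    """Return the pool host:port handed to xmrig via -o / --url, or None if there is none."""
    argv = cmdline.split()
    for i, arg in enumerate(argv):
        if arg in ("-o", "--url") and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--url="):
            return arg.split("=", 1)[1]
    return None

def check_event(ev):
    """Return the reasons one telemetry event (a dict; schema is assumed) matches this campaign."""
    hits = []
    if ev.get("sha256", "").lower() in IOC_SHA256:
        hits.append("known-hash")
    pool = xmrig_pool(ev.get("cmdline", ""))
    if pool:  # any miner pool argument deserves a look; the known pool is a firm match
        hits.append("xmrig-pool:" + pool)
        if pool == IOC_POOL:
            hits.append("known-pool")
    if any(p.search(ev.get("path", "")) for p in IOC_PATHS):
        hits.append("ioc-path")
    if ev.get("registry_key", "").lower() == IOC_RUN_KEY.lower():
        hits.append("run-key-config")
    return hits

def hunt(events):
    return [(ev["type"], check_event(ev)) for ev in events if check_event(ev)]

SAMPLE_EVENTS = [  # constructed telemetry; WALLET_PLACEHOLDER stands in for a wallet the post does not give
    {"type": "process", "path": r"C:\Users\u\AppData\Local\Temp\System\process.exe",
     "cmdline": "process.exe -o 93.115.172.41:1300 -u WALLET_PLACEHOLDER --donate-level 0 -k"},
    {"type": "file", "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat"},
    {"type": "registry", "registry_key": IOC_RUN_KEY},
    {"type": "process", "path": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]
```

Running hunt(SAMPLE_EVENTS) flags the first three events and leaves the notepad event untouched; on real telemetry, feed in process-creation, file-write and registry-set events and triage anything that returns a non-empty reason list.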

Learn More

For additional information on CrowdStrike’s in-depth research and real-time access to indicators of compromise (IOCs) like the ones featured in this blog, visit the CrowdStrike Counter Adversary Operations website.
