Beware: Phishing Scam Targets Programmers with Fake Freelance Job Offers

Just a SOC Analyst ^^
Background
Recently, phishing campaigns targeting the developer community, especially freelancers, have significantly increased. A new tactic has been recorded: hackers impersonate clients, approach developers through social media or job platforms, and offer to "fix code errors for unusually high pay." Accompanying this is a password-protected ZIP file containing malicious JavaScript code.
This tactic is not new in the malware research community, but it is now clearly targeting technical groups, who tend to trust reasonable technical requests and can be easily deceived by files that "look real."
Exploitation Scenario
The attacker approaches the victim through personal channels (chat, email, social media), posing as a client needing a code fix, along with an unusually high payment: "Hey, I have a code that doesn't run, please fix it for me, I'll pay 15 million."
When the user downloads and extracts the files, they find an app.js file along with several auxiliary JS files like helper/css.js.

Figure 1. Suspicious auxiliary files appear after extraction
On the surface, the files have normal characteristics of web projects. However, upon analysis, it can be seen that:
The eval() function executes code from a suspicious .txt file.
The code uses obfuscation techniques: confusing function names and meaningless variable names, making it difficult to read the code directly.
There is no actual error fixing, data processing, or business logic – this is not a real job.

Figure 2. The eval() function executes code from a suspicious .txt file
After analyzing the executed command sequence, the analyst discovers that the malware is calling 7za.exe to extract two other password-protected ZIP files, to retrieve app.exe and node.dll. These are the main payloads installed on the victim's machine.

Figure 3. Two malicious payloads extracted on the victim's machine
Technical Analysis
The attack relies on a sequence of actions written in JavaScript, starting with an entry point function. From there, the malware sequentially performs actions such as reading data (containing information about the files to be processed), then extracting the ZIP files embedded within the project file system.
A common technique used is source code obfuscation, making it difficult for the victim to immediately detect dangerous behavior. The extraction process is hidden behind confusing functions and variables, and the password for extraction is either encrypted or hardcoded in the source code – only revealed during execution.
Once extracted, app.exe performs actions such as:
Searching and extracting browser data: Chrome, Edge, Brave, Opera.
Sending data to a remote server in Russia.
Running entirely in a NodeJS environment, not requiring administrative rights, thus bypassing many warning systems or UAC.
This is an infostealer variant that uses multi-stage payload delivery – downloading and extracting the malware layer by layer to avoid detection.
Recommendations
FPT Threat Intelligence recommends organizations and individuals take several measures to prevent this particularly dangerous attack campaign:
For developers and freelancers:
Do not download and run ZIP files from strangers, especially if they contain .exe, .dll, .ps1, .bat, or script files.
Never run a password-protected ZIP file unless you know its origin and purpose. Analyze it statically using Notepad++, VSCode, or tools like CyberChef.
Use sandboxes like Any.Run or virtual machines to check behavior when in doubt.
Use VirusTotal, MalwareBazaar to scan files or compare malware.
Combine with anti-malware software like Windows Defender, Malwarebytes, or specialized solutions for developers like CrowdStrike Falcon Free.
For organizations or community groups:
Actively promote awareness of "strange job" phishing campaigns in technical groups.
Update endpoint security policies and alert users about technically-oriented social engineering.
Monitor endpoints through logs and alert on anomalous behavior, such as extracting .zip files followed by running unknown .exe files.