# Beware: Phishing Scam Targets Programmers with Fake Freelance Job Offers

# Background

Recently, phishing campaigns targeting the developer community, especially freelancers, have increased significantly. A new tactic has been observed: attackers impersonate clients, approach developers through social media or job platforms, and offer to "fix code errors for unusually high pay." The request comes with a **password-protected ZIP file** containing malicious JavaScript code.

This tactic is not new in the malware research community, but it is now **clearly targeting technical groups**, who tend to trust reasonable technical requests and can be easily deceived by files that "look real."

# Exploitation Scenario

The attacker approaches the victim through personal channels (chat, email, social media), posing as a client needing a code fix, along with an unusually high payment: "Hey, I have a code that doesn't run, please fix it for me, I'll pay 15 million."

When the user downloads and extracts the files, they find an `app.js` file along with several auxiliary JS files like `helper/css.js`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747146460413/223b18fb-5f34-4449-bf66-08a396b2faaf.jpeg align="left")

*Figure 1. Suspicious auxiliary files appear after extraction*

On the surface, the files have normal characteristics of web projects. However, upon analysis, it can be seen that:

* The `eval()` function executes code from a suspicious `.txt` file.
    
* The code uses **obfuscation** techniques: confusing function names, meaningless variable names, making it difficult to read the code directly.
    
* There is no actual error fixing, data processing, or business logic – this is not a real job.
    

![Screenshot of app.js: site_version() reads public/css/types.txt with fs.readFile() and passes the contents to eval()](https://scontent.fhan14-4.fna.fbcdn.net/v/t39.30808-6/495245630_3291791384306537_3113445750886126812_n.jpg?_nc_cat=102&ccb=1-7&_nc_sid=aa7b47&_nc_ohc=T_f7KiINACoQ7kNvwG85WfM&_nc_oc=AdkfRYL0HDFCh6QUL9XOKrlXgr8ugdKu7mmDNzE_DCM7rbdAu2eSizh0VBVI-swI-X4&_nc_zt=23&_nc_ht=scontent.fhan14-4.fna&_nc_gid=sDLUaW_srmLiwzaMEG1yAQ&oh=00_AfLJtrTMOHUtUjklfpmCR5DhmzgVDsXRTt6HE-bXjzFvVQ&oe=68287B4B align="left")

*Figure 2. The eval() function executes code from a suspicious .txt file*

After analyzing the executed command sequence, the analyst discovers that the malware is calling `7za.exe` to **extract two other password-protected ZIP files**, to retrieve `app.exe` and `node.dll`. These are the **main payloads** installed on the victim's machine.

![File listing of output_dir showing app.exe (Application, 5,414 KB) and node.dll (Application extension, 637 KB)](https://scontent.fhan14-3.fna.fbcdn.net/v/t39.30808-6/495535919_3291795964306079_2145335364270677335_n.jpg?_nc_cat=110&ccb=1-7&_nc_sid=aa7b47&_nc_ohc=4cYoSjU8NQQQ7kNvwH7J_Wk&_nc_oc=AdlCbgoZupxF_WOMPJCOBR6jsuZ-2XPRo_WbLDjDbIkCf68bu7wMTwAM92YrfynZt-M&_nc_zt=23&_nc_ht=scontent.fhan14-3.fna&_nc_gid=42ZsM2bIg1dBg-Spzu7tUg&oh=00_AfJ5K6LeXIBTXSpX6aTZtuZEh22D4SotrHAB7MsFLn_mHw&oe=68289581 align="left")

*Figure 3. Two malicious payloads extracted on the victim's machine*

# Technical Analysis

The attack relies on a sequence of actions written in JavaScript, starting with an entry point function. From there, the malware sequentially performs actions such as reading data (containing information about the files to be processed), then **extracting the ZIP files embedded within the project file system**.

A common technique used is **source code obfuscation**, making it difficult for the victim to immediately detect dangerous behavior. The extraction process is **hidden behind confusing functions and variables**, and the password for extraction is either encrypted or hardcoded in the source code – only revealed during execution.

Once extracted, `app.exe` performs actions such as:

* Searching and extracting browser data: Chrome, Edge, Brave, Opera.
    
* Sending data to a remote server in Russia.
    
* Running entirely **in a NodeJS environment, without requiring administrative rights**, thus **avoiding UAC prompts and many alerting mechanisms**.
    

This is a variant of **infostealer**, combining the "multi-stage payload delivery" technique – downloading and extracting malware layer by layer to avoid detection.
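The loader shape described above (a `.txt` resource read from disk and handed to `eval()`, surrounded by obfuscated helpers) is easy to triage statically before anything is run. The following is an added example, not code from the original post or from the analysed sample: a small pattern-based scanner that flags that shape, with a constructed sample mirroring the Figure 2 loader and a constructed benign file for comparison. Pattern ids and the `triage()` verdicts are this example's own naming.

```javascript
// Static triage heuristics for a JavaScript file dropped by a "fix my code" job offer.
const SUSPICIOUS_PATTERNS = [
  { id: 'eval-call',       re: /\beval\s*\(/ },
  { id: 'function-ctor',   re: /\bnew\s+Function\s*\(/ },
  { id: 'fs-read',         re: /\breadFile(?:Sync)?\s*\(/ },
  { id: 'txt-resource',    re: /['"`][^'"`\n]*\.txt['"`]/ },
  { id: 'child-process',   re: /require\s*\(\s*['"]child_process['"]\s*\)/ },
  { id: 'archiver-binary', re: /\b7za?\.exe\b/i },
];

// Scan one file's source text: returns matched pattern ids plus a flag for the
// specific loader shape from Figure 2, a readFile() whose data ends up in eval().
function scanSource(source) {
  const findings = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(source)).map((p) => p.id);
  const evalFedByFile = /\breadFile(?:Sync)?\s*\([\s\S]{0,500}?\beval\s*\(/.test(source);
  return { findings, evalFedByFile };
}

// Verdict: file contents flowing into eval(), or eval() combined with a shell or
// archiver capability, is 'suspicious'; a bare eval() is 'review'; otherwise 'clean'.
function triage(source) {
  const { findings, evalFedByFile } = scanSource(source);
  const hasEval = findings.includes('eval-call') || findings.includes('function-ctor');
  const hasExec = findings.includes('child-process') || findings.includes('archiver-binary');
  if (evalFedByFile || (hasEval && hasExec)) return 'suspicious';
  if (hasEval) return 'review';
  return 'clean';
}

// Constructed sample reproducing the loader shape in Figure 2 (not the real file).
const SAMPLE_LOADER = `
const fs = require("fs");
const os = require("os");
function site_version() {
  switch (os.platform()) {
    case "win32":
      fs.readFile("public/css/types.txt", "utf8", (err, data) => {
        if (err) { console.log("="); return; }
        eval(data); // file contents become code
      });
      return "w";
    case "darwin": return "m";
    default: return "Unknown";
  }
}
site_version();
`;
// Constructed benign file: reads a file too, but never executes its contents.
const SAMPLE_BENIGN = `const fs = require("fs");\nfs.readFile("config.json", "utf8", (e, d) => { if (!e) console.log(JSON.parse(d)); });`;

console.log('loader:', triage(SAMPLE_LOADER), scanSource(SAMPLE_LOADER));
console.log('benign:', triage(SAMPLE_BENIGN), scanSource(SAMPLE_BENIGN));
```

Run it over every `.js` file in the extracted project before opening anything in a runtime; a `suspicious` verdict on a file that is supposedly "just CSS helpers" is the signal described in this post.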

# Recommendations

**FPT Threat Intelligence** recommends organizations and individuals take several measures to prevent this **particularly dangerous** attack campaign:

* **For developers and freelancers:**
    
    * Do not download and run ZIP files from strangers, especially if they contain `.exe`, `.dll`, `.ps1`, `.bat`, or scripts.
        
    * Never run a password-protected ZIP file unless you know its origin and purpose. Analyze statically using Notepad++, VSCode, or tools like CyberChef.
        
    * Use sandboxes like Any.Run or virtual machines to check behavior when in doubt.
        
    * Use VirusTotal, MalwareBazaar to scan files or compare malware.
        
    * Pair this with anti-malware software such as Windows Defender, Malwarebytes, or solutions aimed at developers like CrowdStrike Falcon Free.
        
* **For organizations or community groups:**
    
    * Actively promote awareness of "strange job" phishing campaigns in technical groups.
        
    * Update endpoint security policies and alert users about technically-oriented social engineering.
        
    * Monitor endpoints for anomalies through logs, and alert on behavior such as extracting `.zip` files followed by running unknown `.exe` files.
        

# References

* [Scam job warning - Luring developers into downloading and extracting malware](https://www.facebook.com/groups/j2team.community/posts/2681141582217945/)
