Image by Brett Jordan, from Unsplash
Fake Job Emails Used to Spread BeaverTail Malware
Reading time: 2 min
Last Updated: Apr 7, 2025
-
![Kiara Fabbri]()
-
![Sarah Frazier]()
Fact-Checked by Sarah Frazier Content Manager
A new cyberattack is targeting job seekers by using fake recruitment emails to spread malware disguised as harmless developer files.
In a rush? Here are the quick facts:
- Hackers impersonated recruiters to spread malware via fake developer projects.
- Attackers used BitBucket links to trick victims into downloading files.
- Tropidoor backdoor can steal data, take screenshots, and run commands.
Cybersecurity experts at ASEC, who first identified this malware, explain that this incident represents an increasing tactic where attackers disguise themselves as either recruiters or members of developer communities.
The incident first emerged on November 29, 2024 when hackers used Dev.to’s identity to pose as the platform’s developers.
The attackers sent emails containing BitBucket code repository links which they asked users to review the project. The project files contained hidden malware which was disguised as ordinary project files.
The fake files included two major threats: a JavaScript-based malware called BeaverTail, disguised as a “tailwind.config.js” file, and a second component called car.dll, which acts as a downloader. When opened, these files work together to steal login details, browser data, and even cryptocurrency wallet information.
“BeaverTail is known to be distributed primarily in phishing attacks disguised as job offers,” researchers at ASEC explained. Previous versions of this attack were spotted on platforms like LinkedIn.
The malware poses a significant threat because it disguises its actual purpose by mimicking standard system operations. The malware employs PowerShell and rundll32 tools which are standard Windows utilities to evade detection by antivirus software.
After penetrating a system the malware retrieves and executes Tropidoor which functions as an advanced backdoor. The tool establishes encrypted connections with remote servers while executing more than 20 different commands that include file deletion and program code injection and screenshot capture.
“Tropidoor… collects basic system information and generates a random 0x20 byte key, which is encrypted with an RSA public key,” researchers said. This secure connection lets hackers control infected machines without being noticed.
Security teams urge everyone to remain very vigilant at this time. Be wary of unexpected recruitment emails especially those with links to code repositories or those asking you to download project files. Always check with the official company before opening any content.
Previous Story
Latest articles 
Leave a Comment
Cancel