Phishing campaign targets developers with fake CrowdStrike job offers
Victims are drawn in with the promise of an interview for a junior developer role at CrowdStrike


Developers are being targeted in a new phishing campaign using fake CrowdStrike job offers, the security company has warned.
The firm noted that the campaign, first identified on 7 January, uses CrowdStrike’s recruitment branding to load crypto-mining malware onto the victim’s systems.
The campaign begins with phishing emails purporting to be part of a recruitment process informing victims that they have reached the interview stage for a junior developer role at CrowdStrike.
Victims are redirected to a malicious website disguised as a legitimate CrowdStrike domain, where they are prompted to install what it describes as an employee CRM application to schedule the interview.
However, the ‘CRM app’ is actually a malicious Windows executable written in Rust that loads the XMRig crypto miner onto their system.
XMRig is an open source tool used for mining cryptocurrencies such as Monero, but the tool is frequently leveraged by cybercriminals to use the computing resources of compromised machines to mine cryptocurrency on their behalf.
The miner is configured to run in the background on the target’s machine, using “minimal CPU resources to avoid detection,” CrowdStrike noted.
The firm said the campaign highlights the importance of staying vigilant against phishing attacks that target jobseekers, advising developers currently in the recruitment process to verify all communications with CrowdStrike and avoid downloading “unsolicited files”.
It added that CrowdStrike does not interview potential applicants via instant message or group chat, and never asks candidates to download software for interviews.
Recruitment space is a happy hunting ground for social engineers
Phishing campaigns targeting jobseekers have become a recurring issue in the modern threat landscape, with the promise of a potential job offer often leading victims to let their guard down.
In November 2024, an investigation by Clear Sky Security highlighted one social engineering campaign using fraudulent LinkedIn identities to trick job seekers looking for a role in the highly competitive aerospace industry.
Earlier that year, in February, a group tracked as Moonstone Sleet by Microsoft was observed targeting software developers with a fake opportunity to work on a video game called DeTankWar, which was actually a custom malware loader.
Commenting on the recently uncovered fake CrowdStrike campaign, Chance Caldwell, senior director of the Phishing Defense Center at Cofense, noted that the campaign focused on prospects who had already applied for a role at CrowdStrike.
“While interview and job-related phishing emails are not uncommon, this is a very targeted campaign that goes beyond the vast majority of malicious campaigns we see with this theme,” he explained.
“The campaign uses URLs that were created to look like they might actually belong to CrowdStrike and the downloaded malware provides a pop-up that directs users to the real CrowdStrike support portal.”
Caldwell added that the majority of phishing campaigns Cofense observes exhibit far less sophisticated mimicry, and offered potential targets advice on how to spot a malicious social engineering campaign before it’s too late.
“Most of the use cases we see are lucky to have proper branding, much less the extended work done here to really portray themselves as CrowdStrike,” he said.
“It is very unlikely that a recruiter will direct someone to download an executable as part of the interview process. Any suspicious requests, such as this one, should be sufficiently verified before downloading anything and contact information should be verified through the legitimate company website.”

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.