The fake CrowdStrike post delivers emails targeting developers who use cryptocurrency miners

CrowdStrike warns that a phishing campaign is impersonating a cybersecurity company in fake emails offering functionality to trick targets into infecting themselves using the Monero (XMRig) cryptocurrency miner.

The company discovered the malicious campaign on January 7, 2025, and based on the content of the phishing email, it likely did not start much earlier.

The attack begins with a phishing email sent to job seekers, supposedly from a CrowdStrike recruitment agent, thanking them for applying for a developer position at the company.

The email directs targets to download a supposed “employee CRM app” from a website designed to look like a legitimate Crowdstrike portal.

This is supposedly part of the company’s efforts to “simplify its onboarding process by rolling out a new applicant CRM app.”

Candidates who click on the embedded link are taken to a website (“cscrm-hiring[.]com”) which contains links to download said application for Windows or macOS.

The downloaded tool performs sandbox checks before fetching additional payloads to ensure it is not running in the analysis environment, such as checking the process number, number of CPU cores, and the presence of debuggers.

Once these checks are finished and the result is negative, i.e. the victim is eligible to be infected, the application generates a fake error message informing that the installation file may be corrupted.

In the background, the downloader retrieves a configuration text file containing the parameters required to run XMRig.

It then downloads a ZIP archive containing the miner from the GitHub repository and unpacks the files in ‘%TEMP%\System\’.

The miner is set to run in the background, consuming minimal processing power (max. 10%) to avoid detection.

A batch script is added in the Start menu’s startup directory for persistence between reboots, while the auto-log key is also written to the registry.

More details about the campaign and associated settlement indicators can be found at Collective strike report.

Job seekers should always make sure they are speaking to an actual recruiter by verifying that the email address belongs to the official company domain and by contacting that person from the official company page.

Beware of urgent or unusual requests, too-good-to-be-true offers, or invitations to download executable files to your computer, supposedly required for employment.

Employers rarely ask candidates to download third-party apps as part of the interview process, and they never ask for down payments.