FizzBuzz to FogDoor: Targeted Malware Campaign Exploits Job-Seeking Developers
A malicious GitHub repository poses as a coding challenge to lure Polish-speaking developers into downloading an ISO file and running a PowerShell script that installs the "FogDoor" backdoor, which steals browser cookies, Wi-Fi passwords and other sensitive data. The backdoor fetches its instructions from a social media profile and uses a temporary webhook service to hide traces of the attack. The attackers have recently expanded to invoice-themed phishing as well. 2025-3-24 11:15:45 Author: cyble.com

Key Takeaways

  • A GitHub repository masqueraded as a coding challenge to deceive developers, particularly targeting Polish-speaking job seekers.
  • Opening the provided ISO file triggers a PowerShell script that installs a backdoor named “FogDoor” and steals sensitive data.
  • The backdoor retrieves commands from a social media profile and exfiltrates stolen data using temporary webhook services, making detection more difficult.
  • The malware extracts browser cookies, saved credentials, installed applications, and file details for exfiltration.
  • The malware achieves persistence through scheduled tasks and deletes traces after data exfiltration to avoid detection.
  • The campaign is evolving, now using invoice-themed lures alongside recruitment scams to broaden its target scope.

Overview

A threat actor (TA) is deploying a targeted social engineering campaign against Polish-speaking developers by disguising malware as a technical coding challenge on GitHub. Using a fake recruitment test named “FizzBuzz”, the TA tricks victims into downloading an ISO file containing a seemingly harmless JavaScript exercise and a malicious LNK shortcut.

Upon execution, the LNK file runs a PowerShell script, which installs a stealthy backdoor named “FogDoor.” This backdoor is designed for persistence, data theft, and remote command execution while avoiding detection. Instead of using traditional C&C servers, FogDoor communicates with a social media platform via a Dead Drop Resolver (DDR) technique, retrieving attack commands from a social media profile.

The malware employs geofencing to restrict execution to Polish victims, ensuring targeted impact. Once active, it systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces. Persistence is maintained via a scheduled task, which reactivates the malware every two minutes. The malware also uses remote debugging to extract Chrome cookies, while Firefox credentials are harvested from profile directories. It then compresses stolen data, uploads it to a file-sharing service, and notifies the TA via a temporary webhook service for retrieval.

Further investigation revealed an expansion of the campaign beyond recruitment-based attacks. A newly discovered GitHub repository now distributes malicious invoice-themed LNK shortcuts (e.g., “faktura_2025.pdf.lnk”) using the same FogDoor backdoor and attack infrastructure.

Figure 1 – Infection Chain

Technical Analysis

On March 10, 2025, Cyble Research and Intelligence Labs (CRIL) identified a GitHub repository delivering an information stealer under the guise of a recruitment challenge. The repository, named “FizzBuzz,” was created under the username “Rekrutacja-JS” and hosted an ISO file titled “Zadanie rekrutacyjne.iso.”

The repository name references a well-known coding challenge commonly used in technical interviews, making it appear as a legitimate hiring assessment for developers. The username, written in Polish, translates to “Recruitment-JS,” indicating a focus on developers. Meanwhile, the ISO file name, “Zadanie rekrutacyjne,” translates to “recruitment task” or “hiring task,” reinforcing the illusion that it contains a genuine coding test.

This repository is part of a targeted campaign against Polish-speaking developers in Poland and the Polish diaspora in nearby nations. The use of Polish-language elements suggests the attack is tailored for job seekers in this geographic area. Although the exact distribution method remains unclear, the TA is likely using job platforms like LinkedIn or regional developer forums to lure victims into downloading and executing the malicious ISO file.

Figure 2 – GitHub repo

When the user opens the ISO file, two files are displayed: “FizzBuzz.js” and “README.lnk.” The “FizzBuzz.js” file contains a JavaScript script that mimics a typical FizzBuzz coding challenge commonly used in programming interviews. However, the script is intentionally flawed, likely to make it appear as a legitimate but buggy test. This could lead the target—typically a developer—to focus on debugging the JavaScript file, reinforcing the illusion of an authentic recruitment task. The figure below shows the contents of the JavaScript file.

Figure 3 – FizzBuzz.js

Upon execution, the shortcut file “README.lnk” runs a PowerShell script hosted on catbox.moe, a free file hosting platform, using mshta.exe. The figure below shows the contents of the LNK file.

Figure 4 – Shortcut file

PowerShell Script

The PowerShell script (SHA-256: 33bc5fa9798219ba6d4e31f91ec23982596c409e0fd73e2c0c33c70538b7ec83) is designed to install a backdoor, extract Chrome cookies, steal Firefox browser data, retrieve Wi-Fi passwords, and collect a list of installed applications on the victim’s machine. Additionally, it opens a “README.txt” file as a decoy to mislead users into believing they are interacting with a harmless file.

Lure file

The PowerShell script first checks whether “README.txt” exists in the user’s profile directory. If the file is present, it opens it with notepad.exe and exits without executing any malicious actions. If the file is missing, the script downloads it from “hxxps://files.catbox.moe/umh6no[.]txt”, saves it as “README.txt”, and opens it. This decoy document contains instructions for a code bug fix task, making the interaction appear harmless, while the presence check ensures the malicious part of the PowerShell script runs only once on the victim’s machine.

Figure 5 – Lure file

Persistence

Next, the PowerShell script downloads an executable file from “hxxps://raw.githubusercontent.com/coder9540/weather_widget/refs/heads/main/SkyWatchWeather[.]exe” and saves it as “SkyWatchWeather.exe” in the “C:\Users\Public\Downloads” folder. It then creates a scheduled task named “Weather Widget”, which executes the downloaded file using mshta.exe and VBScript. The task is set to run indefinitely every two minutes.

Figure 6 – Scheduled Task
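The scheduled task described above is the persistence artifact a responder can hunt for. The following is an added example (not part of the Cyble report) that parses a Task Scheduler XML export, such as the output of "schtasks /query /tn <name> /xml", and flags short repetition intervals, script-host actions, and payloads stored under C:\Users\Public. The sample task XML is constructed to mirror the reported “Weather Widget” task and is not the real export.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML, e.g. the output of "schtasks /query /tn <name> /xml".
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Script hosts and proxy-execution binaries the campaign chains its payload through.
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell", "pwsh", "cmd")


def iso_duration_seconds(value):
    """Convert a Task Scheduler duration such as 'PT2M' or 'P1DT2H' to seconds; None if malformed."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", value or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def suspicious_task_findings(task_xml, max_interval_seconds=300):
    """Return the reasons a task export looks like FogDoor-style persistence (empty list = clean)."""
    root = ET.fromstring(task_xml)
    findings = []
    for interval in root.findall(".//t:Repetition/t:Interval", TASK_NS):
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= max_interval_seconds:
            findings.append(f"repeats every {secs}s")
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").lower()
        args = (exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").lower()
        binary = command.rsplit("\\", 1)[-1].removesuffix(".exe")
        if binary in SCRIPT_HOSTS:
            findings.append(f"action runs script host {binary}")
        if "\\users\\public\\" in command + " " + args:
            findings.append("payload stored under C:\\Users\\Public")
    return findings


# Constructed sample modelled on the reported "Weather Widget" task; not the real export.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT2M</Interval></Repetition>
      <StartBoundary>2025-03-10T12:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>mshta.exe</Command>
      <Arguments>vbscript:CreateObject("WScript.Shell").Run("C:\\Users\\Public\\Downloads\\SkyWatchWeather.exe",0)(window.close)</Arguments>
    </Exec>
  </Actions>
</Task>"""
```

Run it against every task on a host (each exported with "schtasks /query /tn <name> /xml") and triage the ones returning more than one finding first.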

FogDoor

“SkyWatchWeather.exe” acts as a backdoor that does not rely on a traditional C&C server with a fixed IP or domain. Instead, it uses a social media platform (bark.lgbt) and a temporary webhook service (webhookbin.net) as its C&C infrastructure. The executable first identifies the victim’s location using the “wttr.in” service, which returns weather data along with country information. It then extracts the country name and compares it to the hardcoded value “Poland.” Only if the detected country is “Poland” does the malware proceed with its malicious activities. We have named this backdoor “FogDoor” for tracking purposes.

Figure 7 – Country check

Following this verification, the malware attempts to establish a connection with “bark.lgbt/api” to retrieve further commands for execution. These commands are embedded within the profile information of a social media platform and are accessed via the URL: “hxxps://bark.lgbt/api/v1/accounts/lookup?acct=PawsitiveVibes” as shown below.

Figure 8 – Social Media profile information retrieved through API

Once the JSON response is received, the malware extracts the value of the “note” key from the response data, which is expected to contain commands for execution. The “note” field functions as a Dead Drop Resolver (DDR)—a technique used to discreetly deliver commands to malware without relying on a traditional command-and-control (C&C) server. Instead of establishing direct communication with an attacker-controlled domain, the malware retrieves instructions embedded within a social media profile, making detection and takedown efforts more challenging. The figure below shows the TA’s profile on the social media platform, which is used to store and deliver commands to the malware.

Figure 9 – TA’s social media profile

Once the malware retrieves the command, it executes it using functions such as “os_exec_Command” and “os_exec___Cmd__Output”. The resulting output is then transmitted to the TA via a temporary webhook service at “hxxps://webhookbin.net/v1/bin/5673484c-cc92-4490-ada2-aae774c89bc2”, giving the TA control of the compromised system.

Figure 10 – Sending output data to the TA

Stealing WiFi information

After creating the scheduled task, the PowerShell script sleeps for six minutes before executing a series of commands. It first runs “netsh wlan show profiles” to list all saved Wi-Fi profiles. Then, for each profile, it executes “netsh wlan show profile name="$name" key=clear” to extract the SSID and password. The retrieved data is formatted and written directly to “wifi.txt” inside the “%userprofile%\data” folder, which serves as a staging area before exfiltration.

Figure 11 – Wi-Fi password extraction

Stealing Chrome browser data:

To steal sensitive Chrome data, the PowerShell script first checks whether “chrome.exe” is running. If a process is found, it forcibly terminates it using “Stop-Process -Name chrome -Force”. It then relaunches Chrome in debugging mode and restores the last session with the following command:

C:\Program Files\Google\Chrome\Application\chrome.exe --remote-debugging-port=9222 --restore-last-session --user-data-dir="C:\Users\<username>\AppData\Local\Google\Chrome\User Data"

If Chrome was not previously running, the script launches “chrome.exe” with the --headless argument, allowing it to run in the background without a visible interface. Once Chrome is running with remote debugging enabled, the script retrieves the debugging WebSocket URL and passes it to the SendReceiveWebSocketMessage function.

Figure 12 – Demonstration of extracting webSocketDebuggerUrl

It then issues a request using the “Network.getAllCookies” method to extract network cookie data. The retrieved cookies are saved as “chrome.json” inside the “%userprofile%\data” folder, where they are staged for exfiltration.

Figure 13 – Chrome cookie
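The telltale of this cookie-theft technique is a Chrome launch with --remote-debugging-port pointed at the user's real profile directory rather than a throw-away one, spawned by a script host. The following is an added example (not code from the report) that scores process-creation events on exactly those switches; the event dict layout (image, command_line, parent_image) and the sample events are constructed, with event 1 mirroring the launch described above.

```python
import re

# The real Chrome profile root; automation frameworks normally point --user-data-dir at a temp dir.
REAL_PROFILE_RE = re.compile(r"\\appdata\\local\\google\\chrome\\user data", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Matches --switch, --switch=value and --switch="value with spaces".
SWITCH_RE = re.compile(r'--([\w-]+)(?:=("[^"]*"|\S+))?')


def chrome_switches(command_line):
    """Return the Chromium --switches on a command line as a {name: value} map."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"') for m in SWITCH_RE.finditer(command_line)}


def assess_chrome_launch(event):
    """Score one process-creation event (dict with image, command_line, parent_image)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image != "chrome.exe":
        return 0, []
    switches = chrome_switches(event["command_line"])
    severity, reasons = 0, []
    if "remote-debugging-port" in switches:
        severity += 1
        reasons.append(f"DevTools protocol exposed on port {switches['remote-debugging-port'] or '?'}")
        if REAL_PROFILE_RE.search(switches.get("user-data-dir", "")):
            severity += 2  # the live cookie jar is now reachable through Network.getAllCookies
            reasons.append("debug session opened on the real user profile")
        if "headless" in switches:
            severity += 1
            reasons.append("headless launch, nothing visible to the user")
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    if reasons and parent in SCRIPT_HOSTS:
        severity += 1
        reasons.append(f"spawned by script host {parent}")
    return severity, reasons


def flag_events(events, threshold=3):
    """Return the ids of events whose severity reaches the threshold."""
    return [e["id"] for e in events if assess_chrome_launch(e)[0] >= threshold]


# Constructed sample events (not real telemetry); event 1 mirrors the launch described in the report.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": CHROME, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f'"{CHROME}" --remote-debugging-port=9222 --restore-last-session '
                     r'--user-data-dir="C:\Users\jan\AppData\Local\Google\Chrome\User Data"'},
    {"id": 2, "image": CHROME, "parent_image": r"C:\Python312\python.exe",
     "command_line": f'"{CHROME}" --headless=new --remote-debugging-port=0 '
                     r"--user-data-dir=C:\Users\ci\AppData\Local\Temp\scoped_dir4242"},
    {"id": 3, "image": CHROME, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{CHROME}" --profile-directory=Default'},
]
```

Event 2 shows why the profile directory matters: a CI browser-automation run also enables remote debugging but on a temporary profile, so it scores below the threshold.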

Stealing Firefox browser data:

To steal sensitive Firefox browser data, the script recursively searches for cookies.sqlite, key4.db, logins.json, and places.sqlite files inside the “%appdata%\Roaming\Mozilla\Firefox\Profiles” folder. It then copies these files to the “data” folder for staging before exfiltration.

Figure 14 – Firefox browser data

The script also collects information on installed applications and filenames from the victim’s Desktop, Documents, Downloads, Pictures, and Videos folders. These files are copied to the “%userprofile%\data” folder for staging, allowing the TA to analyze system contents and determine further exploitation opportunities.


Figure 15 – Staged data for exfiltration

Once all required information is collected, the PowerShell script compresses the “%userprofile%\data” folder into “data.zip” and uploads it to the file-sharing service “filebin.net” using a custom URL.

The bin name in “hxxps://filebin.net/$binName/data.zip” is a unique GUID, retrieved from the “MachineGuid” registry value located at “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography”.

After uploading the data, the script sends a notification to the TA via webhookbin.net, using the URL “hxxps://webhookbin.net/v1/bin/1cab2aa2-4984-4f1d-abb7-749611053a91”. This notification includes the Machine GUID, allowing the TA to identify the corresponding file upload URL and retrieve the victim’s exfiltrated data.

Figure 16 – Exfiltration
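The exfiltration and C2 channels described above (a filebin.net bin named by a GUID, webhookbin.net notifications, the bark.lgbt profile lookup, and the catbox.moe script download) are all visible in web proxy logs. The following is an added example (not part of the report) that classifies URLs by those channel patterns and sweeps a proxy log; the "timestamp client process method url" record format and the log lines are constructed, and the bin GUIDs in them are made up.

```python
import re
from urllib.parse import urlsplit

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# host -> (path pattern, reason), following the channels described in the report.
CHANNELS = {
    "filebin.net": (re.compile(rf"^/{GUID}/[^/]+$", re.I), "upload to a filebin bin named by a GUID (MachineGuid pattern)"),
    "webhookbin.net": (re.compile(rf"^/v1/bin/{GUID}$", re.I), "notification or command output sent to a temporary webhook bin"),
    "bark.lgbt": (re.compile(r"^/api/v1/accounts/lookup$", re.I), "profile lookup used as a dead drop resolver"),
}


def classify_url(url):
    """Return why a URL matches one of the campaign's channels, or None if it does not."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    if host.endswith("catbox.moe") and path.lower().endswith((".ps1", ".txt")):
        return "script or decoy document fetched from catbox.moe"
    rule = CHANNELS.get(host)
    if rule and rule[0].match(path):
        return rule[1]
    return None


def scan_proxy_log(lines):
    """Scan 'timestamp client process method url' records and return (client, process, reason) hits."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=4)
        if len(fields) != 5:
            continue  # malformed record: skip it rather than abort the sweep
        _ts, client, process, _method, url = fields
        reason = classify_url(url)
        if reason:
            hits.append((client, process, reason))
    return hits


# Constructed proxy log (not real telemetry); the bin GUIDs are made up, hosts and paths follow the report.
SAMPLE_LOG = """\
2025-03-10T12:00:05Z 10.0.0.25 mshta.exe GET https://litter.catbox.moe/eduway.ps1
2025-03-10T12:00:09Z 10.0.0.25 powershell.exe GET https://files.catbox.moe/umh6no.txt
2025-03-10T12:01:30Z 10.0.0.25 SkyWatchWeather.exe GET https://bark.lgbt/api/v1/accounts/lookup?acct=PawsitiveVibes
2025-03-10T12:06:40Z 10.0.0.25 powershell.exe POST https://filebin.net/3f2c9a1e-7b4d-4c2a-9e1f-0a1b2c3d4e5f/data.zip
2025-03-10T12:06:41Z 10.0.0.25 powershell.exe POST https://webhookbin.net/v1/bin/11111111-2222-4333-8444-555555555555
2025-03-10T12:07:02Z 10.0.0.30 chrome.exe GET https://example.org/index.html
"""
```

Five of the six constructed records are flagged, all from the same client, which is the sequence (script download, decoy, dead-drop lookup, upload, notification) a responder would expect to see within minutes of the LNK being opened.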

Finally, the uploaded archive and the staging folder are deleted to remove traces, using the following commands:

  • Remove-Item $folderName -Recurse
  • Remove-Item $zipPath

We also discovered another GitHub repository, “hxxps://github.com/coder9440/”, indicating that the TA is expanding its ongoing campaign. Initially targeting job-seeking developers, the campaign now includes an invoice-based attack while maintaining the same tactics, techniques, and procedures (TTPs). The repository hosts malicious LNK shortcuts (faktura_2025.pdf.lnk, faktura_586507.pdf.lnk) and a backdoor executable named “SkyWatchWeather.exe,” demonstrating the TA’s efforts to broaden its attack vectors.

Figure 17 – TA’s GitHub Repo

Conclusion

This campaign demonstrates the threat actor’s adaptability in leveraging social engineering tactics to deliver malware under the guise of recruitment challenges. By embedding malicious payloads within seemingly legitimate coding tasks, the attackers effectively deceive job-seeking developers. The use of social media platforms for command retrieval and staged exfiltration adds another layer of stealth, making detection more challenging.

The recent shift from developer-focused lures to invoice-based attacks indicates an expansion in the TA’s target scope while maintaining their established techniques. This evolution underscores their persistent efforts to refine and diversify attack strategies, emphasizing the dynamic nature of modern cyber threats.

Cyble’s innovative threat intelligence platforms, Cyble Vision and Cyble Hawk, leverage AI-driven analytics and proactive security strategies to help organizations identify, investigate, and counter these and other evolving cyber threats. By delivering real-time insights, these solutions enhance defenses against targeted attacks like the FizzBuzz recruitment scam, strengthening overall cybersecurity resilience.

Yara and Sigma rules [1],[2] to detect this operation can be downloaded from the linked GitHub repository.   

Recommendations

  • Always cross-check job offers and coding challenges from unverified sources, especially those shared via social media, job forums, or direct messages.
  • Refrain from downloading and running files from unknown repositories, particularly ISO images and script files. Legitimate hiring assessments do not require executing system-level scripts. 
  • Implement policies to restrict the execution of PowerShell, JavaScript, and other scripting languages unless explicitly required. Use application whitelisting to prevent unauthorized execution.
  • Keep an eye on outbound connections to uncommon domains or file-sharing services (e.g., catbox.moe, webhookbin.net) that could indicate data exfiltration attempts.
  • Deploy advanced endpoint detection and response (EDR) solutions to identify suspicious behavior, such as unauthorized script execution, scheduled task creation, or browser data access.
  • Protect browser-stored credentials by enabling multi-factor authentication (MFA) and using password managers instead of storing sensitive information in browsers.
  • Educate employees and developers about the risks of social engineering attacks disguised as job opportunities or business-related communications.
  • Keep software, browsers, and security tools up to date to minimize the risk of exploitation through known vulnerabilities.

MITRE ATT&CK® Techniques

Tactic | Technique | Procedure
Initial Access (TA0001) | Spearphishing Attachment (T1566.001) | The attacker delivers a malicious ISO file disguised as a recruitment task through GitHub.
Execution (TA0002) | User Execution (T1204) | The user opens README.lnk, launching a malicious PowerShell script.
Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | The LNK file downloads and executes the malicious PowerShell file.
Execution (TA0002) | System Binary Proxy Execution: Mshta (T1218.005) | mshta.exe executes malicious PowerShell commands.
Persistence (TA0003) | Scheduled Task/Job (T1053.005) | A scheduled task, “Weather Widget”, ensures persistence.
Credential Access (TA0006) | OS Credential Dumping (T1003) | The script attempts to extract Wi-Fi credentials.
Credential Access (TA0006) | Steal Web Session Cookie (T1539) | The PowerShell script steals Chrome cookies via remote debugging and Firefox browser-related user files.
Discovery (TA0007) | System Information Discovery (T1082) | The PowerShell script collects system information and the list of installed applications.
Collection (TA0009) | Data from Local System (T1005) | The PowerShell script collects Wi-Fi passwords, browser cookies, and file system data.
Collection (TA0009) | Archive Collected Data (T1560) | Stolen data is compressed into data.zip before exfiltration.
Exfiltration (TA0010) | Exfiltration Over Web Service (T1567.002) | Stolen data is uploaded to filebin.net for exfiltration.
Command and Control (TA0011) | Web Service: Dead Drop Resolver (T1102.001) | FogDoor retrieves the commands to execute from a social media profile.
Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | The script communicates with WebhookBin for data exfiltration tracking.

Indicators Of Compromise (IOCs)

Indicator | Type of Indicator | Description
82b649ae0a4cfe37c2a32ec2010bf7ef0e3236b540f85c8fbf15657d48d30d84 | SHA-256 | faktura_586507.pdf.lnk
8e565ba45c7624e8bc5dd92c1d0d3710f6a2b21d6c94742bb51fec07b4843ebd | SHA-256 | Zadanie%20rekrutacyjne.iso
2b4bc80af0a0afac04da73e7da2779d3ab3ed8c460d2fb22d4034e1b2469f879 | SHA-256 | README.lnk
33bc5fa9798219ba6d4e31f91ec23982596c409e0fd73e2c0c33c70538b7ec83 | SHA-256 | eduway.ps1
hxxps://litter.catbox.moe/eduway.ps1 | URL | ps1 download URL
hxxps://raw.githubusercontent.com/coder9540/weather_widget/refs/heads/main/SkyWatchWeather.exe | URL | SkyWatchWeather.exe
hxxps://raw.githubusercontent.com/coder9440/drop2/refs/heads/main/faktura_586507.pdf.lnk | URL | ITW URL for LNK file
hxxps://github.com/Rekrutacja-JS/FizzBuzz | URL | GitHub repository

Source: https://cyble.com/blog/fake-coding-challenges-steal-sensitive-data-via-fogdoor/