Career outgrowth: scammers massively attack Russians looking for work
In May and June 2025, fraudsters used six new schemes aimed at job seekers. This was reported by cybersecurity companies. Scammers send test tasks, the files of which contain viruses that steal victim's data from the computer, or invitations to fake online interviews — to participate, you need to click on the link. As a rule, they are distributed through Telegram channels dedicated to job search. About what other schemes are used by scammers and how to verify the authenticity of the vacancy, see the Izvestia article.
How Russians are being attacked
In the second quarter of 2025, the volume and variability of attacks on users who are looking for work increased significantly, cybersecurity companies told Izvestia. In May-June alone, at least six new fraudulent schemes appeared in this area, according to the Russian DLBI vulnerability and data leakage intelligence service.
In particular, in May, a scheme with test tasks began to be actively used, the files of which contained "styler malware" that stole authorization data and passwords from the victim's computer. The stolen information was used to hack mailboxes and Telegram accounts, and was also sold on the black market.
"Fake online job interviews appeared in June," the service said. — The victim was directed to a fake Google Meet page, where she entered authorization data and lost access to all resources where she was authorized, primarily Gmail. In parallel, three more new malware loading schemes have appeared.
One of them, aimed at IT specialists, required compiling a test task from the source. In another case, it was suggested to download a program to your device that supposedly checks your computer. In all cases, a virus was downloaded, stealing all possible data.
— A variation of the latest scheme was the verification of an Apple computer, the presence of which was one of the requirements of the vacancy, — the service specialists explained. — This required logging into the iCloud account provided by the fraudster. After that, it was remotely blocked, and for unblocking it was required to pay from $ 100-500.
In all fraudulent schemes, links to fake jobs were distributed through Telegram channels dedicated to job search. A little less often, such job offers were posted on popular recruiting websites. Their distinguishing feature was the immediate transfer of communications with the responding applicant to Telegram.
Similar attacks are carried out by the Lazer Werewolf hacker cluster, also known as Lazarus and Hidden Cobra, said the head of BI.ZONE Threat Intelligence Oleg Skulkin. The group specializes primarily in cyber espionage, without excluding the use of encryption software. The attackers target government agencies, as well as the military, financial, aerospace, medical, and IT industries.
"To gain initial access to target organizations, the group distributes phishing emails with malicious attachments or links," he said. — In his campaigns, Lazer Werewolf contacts victims via LinkedIn, Telegram and WhatsApp under the guise of a job offer. To gain the trust of users, the attackers offer to complete test tasks or prepare for a video interview.
To do this, the attackers ask you to download malware that is supposedly necessary for video conferencing. Then the infection process is started, thanks to which hackers gain access to the data. Since the beginning of 2025, scammers have posted 2,000 job ads on Telegram and shadow forums, the company said.
What schemes are used by scammers?
A fraudulent campaign was recently discovered when Russians were attacked via WhatsApp under the guise of employers, Oleg Skulkin said. The attackers offered users to earn money on marketplaces. To do this, it was necessary to view product cards, leave reviews on them and rate them. However, in order to start "working", it was necessary to replenish the balance. Under this pretext, the scammers convinced the victim to provide them with his bank details and phone number.
In the spring of 2025, another deception scheme was recorded, said Dmitry Galov, head of Kaspersky GReAT in Russia: a malicious program, the Mamont Trojan, was distributed under the guise of an Android application for remote work.
"The attackers created several websites that mimic the career pages of popular delivery services offering remote work, which, according to legend, had to be done in a separate application," he told Izvestia.
If a person agreed to the terms of work and filled out a questionnaire on a fake website, a "manager" had to contact them in the messenger and send them an application for work. However, under the guise of a legitimate program, Mamont was sent to the user.
At the end of 2024, the attackers tried to attack one of the Russian companies under the guise of employers, Oleg Skulkin added. Assuming that valuable information might be on the computer of one of the employees, the Squid Werewolf group sent the victim a phishing email with an offer to consider a vacancy in a real industrial organization. According to the attackers, the user had to open the attachment and launch the malware.
—Attackers are willing to use the topic of job search, because it is always relevant," the expert emphasized. — Attackers use this cover both in phishing campaigns aimed at users and in complex targeted attacks.
Applicants represent a rather vulnerable group because they are interested in completing a test assignment.
"They undoubtedly follow phishing links and launch malicious files,— said Solar AURA, Director of Development at the Solar Group Monitoring Center for External Digital Threats:1 Alexander Vurasko. — Basically, the attackers' goal is to access the accounts of the victims — stealing logins and passwords. These can be either personal accounts or corporate accounts. In the latter case, the attack is much more dangerous.
It is not uncommon for attackers to monitor the resume of an organization they plan to attack, and then send employees a job offer and a test assignment.
How to avoid cheating
Cuts in the creative sectors of the economy increase the supply of labor on the labor market, especially in the remote work segment, said DLBI founder Ashot Oganesyan. At the same time, applicants do not have a sufficient level of literacy in the field of information security, and they are often in a stressful state.
— An additional problem is created by the fact that many such applicants already work in several places and infection of their work computer with a styler leads to a leak of credentials in information resources of several companies at once, — he added.
Fraudsters influence the psychological state of the victim, catching him inattentive or finding themselves with him at the right moment "one-on-one," said Maxim Bolshakov, head of cybersecurity at Edgecenter.
— As a rule, this is a private dialogue, which is rarely discussed in the family immediately, usually after the incident, — he said. — But it is communication and an outside view of the problem that can withstand both old and new types of fraud.
In order not to fall for scammers when looking for a job and learn how to calculate fraud, it is important to know the main signs of fraudulent schemes and follow simple precautions. A vague job description, a small amount of specifics, the lack of a clear list of responsibilities or requirements, too high a salary without the requirements of experience or certain qualifications, the promise of a "dream job" with minimal effort should alert.
"In addition, there is a lack of official contacts: there is no corporate email, only a phone or messenger is listed, the site is one—page, with fake reviews and a complete lack of data on online activities," the expert added. — Quick approval: you are "hired" without a full-fledged interview or document verification. And if a company is looking for employees only through such channels, they are almost certainly scammers.
It is also important to make sure that the source of information about the vacancy is reliable, Ekaterina Nesterova, a private business recruiter, emphasized.
— If you found out about it through the Telegram channel, do not forget to check whether the vacancy is actually posted on the company's website or at least on recruiting sites - for example, on hh.ru where the employer's profile is filled out in detail and you clearly understand what the company does," she said. — The second step is to ask the recruiter or company representative to tell you about the vacancy: team composition, features of corporate communication. The more detailed the recruiter reveals the details of the position, the more likely it is that you are not a scammer.
Also, according to the expert, it is worth remembering that the main task of a recruiter when communicating with a candidate is to identify compliance with the basic requirements of the vacancy. Therefore, he will ask about your experience, motivation, and expectations from your new job.
— And only then does it make sense to solve the test task. All stages of communication with a recruiter should be consistent," she said. — I myself have come across suspicious requests to post vacancies on my behalf, but I immediately stopped such interactions.
According to Ashot Oganesyan, the number and variability of attacks on job seekers will grow and, possibly, by the end of the year will reach such a level that it will practically paralyze the search for remote work in Russia.
Переведено сервисом «Яндекс Переводчик»
