
Digital safety starts here for both commercial and personal use.

Defend Your Business Against the Latest WNY Cyber Threats

We offer safe, secure and affordable solutions for your business and personal networks and devices.



WNYCyber is there to help you choose the best service providers in Western New York. We DO NOT provide the services ourselves, as we are Internet programmers who have to deal daily with cyber threats (Ugghhh), so we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA. We built this website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

FizzBuzz to FogDoor: Targeted Malware Campaign Exploits Job-Seeking Developers

Summary:
Cyble has uncovered a new social engineering campaign targeting developers, particularly Polish-speaking job-seekers, by disguising malware as a technical coding challenge on GitHub. The attack observed by Cyble leverages a GitHub repository offering a fake technical task titled "FizzBuzz," which contains a seemingly harmless ISO file and a malicious LNK shortcut file that installs a backdoor called "FogDoor." This backdoor, activated by a PowerShell script, is designed to maintain persistence on the targeted system, enable remote command execution, and exfiltrate sensitive information such as browser cookies, Wi-Fi credentials, and application details. According to Cyble, FogDoor operates stealthily by communicating through social media platforms and temporary webhook services, avoiding detection through conventional command-and-control channels. The malware further achieves persistence via scheduled tasks and deletes all traces after exfiltration to avoid detection.

Security Officer Comments:
While the exact distribution method is still unclear, it is likely that the threat actor behind the latest campaign is using job platforms like LinkedIn or regional developer forums to lure victims into downloading and executing the malicious ISO file hosted on GitHub. Researchers state that the threat actor is expanding its ongoing campaign. Originally focused on deceiving job-seeking developers with maliciously disguised coding challenges, the campaign has now broadened to include invoice-based lures, showing a shift in target demographics. Despite this shift, the attackers have maintained the same tactics, techniques, and procedures, suggesting that the overall structure of the campaign remains unchanged.

Suggested Corrections:
Recommendations from Cyble:
  • Always cross-check job offers and coding challenges from unverified sources, especially those shared via social media, job forums, or direct messages.
  • Refrain from downloading and running files from unknown repositories, particularly ISO images and script files. Legitimate hiring assessments do not require executing system-level scripts.
  • Implement policies to restrict the execution of PowerShell, JavaScript, and other scripting languages unless explicitly required. Use application whitelisting to prevent unauthorized execution.
  • Keep an eye on outbound connections to uncommon domains or file-sharing services (e.g., catbox.moe, webhookbin.net) that could indicate data exfiltration attempts.
  • Deploy advanced endpoint detection and response (EDR) solutions to identify suspicious behavior, such as unauthorized script execution, scheduled task creation, or browser data access.
  • Protect browser-stored credentials by enabling multi-factor authentication (MFA) and using password managers instead of storing sensitive information in browsers.
  • Educate employees and developers about the risks of social engineering attacks disguised as job opportunities or business-related communications.
  • Keep software, browsers, and security tools up to date to minimize the risk of exploitation through known vulnerabilities.
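As an added example, not taken from the Cyble report or from WNYCyber, the script below turns three of the recommendations above (watch outbound connections to the named file-sharing and webhook domains, flag scheduled-task creation that runs a script host, and flag script hosts launched with policy-bypass or hidden-window switches) into detection logic run over a few constructed telemetry lines, then correlates them per process into the script-persist-exfiltrate chain the summary describes. The JSON line format, the field names, the host name, the paths and the PIDs are all assumptions; the two domains are the ones listed in the recommendations.

```python
"""
Added example (not from the Cyble report or the WNYCyber page): a small
detector that applies the report's recommendations to endpoint telemetry.
The JSON-lines format and its field names are assumptions; map the fields of
your EDR or Sysmon export onto them.
"""
import json
from collections import defaultdict

# Domains the page names as possible exfiltration channels.
SUSPICIOUS_DOMAINS = {"catbox.moe", "webhookbin.net"}

# Script hosts whose execution the page recommends restricting.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Switches commonly seen when a script is run non-interactively with policy
# checks turned off. A match is a signal to investigate, not proof of malice.
SUSPICIOUS_SWITCHES = ("-ep bypass", "-executionpolicy bypass",
                       "-w hidden", "-windowstyle hidden", "-enc ")

# Constructed sample telemetry (hypothetical host, paths and PIDs).
SAMPLE_LOG = r"""
{"ts": "2025-03-20T09:01:02Z", "host": "dev-laptop-07", "event": "process_create", "pid": 4120, "ppid": 3988, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c start E:\\task\\README.lnk"}
{"ts": "2025-03-20T09:01:03Z", "host": "dev-laptop-07", "event": "process_create", "pid": 4133, "ppid": 4120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -ep bypass -f E:\\task\\setup.ps1"}
{"ts": "2025-03-20T09:01:05Z", "host": "dev-laptop-07", "event": "scheduled_task_created", "pid": 4133, "task_name": "\\Microsoft\\Windows\\UpdateCheck", "task_command": "powershell.exe -w hidden -f C:\\Users\\dev\\AppData\\Roaming\\svc.ps1"}
{"ts": "2025-03-20T09:01:09Z", "host": "dev-laptop-07", "event": "network_connect", "pid": 4133, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_host": "files.catbox.moe", "dest_port": 443}
{"ts": "2025-03-20T09:02:00Z", "host": "dev-laptop-07", "event": "process_create", "pid": 4201, "ppid": 3988, "image": "C:\\Program Files\\Git\\bin\\git.exe", "cmdline": "git pull"}
{"ts": "2025-03-20T09:02:10Z", "host": "dev-laptop-07", "event": "network_connect", "pid": 4201, "image": "C:\\Program Files\\Git\\bin\\git.exe", "dest_host": "github.com", "dest_port": 443}
"""


def _basename(path: str) -> str:
    """Last path component, lower-cased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_domain(host: str) -> bool:
    """True for a listed domain or any subdomain of one (not look-alikes)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPICIOUS_DOMAINS)


def has_suspicious_switches(cmdline: str) -> bool:
    """Normalise whitespace and case, then look for the listed switches."""
    normalised = " ".join(cmdline.lower().split())
    return any(s in normalised for s in SUSPICIOUS_SWITCHES)


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events: list) -> list:
    """Return a list of findings; each is {"rule", "pid", "detail"}."""
    findings = []
    stages = defaultdict(set)  # pid -> subset of {"script", "persistence", "exfil"}
    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            if _basename(ev["image"]) in SCRIPT_HOSTS and has_suspicious_switches(ev["cmdline"]):
                findings.append({"rule": "script_host_suspicious_switches",
                                 "pid": ev["pid"], "detail": ev["cmdline"]})
                stages[ev["pid"]].add("script")
        elif kind == "scheduled_task_created":
            # Deliberately simple: only the first token of the task command is
            # checked, so a task that runs cmd.exe to launch a script is missed.
            if _basename(ev["task_command"].split()[0]) in SCRIPT_HOSTS:
                findings.append({"rule": "scheduled_task_runs_script_host",
                                 "pid": ev["pid"], "detail": ev["task_name"]})
                stages[ev["pid"]].add("persistence")
        elif kind == "network_connect":
            if is_suspicious_domain(ev["dest_host"]):
                findings.append({"rule": "outbound_to_file_sharing_or_webhook",
                                 "pid": ev["pid"], "detail": ev["dest_host"]})
                stages[ev["pid"]].add("exfil")
    # One process that scripts, persists and reaches an exfil domain is the
    # chain the summary describes; raise it as a single higher-confidence finding.
    for pid, seen in sorted(stages.items()):
        if {"script", "persistence", "exfil"} <= seen:
            findings.append({"rule": "chain_script_persistence_exfil",
                             "pid": pid, "detail": ",".join(sorted(seen))})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_LOG)):
        print(f"[{finding['rule']}] pid={finding['pid']} {finding['detail']}")
```

Run as-is it reports four findings, all for the PowerShell process (PID 4133), and nothing for the git.exe activity, which connects to github.com and uses no script host. In a real deployment the process-creation and network-connection events would come from Sysmon or an EDR, and the scheduled-task event from Windows Security event ID 4698 ("A scheduled task was created"); the per-process correlation is what turns three noisy individual signals into one alert worth paging on.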
Link(s):
https://cyble.com/blog/fake-coding-challenges-steal-sensitive-data-via-fogdoor/