PULSE DETAIL
PULSE NAME
Fake recruiter campaign targets crypto developers with RAT
A sophisticated fake recruitment campaign named 'graphalgo' has been active since May 2025, targeting JavaScript and Python developers in the cryptocurrency sector. Attackers approach victims through LinkedIn, Facebook, and Reddit with fabricated job opportunities from fake blockchain companies like Veltrix Capital. The campaign uses malicious dependencies hidden in npm and PyPI packages, delivered through coding test repositories on GitHub. Notably, the bigmathutils package accumulated over 10,000 downloads before its malicious version was released. The operation deploys a remote access trojan (RAT) with token-protected C2 communication, file manipulation capabilities, and functionality to detect the MetaMask browser extension, indicating a focus on cryptocurrency theft. The modular campaign design allows the threat actors to keep their backend infrastructure in place while easily replacing compromised frontend elements.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
graphalgo
bigmathutils
graphnetworkx
graphlibcore
netstruct
terminalcolor256
graphkitx
graphchain
graphflux
graphorbit
graphnet
graphhub
terminal-kleur
graphrix
bignumx
bignumberx
bignumex
bigmathex
bigmathlib
bigmathix
graphlink
graphflowx
graphex
graphlibx
graphdict
graphnode
graphsync
bigpyx
bignum
Indicators of Compromise (60 / 319 total)