[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0XyZ77zi4x8zHIsAAVWTWS7YtStMB6r86b0DXJunLxU":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"3664679b-3384-4934-af30-3cd1d468edc9","Fake Job Interview Apps Drop JobStealer Malware on Windows and macOS","fake-job-interview-apps-drop-jobstealer-malware-on-windows-and-macos-3280c2","Hackers are using fake interview apps to spread JobStealer malware on macOS and Windows to steal crypto wallets, browser data, and passwords.","Hackers are distributing JobStealer malware through fake video conferencing apps disguised as legitimate job interview platforms. The malware targets both Windows and macOS users, stealing cryptocurrency wallets, browser credentials, passwords, and sensitive files. The campaign uses convincing fake websites impersonating services like Cisco Webex and distributes malware via DMG files and Terminal commands on macOS, with Windows variants following similar patterns.","JobStealer malware spreads via fake job interview apps on Windows and macOS targeting crypto wallets.","Fake Job Interview Apps Drop JobStealer Malware on Windows and macOS. Hackers are using fake interview apps to spread JobStealer malware on macOS and Windows to steal crypto wallets, browser data, and passwords. By Waqas, May 14, 2026. A fake job interview is now being used as bait to steal crypto wallets, browser credentials, and sensitive files from both Windows and macOS users. Researchers at Dr.Web say the malware campaign revolves around a trojan called JobStealer, which disguises itself as a video conferencing app during the hiring process. 
This malware campaign begins with scammers approaching victims with job offers and inviting them to attend an online interview through a custom meeting platform. The websites look clean, complete with branding, social media accounts, and Telegram channels designed to make the services appear active and trustworthy. However, instead of joining an interview, users end up downloading malware. Researchers identified fake conferencing apps using names such as MeetLab, Meetix, Juseo, and Carolla. Some sites even impersonate legitimate services like Cisco Webex to reduce suspicion. The malicious sites used in this campaign include the following: Meetlab.io, Meetix.app, Carolla.app, and Cloudproxy.link. JobStealer Malware Targeting macOS: On macOS systems, attackers use two installation methods. One method asks the user to copy and paste a Bash command into Terminal. The other delivers a DMG file that includes fake installation instructions. In both cases, the victim is tricked into launching the Trojan manually, which helps the malware bypass normal security warnings. [Figure: JobStealer is delivered through malicious websites either as a DMG file or through a Bash command executed in Terminal, followed by a fake prompt requesting the user’s macOS password. Image credit: Dr.Web] That detail matters because the malware depends heavily on user interaction. The malicious script downloads a file detected as Mac.PWS.JobStealer.1, which is built to run on both Intel and Apple Silicon Macs. According to Dr.Web’s blog post, newer versions added stronger obfuscation and arm64 support after earlier variants failed to run properly on newer Mac hardware. Once active, the malware displays a fake error message asking the victim for their macOS account password. From there, it begins collecting a wide range of data from the infected system. 
The primary target appears to be cryptocurrency assets, with JobStealer searching Chromium-based browsers, including Chrome, Brave, Opera, Edge, Vivaldi, Arc, and Coc Coc, for roughly 300 crypto wallet extensions. It also extracts browser cookies, saved passwords, autofill payment data, Telegram session files, notes stored in Apple Notes, and traces of hardware wallet software such as Ledger Live and Trezor Suite. After collecting the information, the malware compresses the files into a ZIP archive and uploads them to a command-and-control server controlled by the attackers. JobStealer Targets More Platforms: Dr.Web also identified a Windows version of JobStealer with similar data theft capabilities. While the macOS variant uses Terminal commands and fake DMG installers, the Windows samples follow the same fake interview approach and focus on stealing browser data, crypto wallets, and user credentials. Worse, researchers also found download sections for Linux, iOS, and Android variants on some malicious sites, although those versions do not appear to be fully deployed yet. Users should avoid running Terminal commands provided during interviews, especially when shared through unofficial meeting platforms or unfamiliar websites. Downloading conferencing software directly from official vendor sites remains the safer option. Companies conducting legitimate interviews rarely require candidates to bypass operating system protections or manually execute scripts. Dr.Web mapped the malware activity to several MITRE ATT&CK techniques, including malicious copy and paste execution, credential theft from browsers and keychains, automated data collection, and exfiltration through web services. The campaign also shows how threat actors are adapting social engineering tactics to fit the remote work culture instead of depending solely on phishing emails or malicious attachments. 
","https:\u002F\u002Fhackread.com\u002Ffake-job-interview-jobstealer-malware-windows-macos\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Ffake-job-interview-jobstealer-malware-windows-macos-3.jpg","2026-05-14T17:25:10+00:00","2026-05-14T18:00:17.550381+00:00",8,[18,21,23,26,29],{"name":19,"type":20},"Dr.Web","vendor",{"name":22,"type":20},"Cisco",{"name":24,"type":25},"Crypto wallet 
extensions","technology",{"name":27,"type":28},"Chrome","product",{"name":30,"type":28},"Brave","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":31,"icon":33,"name":34,"slug":35},null,"Malware","malware",[37,42,44],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":43},{"id":31,"icon":33,"name":34,"slug":35},{"category":45},{"id":46,"icon":33,"name":47,"slug":48},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[50,54,56,58,61,64],{"type":51,"value":52,"context":53},"domain","meetlab.io","Fake job interview platform hosting JobStealer malware",{"type":51,"value":55,"context":53},"meetix.app",{"type":51,"value":57,"context":53},"carolla.app",{"type":51,"value":59,"context":60},"cloudproxy.link","Malicious domain associated with JobStealer campaign",{"type":35,"value":62,"context":63},"JobStealer","Trojan malware targeting crypto wallets and browser credentials on Windows and macOS",{"type":35,"value":65,"context":66},"Mac.PWS.JobStealer.1","macOS variant of JobStealer malware detected by Dr.Web"]