A sophisticated malware campaign targeting software developers has emerged, leveraging fake coding challenges to infiltrate systems with a stealthy backdoor dubbed FogDoor. First identified in March 2025, this threat specifically targets Polish-speaking developers and job seekers through socially engineered GitHub repositories masquerading as technical recruitment assessments.

The malware’s multi-stage infection chain bypasses conventional security measures by exploiting developers’ familiarity with coding exercises, weaponizing their trust in industry-standard interview practices like the FizzBuzz test. Instead of traditional command-and-control (C&C) servers, it retrieves instructions from a social media profile on bark.lgbt via API calls and uses ephemeral webhook services like webhookbin.net for data exfiltration.

Cyble Research and Intelligence Labs (CRIL) identified this campaign on March 10, 2025, noting its precision in geofencing attacks to Poland and nearby regions with Polish-speaking populations. Cyble analysts emphasize that this multi-layered approach—combining social engineering, geofencing, and ephemeral C&C channels—enables FogDoor to operate undetected across development environments.

The attack begins with a GitHub repository named “FizzBuzz” under the account “Rekrutacja-JS” (Polish for “Recruitment-JS”), hosting an ISO file labeled “Zadanie rekrutacyjne.iso” (“Recruitment Task”). Upon mounting the ISO file, victims encounter FizzBuzz.js—a purposefully defective script designed to prompt debugging—and README.lnk, disguised as a documentation file. When executed, the shortcut triggers a PowerShell script that deploys FogDoor, establishing persistence, exfiltrating sensitive data, and enabling remote command execution. This script first deploys a decoy README.txt containing faux debugging instructions to avoid suspicion.

FogDoor then initiates geolocation checks using wttr.in’s weather API, terminating execution if the victim’s country isn’t Poland. For verified targets, it accesses the threat actor’s (TA’s) social media profile via hxxps://bark.lgbt/api/v1/accounts/lookup?acct=Pawsitive Vibes to retrieve embedded commands. The malware’s payload, SkyWatchWeather.exe, mimics legitimate software while systematically harvesting browser cookies, Wi-Fi credentials, and system metadata. Stolen data is compressed into data.zip and uploaded to filebin.net using a MachineGUID-derived URL, followed by a cleanup routine that deletes staging files and temporary webhook traces.

As FogDoor’s operators expand their tactics to include invoice-themed lures, organizations must prioritize security training and deploy behavioral analytics to counter such socially engineered threats.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
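The infection chain described above touches four externally reachable services in sequence: the wttr.in geofence check, the bark.lgbt account lookup that carries commands, and the webhookbin.net / filebin.net exfiltration endpoints. A defender can turn that sequence into a simple proxy-log hunt. The script below is an added example written for this page, not code from the article or from Cyble: it scans a constructed sample of proxy records (the log format, host names, webhook bin id and filebin path are all made-up placeholders) for those four indicator domains, scores each internal host by which stages of the chain it has contacted, and flags hosts that reach the command or exfiltration stages. The per-stage weights are an assumption of this example; a lone wttr.in lookup is deliberately scored low because developers and dashboards query it legitimately.

```python
"""
Added detection example (not code from the article or from Cyble): scan
constructed proxy log lines for the FogDoor network indicators named in the
article (wttr.in geofence check, bark.lgbt account lookup, webhookbin.net
and filebin.net exfiltration) and score each source host by chain stage.
"""
from urllib.parse import urlsplit

# Indicator domains taken from the article. Labels name the role each service
# plays in the chain; weights are this example's own choice (assumption).
INDICATORS = {
    "wttr.in": ("geofence-check", 1),   # common benign traffic, low weight
    "bark.lgbt": ("c2-lookup", 3),
    "webhookbin.net": ("exfil-webhook", 3),
    "filebin.net": ("exfil-upload", 3),
}

# Constructed sample proxy log: "<timestamp> <src_host> <method> <url>".
# Host names, the webhook bin id and the filebin path are placeholders.
SAMPLE_LOG = """\
2025-03-10T09:01:02Z DEV-WS01 GET https://wttr.in/?format=j1
2025-03-10T09:01:05Z DEV-WS01 GET https://bark.lgbt/api/v1/accounts/lookup?acct=Pawsitive%20Vibes
2025-03-10T09:02:10Z DEV-WS01 POST https://webhookbin.net/bin/example-bin-id
2025-03-10T09:03:40Z DEV-WS01 POST https://filebin.net/example-machineguid-bin/data.zip
2025-03-10T09:05:00Z DEV-WS02 GET https://wttr.in/Warsaw
2025-03-10T09:06:00Z DEV-WS03 GET https://github.com/example-org/example-repo
"""


def parse_line(line):
    """Split one record into (timestamp, src_host, method, url); None if malformed."""
    parts = line.strip().split(maxsplit=3)
    if len(parts) != 4:
        return None
    return tuple(parts)


def match_indicator(url):
    """Return (domain, stage_label, weight) if the URL's host is an indicator
    domain or a subdomain of one, else None."""
    hostname = urlsplit(url).hostname
    if not hostname:
        return None
    for domain, (label, weight) in INDICATORS.items():
        if hostname == domain or hostname.endswith("." + domain):
            return domain, label, weight
    return None


def score_hosts(log_text):
    """Aggregate indicator hits per source host.

    Each chain stage is counted once per host, so repeated polling of the
    same service does not inflate the score; the order of first contact is
    preserved in 'stages' to show how far along the chain the host got.
    """
    results = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, src, _method, url = rec
        hit = match_indicator(url)
        if hit is None:
            continue
        _domain, label, weight = hit
        entry = results.setdefault(src, {"score": 0, "stages": [], "urls": []})
        entry["urls"].append(url)
        if label not in entry["stages"]:
            entry["stages"].append(label)
            entry["score"] += weight
    return results


def flag_hosts(log_text, threshold=4):
    """Hosts whose score reaches the threshold. With the weights above, a
    host is flagged only if it touched the command channel or an exfil
    service, not for a weather lookup alone."""
    return sorted(h for h, e in score_hosts(log_text).items() if e["score"] >= threshold)


if __name__ == "__main__":
    for host, entry in score_hosts(SAMPLE_LOG).items():
        print(host, entry["score"], " -> ".join(entry["stages"]))
    print("flagged:", flag_hosts(SAMPLE_LOG))
```

In the constructed sample, DEV-WS01 walks the whole chain and is flagged, DEV-WS02 only queried wttr.in and is not, and DEV-WS03 never appears. In a real deployment the same matcher would be pointed at proxy or DNS telemetry, and the `stages` list gives an analyst the order in which the host contacted each service, which is the sequencing the article describes.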
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 25 Mar 2025 07:35:09 +0000