Operation FalseOffer - Fake Job Offer Campaign Targeting European Applicants

Jan 21, 2026

Executive Summary

Recently, a post published by MalwareHunterTeam on X highlighted an ongoing malware campaign targeting European job applicants using fraudulent recruitment lures. The campaign leverages regionally localized fake job offer documents written in Italian, Polish, and Czech, indicating deliberate language-aware social engineering rather than indiscriminate spam.

The observed campaign distributes malicious ZIP archives masquerading as legitimate offer letter packages for a fictitious online gaming initiative. These archives contain decoy Word documents and a malicious Windows shortcut file disguised as a .docx document. When executed, the shortcut launches a PowerShell-based loader that initiates a multi-stage infection chain designed to establish persistent access on the victim system.

The initial loader extracts and validates embedded payloads, installs campaign artifacts under the ProgramData directory, and disables PowerShell’s Antimalware Scan Interface (AMSI) via reflection-based manipulation. It then reconstructs and executes a heavily obfuscated PowerShell payload that serves as the final implant.

The final-stage implant is a PowerShell-based persistent backdoor that communicates with attacker-controlled infrastructure over HTTPS. It establishes scheduled-task persistence through indirect execution of a malicious LNK file, generates host-specific identifiers, and periodically beacons to its command-and-control (C2) server. The implant supports operator-issued control commands, dynamic infrastructure updates, and arbitrary PowerShell command execution on compromised hosts. Notably, command execution is fire-and-forget in nature, as the implant does not return execution output to the C2 server, favoring stealth over interactive control.

The campaign demonstrates moderate technical sophistication, combining regionally tailored lures, layered obfuscation, AMSI bypass techniques, persistence mechanisms, and resilient C2 handling. While not indicative of advanced nation-state tradecraft, the operation reflects a structured and deliberate approach consistent with access-broker or financially motivated threat activity.

At the time of writing, multiple ZIP variants associated with this campaign have been observed, sharing consistent infrastructure patterns and hosting providers, while rotating C2 subdomains and encryption material. The campaign remains active, and its focus on job seekers suggests continued risk to individuals engaging with unsolicited recruitment communications across affected regions.

Infection Chain

Key Findings

  • The campaign targets European job applicants, using localized lure documents written in Italian, Polish, and Czech, indicating deliberate regional targeting rather than mass phishing.

  • Malicious content is delivered through ZIP archives containing decoy documents and a Windows shortcut file (.LNK) disguised with a .docx extension to mislead users.

  • The LNK file launches PowerShell with Execution Policy Bypass, allowing the embedded script to execute regardless of local PowerShell security restrictions.

  • A multi-stage PowerShell infection chain is employed, consisting of an initial loader followed by a persistent backdoor implant.

  • The stage-2 loader installs campaign artifacts under the ProgramData directory and performs AMSI bypass using reflection by setting the internal AmsiInitFailed flag to true.

  • Payload integrity is validated using a hardcoded marker string embedded within the ZIP archive, preventing execution if the file has been modified or corrupted.

  • The final-stage implant establishes persistent access through a scheduled task that indirectly executes the malicious LNK file via explorer.exe.

  • Command-and-control communication occurs over HTTPS, with beacon parameters and commands obfuscated using XOR-based encoding.

  • The implant generates host-unique identifiers using a custom CRC-like hashing routine derived from system-specific values, enabling victim tracking without relying on explicit identifiers.

  • The malware supports dynamic C2 infrastructure updates, allowing operators to rotate or replace C2 endpoints without redeploying the implant.

  • Operator-issued commands are executed using Invoke-Expression, enabling arbitrary PowerShell execution on compromised systems.

  • Command execution is fire-and-forget, as the implant does not capture or return command output to the C2 server, prioritizing stealth over interactive control.

  • The campaign demonstrates moderate technical sophistication, combining localized social engineering, layered obfuscation, AMSI bypass, persistence mechanisms, and resilient C2 handling.

  • Observed artifacts and behavior are consistent with financially motivated or access-broker–style operations, rather than advanced nation-state activity.

Technical Analysis

Stage 0: Zip File

The Zip File contains:

  • A lure document pretending to be a job offer: Offerta_M_Pranka_07-01-26.docx.lnk

  • A decoy Word doc for Italy/Gaming: Italia_Kaufland_Gaming.docx

  • A decoy “confidentiality” doc: Riservatezza_Kaufland_Gaming.docx

Zip File

Decoy Doc Older Campaigns:

The Italia_Kaufland_Gaming.docx decoy document presents itself as an official corporate collaboration and recruitment brochure for a supposed online gaming initiative called Kaufland Gaming Italy, claiming a 2025 launch under an ADM license and backing from Kaufland and the Schwarz Group. It describes the planned rollout of a full online gaming platform (casino, sports betting, poker, and mobile apps), emphasizes regulatory compliance, responsible gaming, and advanced technology, and portrays the project as a greenfield opportunity. The document highlights expansion plans for 2025–2027, lists numerous job openings across gaming operations, technology, compliance, marketing, data, and customer support, and promotes competitive salaries, bonuses, hybrid/remote work, and strong corporate benefits, framing the campaign as a credible, well-funded, and professional business initiative to attract targets.

Page 1 of the decoy document

The Riservatezza_Kaufland_Gaming.docx decoy is an NDA-style document for the target to sign, stating rules for protecting confidential information, personal data, and intellectual property within Kaufland Gaming Italia.

Page 1 of the Confidential Doc

Decoy Doc Latest Campaign:

The Pozvání ke spolupráci – EDEKA Česko 2025 decoy document presents itself as an official recruitment and expansion briefing for the German retail chain EDEKA, outlining a planned market entry and large-scale expansion across the Czech Republic between 2025 and 2027. The document claims the establishment of a nationwide network of 60 retail stores, supported by dedicated logistics infrastructure and partnerships with local Czech suppliers.

The content emphasizes EDEKA’s brand credibility, corporate values, sustainability initiatives, and long-term investment strategy. It provides detailed descriptions of business priorities such as modern store formats, self-checkout systems, efficient logistics, and environmentally responsible operations. The document further includes extensive recruitment messaging, listing a wide range of job roles across retail operations, logistics, procurement, finance, HR, IT, legal, marketing, and management functions.

To enhance legitimacy, the decoy contains realistic salary ranges denominated in Czech koruna, employment conditions, benefits, career development opportunities, and a structured FAQ section addressing common applicant concerns such as remote work options and hiring timelines. The document is framed as confidential, includes legal disclaimers, and mimics internal corporate recruitment material, making it highly convincing to Czech-speaking job seekers and reinforcing the campaign’s regionally tailored social-engineering approach.

Stage 1: Lnk File

The LNK file is disguised as a job offer letter by using a double extension format (.docx.lnk), causing the file to appear as a Word document to the victim while actually functioning as a Windows shortcut.

Using the LECmd utility to inspect the shortcut reveals that it launches powershell.exe with the -ep b (Execution Policy Bypass) argument, followed by a heavily obfuscated PowerShell script. This allows the embedded script to execute regardless of local PowerShell execution policy restrictions.

LeCmd.exe

Stage 2: OffertaLoader

This stage has been designated OffertaLoader, reflecting its role as a loader component and its thematic alignment with job offer–based social engineering. Its primary purpose is to prepare the environment and deploy the final payload.

The initial PowerShell script is heavily obfuscated; however, after deobfuscation and annotation, its behavior becomes clear and deterministic.

Initially, the loader enumerates the PowerShell profile path to derive the system drive, establishes an installation directory under ProgramData, and constructs a base user directory path.

Enumeration Of Directories

Next, it searches for the campaign ZIP file across multiple locations, including the installation directory (ProgramData), the user’s Downloads folder, the parent directory, and the user base directory. If the ZIP file with the expected name is not found, execution terminates. If found, the full path is resolved and stored as zipPath.

File Search in Directories

The loader then searches for a hardcoded marker string (wXZcMBU) within the ZIP file contents. If the marker is not present, execution stops, serving as a basic integrity or tamper check.

Indicator Searching

If the installation directory does not already exist under ProgramData, the loader extracts the ZIP archive into that directory and copies the ZIP file itself for persistence and reuse.

Copying & Extraction to ProgramData

The loader proceeds to bypass AMSI using reflection. It dynamically constructs member names to evade static detection, enumerates all types within the System.Management.Automation assembly, locates the internal Utils class, retrieves its non-public static fields, identifies the AmsiInitFailed field, and sets it to true, effectively disabling AMSI scanning for the current PowerShell session.

Amsi Bypass

Following this, the loader extracts an embedded payload string from the ZIP file beginning at the wXZcMBU marker. It splits the payload, removes obfuscation characters by replacing # with empty strings, replaces placeholder values with absolute file paths, injects runtime configuration variables, embeds the decoy document path into the payload, and finally executes the reconstructed script via Invoke-Expression.

Payload Extraction & Execution

Manual string extraction from the ZIP file confirms that the embedded payload is a large, heavily obfuscated PowerShell script representing the next stage of the campaign.

Stage 3: OffertaBeacon

The final stage has been designated OffertaBeacon, as it functions as a PowerShell-based persistent backdoor that establishes encrypted HTTPS command-and-control communication, maintains scheduled-task persistence through LNK execution, supports dynamic infrastructure updates, and enables operator-driven PowerShell command execution.

The payload is initially heavily obfuscated; however, after deobfuscation, its functionality becomes transparent.

At startup, the implant defines core configuration values, including the decoy document path, the LNK file path within ProgramData, a boolean AllowExecution flag, an XOR encryption key, and other runtime constants.

Config

It then defines a series of helper functions implementing XOR-based encryption and decryption, byte-wise XOR operations, hexadecimal-to-byte conversion, and byte-to-hexadecimal conversion routines.

Xor/Hex Functions

A custom CRC-like hashing function is implemented and used to generate stable identifiers for the victim and host.

Custom Crc-like identifier func

Another function is defined to hide the PowerShell console window using the ShowWindowAsync API with a window handle and a hide parameter, preventing visible execution artifacts.

HideConsole Func

The implant also defines a web request function that retrieves content over HTTPS using a custom User-Agent and explicitly enables modern TLS protocols. The function returns the downloaded response as a string.

DownloadStringFunc

At runtime, the implant XOR-decrypts two embedded strings using the XOR key, yielding the C2 base address and a victim-specific salt derived from the ZIP file name. Across observed campaign variants, the C2 address, XOR keys and encrypted strings vary.

C2 Address & Victim Salt

The implant retrieves the system Product ID, generates a VictimID by hashing the victim salt, and generates a HostID by hashing the Product ID. It then checks for the existence of a file named after the HostID within the installation directory. If present, the file contents are read, XOR-decrypted, and used as an updated C2 base address, allowing operators to rotate infrastructure without modifying the implant itself.

Next, the implant determines the parent and grandparent process IDs and resolves the grandparent process name. If the AllowExecution flag is not set, or if the grandparent process is not svchost.exe or powershell.exe, the decoy document is launched. This logic prevents the decoy from opening during scheduled-task–based execution while still presenting it during initial user-triggered execution.

Decoy Document Execution logic

A system-wide mutex is then created using a dynamically generated name derived from the HostID, ensuring only one instance of the implant runs at a time.

Mutex

Persistence is established via a scheduled task configured to execute explorer.exe with the malicious LNK file as an argument. The task is configured to trigger daily (commonly observed at 10:00 AM), causing Explorer to resolve and execute the shortcut.

Persistence

The implant then enters its main beaconing loop. It initializes a timestamp of the last check-in, generates a random delay interval, and enters an infinite loop. During each iteration, it checks whether the elapsed time since the last beacon exceeds the delay. If so, it regenerates the delay, updates the timestamp, constructs a marker value by XOR-encrypting the HostID and appending a static suffix, adds random padding, and builds the full beacon URL by concatenating the C2 base, HostID, VictimID, marker, timestamp, and padding.

Beaconing Pt-1

The implant attempts to retrieve a response from the C2 server using this URL. If a response is received, it is split using a period (.) delimiter. If the response format is valid, the second component is XOR-decrypted using the HostID to obtain the command.

If the decrypted command begins with the $ character, it is treated as a control instruction. A $KILL command causes the implant to unregister its scheduled task and recursively remove all files from the ProgramData installation directory. A $HOST command updates the C2 base address by XOR-encrypting the supplied value and storing it locally for future beaconing.

If the command does not begin with $, it is executed directly via Invoke-Expression. The implant does not capture or return command output to the C2 server, making execution fire-and-forget in nature.

After execution, the implant updates the last check-in timestamp, sleeps for a short randomized interval, and continues the beaconing loop indefinitely.

IOC
