
Fake Job Interview on Wellfound Leads to Malware Analysis
I was targeted by a fake job interview on Wellfound. Instead of becoming a victim, I reverse-engineered the malware. Here's the full analysis: 571 encrypted config values decrypted, C2 and Sentry DSN exposed, DPRK/Contagious Interview attribution.

The attack involved a fake recruiter named "Felix" from "HyperHive" who used a multi-email social engineering chain to direct the target to a malicious website. The malware, an 8.5MB Rust-compiled Mach-O binary, was delivered via a `curl | bash` command and employed 570 custom encryption functions to hide its configuration. The analysis revealed the command-and-control (C2) domain cloudproxy.link, a Sentry DSN linked to the operator, and 276 targeted Chrome extensions, including crypto wallets and password managers. The malware steals browser data, credit cards, cookies, Apple Notes, Telegram sessions, and crypto wallet extensions, with tactics matching the DPRK-linked "Contagious Interview" campaign.