Fake Job Interviews Trick Users Into Installing Atomic Stealer

Atomic Stealer malware is posing as a fake real-time translator app for job interviews.

By Marco Rizal - Editor, Journalist

  • Atomic Stealer Trojan is hidden in a fake Brave Talk translator app.
  • The phishing scam uses fake meeting invites to push the download.
  • Malware runs encoded scripts, stealing sensitive data from infected systems.

Our team has received numerous reports of phishing attempts involving the Atomic Stealer malware, which is being distributed via a fake translator app masquerading as a legitimate tool for business meetings.

The scam uses a well-crafted phishing message sent to unsuspecting users through platforms such as job boards, tricking them into downloading malware under the guise of a last-minute business meeting on Brave Talk.

An individual described the process: “The invitation arrived just 20 minutes before the meeting. They claimed their business partner required a real-time translator.”

While Brave Talk, which is built on the Jitsi platform, includes features such as encrypted calls and screen sharing, we've discovered that it does not support real-time translation.

However, attackers take advantage of this gap, claiming that the meeting requires a special app to bridge the language barrier.

This is the exact method that led to the draining of the cryptocurrency wallet belonging to Rui-Siang Lin, the mastermind behind the dark web marketplace Incognito.

According to one user, the URL originates from Brave's referral domain, so the attackers may have compromised a subdomain or an Amazon S3 bucket used by Brave to host files.

As for the content of the malicious package, the installer contained three base64-encoded variables that were merged and decoded into a separate script for execution.

Figure: base64-decoded output from malicious file

The malware script looks for specific volumes on the user's system, creates a temporary directory, and stores a launcher file in the /tmp/ folder.
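
A static triage sketch for the pattern described above, added here as an example and not taken from the analyzed sample: it finds base64-looking variables in an installer script, joins them in the order the script merges them, and decodes the result for reading without executing anything. The sample text, variable names and the indicator strings other than /tmp/ are constructed assumptions, as is the premise that the installer is a shell-style text script.

```python
import base64
import re

# Constructed, inert stand-in for the decoded script (not the real malware).
PAYLOAD = b"# inert placeholder: list /Volumes, mktemp -d, write /tmp/launcher\n"
_b64 = base64.b64encode(PAYLOAD).decode()
_n = len(_b64) // 3
# Constructed installer text: three chunks defined out of order, merged later.
SAMPLE = (
    f'c3="{_b64[2 * _n:]}"\n'
    f'a1="{_b64[:_n]}"\n'
    f'b2="{_b64[_n:2 * _n]}"\n'
    'echo "$a1$b2$c3" | base64 -d > /dev/null\n'
)

ASSIGN = re.compile(r'^\s*(\w+)=["\']?([A-Za-z0-9+/=]{16,})["\']?\s*$', re.M)
REF = re.compile(r"\$\{?(\w+)\}?")
# /tmp/ is from the article; the other two strings are assumed indicators.
INDICATORS = ("/tmp/", "/Volumes", "mktemp")

def extract_chunks(script):
    """Map variable name -> value for assignments that look like base64."""
    return dict(ASSIGN.findall(script))

def merge_order(script, chunks):
    """Order chunk names by first use outside the assignment lines."""
    body = "\n".join(l for l in script.splitlines() if not ASSIGN.match(l))
    used = [n for n in REF.findall(body) if n in chunks]
    return list(dict.fromkeys(used)) or list(chunks)

def decode_merged(script):
    """Join the chunks and decode them for reading; nothing is executed."""
    chunks = extract_chunks(script)
    if len(chunks) < 2:
        return None
    blob = "".join(chunks[n] for n in merge_order(script, chunks))
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def triage(script):
    """Return the decoded text plus any indicator strings it contains."""
    decoded = decode_merged(script)
    hits = [i for i in INDICATORS if decoded and i in decoded]
    return {"decoded": decoded, "indicators": hits}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it on a copy of the suspicious file on an analysis machine; the decoded text is only returned as a string, so the second stage can be reviewed before anything is opened.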

We identified this file as Atomic Stealer, a program designed to infiltrate systems and collect sensitive information.

The identification is based on specific patterns and threat detections assigned to the file: VirusTotal lists its popular threat label as trojan.amos/stealer, with AMOS standing for Atomic Stealer malware.

Figure: Malicious file VirusTotal results

While the Mac's security measures may have prevented the malware from fully executing, the initial stages had already completed, raising concerns about potential data exposure.

The user clarified: “I heard the error sound from my Mac after the script asked for my password, but I'm unsure if the malware ran fully or was stopped.”

As the name suggests, Atomic Stealer is a Trojan that targets macOS users and steals passwords, browser data, and other personal files.

Its sophisticated delivery method—using legitimate platforms such as Brave Talk and hosting the malicious file on an authentic Brave domain—makes it difficult for users to identify the scam.

A cybersecurity expert stated, “The fact that the malware was delivered from a Brave referral domain raises serious concerns.”

Attackers may have compromised a legitimate content delivery network (CDN) or subdomain where Brave distributes files.

This is not the first time we've seen a case like this; in the past, we've seen threat actors pose as business people, claiming to buy digital assets from Flippa and other marketplaces and tricking users into installing malware-infected programs for a variety of reasons.
