Fake LinkedIn Recruiter Malware Scam (Trifleck)

A LinkedIn recruiter from 'Trifleck' tried to install malware on a Bengaluru engineer. How to spot the pattern, what to do if hit, and the full forensic record.

Sai Samarth & Ashok Kamat
Cyber Secify

Last updated 2026-05-20. The full forensic investigation (four-entity shell cluster, smoking-gun WHOIS, IOCs, attribution detail, evidence pack) now lives at /investigations/trifleck-shell-cluster/. This post is the buyer-facing summary plus action steps.

The short answer. A senior frontend engineer in Bengaluru was targeted by a fake LinkedIn recruiter pretending to work at a US software firm called Trifleck. The “code review” task before the technical interview was a malware ZIP. Trifleck has no verifiable business registration in Florida or Delaware, the recruiter’s photo was stolen from a 14-year-old Gravatar profile, and the company is one of four shell fronts that share registrar, nameservers, and an Iceland-proxied WHOIS. Two of the four domains were registered three hours apart. This is the publicly documented Contagious Interview campaign attributed by Microsoft, Mandiant, Palo Alto Unit 42, and the FBI to DPRK-aligned threat actors. Action steps follow below. For the full forensic record, read the investigation.

The setup

The target, who has shared his account of the incident publicly on LinkedIn, is Anil N, a senior frontend engineer with fifteen years of experience including time at io.net and Vimeo. On May 6 2026, he received a LinkedIn connection request and direct message from a person named John Burleson, claiming to be COO at a company called Trifleck.

The opening message read:

“Hi, @Anil N. Glad to know you on LinkedIn. Are you able to work remotely? Hiring for a Frontend expert ($50-$100/h) at Trifleck. Trifleck is a B2B software development and digital growth partner helping businesses design, build, and scale high-impact digital products. Your background looks like a strong match. Would you be open to hearing a bit more about the role?”

The pay range was above market. The company description was clean and plausible. The pitch did not feel like a scam at first read.

Over the next 24 hours, the conversation moved through a familiar recruitment arc. Burleson asked a few screening questions, sent a project brief PDF, scheduled a call through a second persona’s Calendly, and shared a Google Drive ZIP labeled Blockstar.zip with explicit instructions to read the README first.

The README, when extracted in a safe environment, contained a single instruction: run "git checkout dev" to access the latest MVP. The malicious payload lived in that dev branch, not in the branch the archive was checked out on. VirusTotal flagged the archive under the Trojan-Downloader.Shell.Agent family. On npm install, a preinstall or postinstall hook in the project's package.json would have executed a loader that called a remote command and control server and pulled follow-on stages.

He recognised the pattern in time and did not run the code. What follows is the action sequence: how to spot this pattern before you click, what to do if you have already run the code, and how to get verification help.

How to spot this pattern before you click

A few rules that would have caught this scam at multiple stages.

Verify the recruiter against the company. A real recruiter is on the company’s LinkedIn employee list. If they are not, ask why. “I don’t use LinkedIn often” is not an acceptable answer from a recruiter, and “check again” two minutes later is operator behavior, not real-person behavior.

Verify the company against business registries. A real company in the United States, United Kingdom, Singapore, or Australia has a business registration you can look up in 30 seconds through the relevant state or national registry. A real company in India has a CIN you can verify on the MCA portal. Polished websites cost a few hundred dollars and a weekend. Business registrations cost more and take longer.

Treat unsolicited recruitment that skips resume review as a strong signal. Real recruiters want your CV before they hand you assignments. If a recruiter is sending you the project codebase before reading your resume, the goal is not hiring.

Inspect archives without extracting locally. Use an online archive viewer, an in-memory reader, or a disposable VM. Read package.json first. Look at every entry under scripts. If prepare, postinstall, or preinstall invoke something you did not expect, stop and read what they invoke before going further. Two things a quick look misses: a README that says "git checkout dev" is pointing at files that are not in the working tree you just listed, so read that branch's package.json as well (git show dev:package.json prints it without checking anything out); and a ZIP that ships a .git directory can also ship .git/hooks, and a post-checkout hook runs the moment you check the branch out.

Treat any “review the codebase before the interview” instruction with suspicion. This is the single most consistent fingerprint of the Contagious Interview campaign across all documented variants. Legitimate companies do not require local execution of an unvetted codebase as a pre-interview screening step.

If you fit the targeting profile (current or former crypto firm employee, Web3 developer, holder of crypto), treat all unsolicited recruitment with extra skepticism for the next 24 months. This campaign cluster has been documented continuously since December 2022. There is no sign of it slowing down.

What to do if you have already run the code

If you have already cloned the repository and run npm install, treat this as a confirmed compromise and move fast.

  1. Disconnect the machine from the network immediately. Pull the ethernet cable, turn off Wi-Fi. Stop further exfiltration.
  2. Rotate every credential the machine had access to. Browser-saved passwords. Cloud CLI tokens (AWS, GCP, Azure). SSH keys. GitHub personal access tokens. npm publish tokens. API keys in .env files. Anything the shell environment had read access to should be considered compromised.
  3. Move funds from a clean device if crypto wallet seed phrases were on the machine. Assume any wallet extension data is compromised. Use a different, clean computer to access wallet recovery, and move funds to a new wallet whose seed phrase was never on the affected device.
  4. Reimage the machine. Do not clean it. A compromised endpoint is not trusted recovery infrastructure. Persistence mechanisms can survive AV cleanup. Full reimage is the only safe path forward.
  5. Going forward, run npm install --ignore-scripts (or npm ci --ignore-scripts) on any codebase from an unverified source, or set ignore-scripts=true in your ~/.npmrc so it is the default. Lifecycle hooks (preinstall, install, postinstall, prepare) will not fire, for the project or for any of its dependencies. Once you have read what a hook does, you can run it deliberately with npm rebuild <package>. Know the limit of this habit: it stops code from running at install time only. npm start, npm test, or importing the project still executes whatever is in the tree, so read before you run.
  6. Notify your employer’s security team. If the affected machine had access to corporate resources, treat this as a corporate incident, not a personal one. Time to disclosure matters.
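The archive inspection described under "How to spot this pattern" and the post-install audit in step 5 both come down to the same check: find every package.json, read its lifecycle hooks, and decide whether they should run. The following script is an added example written for this post, not code from the original article or from the investigation. It reads a ZIP entirely in memory (nothing is extracted, nothing executes), flags hooks whose commands look like downloaders, lists the git branches and git hooks the archive ships so that a "git checkout dev" instruction cannot hide a payload from the scan, and audits a node_modules tree after an --ignore-scripts install. The hook list, the suspicious-command pattern and the 1 MiB read cap are this example's own heuristics; the sample ZIP it builds is constructed for illustration and is not the real Blockstar.zip.

```python
# Added example (not the post's or the investigation's own code): read a
# recruiter "take-home" ZIP in memory, flag npm lifecycle hooks, list the git
# branches and git hooks the archive ships, and audit a node_modules tree
# after `npm install --ignore-scripts`.  Sample data below is constructed.
import io
import json
import re
import zipfile
from pathlib import Path

# Hooks npm runs on its own during `npm install` / `npm ci` / `npm rebuild`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic: shapes that have no business in the build hook of a frontend take-home.
SUSPICIOUS = re.compile(
    r"curl|wget|node\s+-e|eval\(|base64|https?://|powershell|\b(?:sh|bash)\s+-c",
    re.IGNORECASE,
)
MAX_READ = 1 << 20  # never read more than 1 MiB of any member (zip-bomb guard)


def lifecycle_findings(pkg_json_text, location):
    """Return [(location, hook, command, suspicious)] for hooks in a package.json."""
    try:
        scripts = json.loads(pkg_json_text).get("scripts") or {}
    except (json.JSONDecodeError, AttributeError):
        return [(location, "<unparseable package.json>", "", True)]
    return [
        (location, hook, str(scripts[hook]), bool(SUSPICIOUS.search(str(scripts[hook]))))
        for hook in LIFECYCLE_HOOKS
        if hook in scripts
    ]


def inspect_zip(zip_bytes):
    """Walk the archive from memory: nothing is written to disk, nothing executes."""
    report = {"findings": [], "branches": set(), "git_hooks": [], "skipped": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if info.file_size > MAX_READ:
                report["skipped"].append(name)
                continue
            if name.endswith("package.json"):
                text = zf.read(info).decode("utf-8", "replace")
                report["findings"] += lifecycle_findings(text, name)
            # Branch names live in .git/refs/heads/* or .git/packed-refs.  A README
            # saying "git checkout dev" points at files that are NOT in the tree
            # you just listed; the scan above covers only the checked-out branch.
            m = re.search(r"(?:^|/)\.git/refs/heads/(.+)$", name)
            if m:
                report["branches"].add(m.group(1))
            elif name.endswith(".git/packed-refs"):
                for line in zf.read(info).decode("utf-8", "replace").splitlines():
                    parts = line.split()
                    if len(parts) == 2 and parts[1].startswith("refs/heads/"):
                        report["branches"].add(parts[1][len("refs/heads/"):])
            # A shipped .git/hooks/post-checkout runs the moment you `git checkout`.
            h = re.search(r"(?:^|/)\.git/hooks/([^/]+)$", name)
            if h and not h.group(1).endswith(".sample"):
                report["git_hooks"].append(name)
    return report


def audit_tree(root):
    """After `npm install --ignore-scripts`: every hook that would otherwise have run."""
    root = Path(root)
    return [
        f
        for pkg in sorted(root.rglob("package.json"))
        for f in lifecycle_findings(pkg.read_text("utf-8", errors="replace"),
                                     pkg.relative_to(root).as_posix())
    ]


def build_sample_zip():
    """Constructed stand-in for the recruiter ZIP; not the real Blockstar.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Blockstar/README.md", "Run `git checkout dev` for the latest MVP.\n")
        zf.writestr("Blockstar/package.json", json.dumps(
            {"name": "blockstar-web", "scripts": {"dev": "vite", "prepare": "husky install"}}))
        zf.writestr("Blockstar/.git/HEAD", "ref: refs/heads/main\n")
        zf.writestr("Blockstar/.git/refs/heads/main", "0" * 40 + "\n")
        zf.writestr("Blockstar/.git/refs/heads/dev", "1" * 40 + "\n")
        zf.writestr("Blockstar/.git/hooks/post-checkout", "#!/bin/sh\n# constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    rep = inspect_zip(build_sample_zip())
    for loc, hook, cmd, bad in rep["findings"]:
        print(("SUSPICIOUS " if bad else "hook ") + f"{loc} {hook}: {cmd}")
    print("branches shipped in .git:", sorted(rep["branches"]))
    print("git hooks shipped:", rep["git_hooks"])
    print("skipped (too large):", rep["skipped"])
```

On the constructed sample the checked-out tree shows only a prepare hook that is not flagged, while the report lists a second branch (dev) and a post-checkout hook the directory listing would never draw attention to; that gap is exactly where the payload described above sat. Point inspect_zip at the bytes of the real archive you received, and run audit_tree("node_modules") after an --ignore-scripts install before deciding which packages to npm rebuild.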

If you need help with forensic confirmation or with rotating credentials at scale, reach out via the verification line below. We can help you scope what was likely accessed and walk through the rotation sequence.

Not Sure If Your Recruiter Is Real?

Send us the recruiter’s name, their LinkedIn URL, the company they claim to represent, and any file or link they shared. We will tell you if it’s a real recruitment process or a scam.

No charges. No judgment.

What Happens When You Contact Us

  • We do not report you to the police
  • We do not ask for documents or payments
  • We do not interrogate or judge
  • We only verify whether it’s real or a scam

Need Help Beyond Verification?

If you have already lost money or credentials, or need help with FIR filing or reporting through the National Cybercrime Portal (cybercrime.gov.in), reach out via the same WhatsApp number. Evidence preservation and complaint assistance are paid services.

What the investigation found (summary)

The full forensic record is at /investigations/trifleck-shell-cluster/. The headlines:

  • Trifleck is one of four shell entities sharing infrastructure: Trifleck, Fleck Publisher, Virginia Book Publisher, and The Creative Unit. All four surfaced in each other’s LinkedIn “Pages people also viewed” sidebar. Two of them list the identical street address (8201 Greensboro Dr, McLean VA 22102). The Creative Unit’s LinkedIn page has been deleted entirely.
  • The structural smoking gun: trifleck.com and fleckpublisher.com were registered three hours and ten minutes apart on the same day (2025-05-21), with the same registrar (Namecheap), behind the same anonymous Icelandic privacy proxy (Withheld for Privacy ehf), using the same budget DNS provider (Vilords). This is shared-operator evidence at a level that does not require LinkedIn correlation to interpret.
  • No business registration in Florida or Delaware under Trifleck or Fleck Publisher. The trifleck.com Terms of Service ships with literal unfilled (email address) and (business address) template placeholders in Section 14.
  • The recruiter’s photo was stolen from a 14-year-old Gravatar account (pastorwynn), unambiguously predating the trifleck.com domain by more than a decade.
  • Workforce composition does not match the claimed business: 9 HR, 8 business development, 5 IT, 5 sales at a claimed B2B software development agency. More HR staff than engineers.
  • Backdated tenures: four employees in four different countries with identical “5 years 1 month” tenure at a company whose domain is twelve months old.
  • Both recruiter personas were deleted from LinkedIn after our Day 1 inquiry was sent.
  • Blockstar Corporation in Chicago is a real and unrelated company (blockchain services firm founded 2020). The malicious project pretext name Blockstar.zip does not connect to them in any way.

The Trifleck / Blockstar instance had not appeared in any prior public report. Our investigation is the first public record of this specific cluster and the structural shared-infrastructure evidence tying the four entities to a single operator.

This is the publicly documented Contagious Interview campaign, attributed by Microsoft Threat Intelligence (Sapphire Sleet), Palo Alto Unit 42 (CL-STA-0240), Mandiant (UNC5342), Trend Micro (Void Dokkaebi), CrowdStrike (Famous Chollima), the FBI (TraderTraitor), and multiple other security vendors to DPRK-aligned threat actors. The campaign has been continuously active since December 2022 and shows no signs of slowing.

Who we are

Cybersecify is a Bengaluru-based cybersecurity consultancy. We help engineers, founders, and individuals verify suspicious recruitment outreach, suspicious calls, suspicious messages, and suspicious files before they turn into financial or operational damage.

We are not police. We are not a takedown service. We verify.

Disclaimer

This writeup is for public awareness. Cybersecify is an independent cybersecurity consultancy and is not affiliated with or endorsed by any law enforcement or government agency. For the avoidance of doubt: Blockstar Corporation, a Chicago-based blockchain services firm founded in 2020 that focuses on real estate tokenization, is a real and unrelated company. The reused project pretext name Blockstar.zip does not connect to Blockstar Corporation in any way. The full disclaimer and audit trail live in the investigation.

For emergencies or legal reporting in India, contact official authorities or use the National Cybercrime Helpline 1930.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM the author on LinkedIn.

Tags: fake recruiter scam, LinkedIn recruitment fraud, Contagious Interview, malware analysis, DPRK, Trifleck scam, Bengaluru