Analysis updated 2026-05-18
Load the included YARA and Sigma rules into your own security monitoring tools.
Study how a real fake job interview malware campaign was built and delivered.
Import the STIX bundle or ATT&CK Navigator layer into a threat intelligence platform.
Reproduce the static analysis safely inside the provided isolated Docker lab.
| darksp33d/hyperhives-macos-infostealer-analysis | dabit3/agent-hooks-in-depth | yousseeff20/fixpy | |
|---|---|---|---|
| Stars | 29 | 29 | 29 |
| Language | Python | Python | Python |
| Setup difficulty | hard | moderate | easy |
| Complexity | 4/5 | 3/5 | 1/5 |
| Audience | developer | developer | vibe coder |
Figures from each repo's GitHub metadata at analysis time.
Reproducing the analysis needs Docker and the original malware sample, which is not included.
This repository is a security researcher's writeup of a real malware campaign, not the malware itself. It documents a Rust based infostealer that targeted Apple computers, delivered through a fake job interview scam on the hiring platform Wellfound, formerly known as AngelList. An attacker using the name Felix and posing as a company called HyperHive contacted job applicants, built trust over several emails, then asked them to check a diagnostics log in a fake product, which actually ran a hidden command that downloaded and executed the malware. The repository walks through how the researcher took the captured program apart. Using an isolated, network disabled Docker lab and emulation tools, they recovered all 571 encrypted configuration values hidden inside the roughly 8.5 megabyte program, including the command and control server addresses it phones home to, a debugging service identifier that helped tie the malware to its operators, and a list of 276 Chrome browser extensions it specifically looks for, mostly cryptocurrency wallets and password managers. Based on the techniques used, the researcher attributes the campaign to a group associated with North Korea's so called Contagious Interview operation, which is known for using fake job offers to trick developers into running malware. The findings are organized as several standard threat intelligence file formats: a plain text list of indicators of compromise, detection rules in the YARA and Sigma formats that defenders can load into their own security tools, a structured STIX 2.1 bundle, and a layer file for the MITRE ATT&CK Navigator tool that maps the malware's behavior to known attack techniques. The project is written mostly in Python, covers the researcher's full analysis methodology from initial discovery through decryption, and is released under the MIT license so that other defenders can freely reuse the detection rules and indicators. The full README is longer than what was shown.
A researcher's full writeup and detection rules for a Mac targeting infostealer delivered through a fake job interview scam.
Mainly Python. The stack also includes Python, Docker, YARA.
Use freely for any purpose, including commercial use, as long as you keep the copyright notice.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.