https://sperixlabs.org/tags/recruitment-scams/Recent content in Recruitment Scams on SPERIXLABSHugoen-usSPERIXLABSTue, 19 May 2026 00:00:00 +0000https://sperixlabs.org/post/2026/05/fake-recruitment-remote-json-payloads-and-function-inliner-malware-analysis/Tue, 19 May 2026 00:00:00 +0000https://sperixlabs.org/post/2026/05/fake-recruitment-remote-json-payloads-and-function-inliner-malware-analysis/<p>Recruiters who ask you to clone a repository and run setup scripts are not always recruiters. One common pattern is remote configuration: staged JavaScript arrives as JSON from a paste-style host, heavily obfuscated, then executes in a local Node environment with full access to the machine.</p> <p>This walkthrough covers two related samples (<code>payload.json</code> at 69,459 bytes and <code>payload_2.json</code> at 20,461 bytes), where they were fetched from, how to pull them safely for study, and what static analysis suggests they do: function-inliner obfuscation, persistence, browser credential targeting, and HTTP callback traffic.</p>