TempMail Ninja

Social Engineering Trap: The ‘Feel Free to Look for Backdoors’ Job Scam


The digital age has produced a new evolution of the classic con, one whose marks are not the technologically illiterate but the architects of the technology itself. Within the last 48 hours a case study has gripped the developer community, centred on a social engineering trap crafted carefully enough to get past the natural skepticism of a seasoned professional. Serbian developer Boris Vujičić, whose name is now attached to a new style of "vishing" (voice phishing) combined with supply-chain weaponization, fell victim to a group known as "HexagonalRodent." The attack, which unfolded during a live-camera technical interview, is a case study in psychological manipulation, and it ended with the exfiltration of 634 Chrome passwords and a MetaMask wallet in 56 seconds.

The Genesis of the Genusix Labs Social Engineering Trap

The assault began with the hallmark of modern high-value targeting: a “beautifully written” job offer. Vujičić was approached via LinkedIn by a recruiter representing Genusix Labs, a purported blockchain firm. In an industry where specialized talent is often headhunted with lucrative packages, the offer was enticing but not so extravagant as to trigger immediate red flags. The scammers spent days cultivating a professional rapport, utilizing polished corporate identities and industry-specific jargon that signaled legitimacy.

The sophistication of this social engineering trap lay in its performative transparency. During the technical phase of the hiring process, the threat actors engaged Vujičić in a live video call—a tactic designed to humanize the attackers and lower the victim’s cognitive defenses. By presenting “real” faces and engaging in collaborative coding discussions, HexagonalRodent exploited the “professional trust” heuristic that governs the tech industry’s hiring culture.

The Psychology of the “Backdoor” Dare

Perhaps the most brilliant—and most dangerous—aspect of the Genusix Labs encounter was the “Reverse Psychology” maneuver. During the interview, as Vujičić was invited to run a coding test to demonstrate his proficiency, the interviewer jokingly remarked, “Feel free to look for backdoors; we like candidates who are thorough.”

This statement was a psychological surgical strike. By explicitly inviting the developer to audit the code, the attackers projected an aura of extreme confidence and honesty. It weaponized the “Geek Guard”—the pride developers take in their ability to spot malicious patterns. When a developer is dared to find a flaw, their focus often narrows to the obvious, high-level code, leaving the deeper, more obscure layers of the environment unexamined. It is a classic misdirection, akin to a stage magician pointing at his right hand while the left prepares the trick.

Technical Breakdown: The Weaponization of `camdriver.sh`

The malware delivery was not a simple script or a suspicious executable. Instead, it was a sophisticated supply-chain attack hidden within the “dependency of a dependency.” The interviewers provided a GitHub repository or a compressed package for the coding challenge. While the top-level code appeared benign, the malicious payload was buried several layers deep within the node_modules or a similar package management directory.

  • The File: `camdriver.sh`
  • The Location: Tucked inside a temporary camera folder, ostensibly for the “video interview integration” component of the test.
  • The Trigger: npm runs a package's preinstall, install and postinstall lifecycle scripts automatically during `npm install`, for every package in the tree including transitive dependencies, so the payload fired the moment the developer installed the challenge (or ran its custom test-runner command), before he had looked at any of the code he was invited to audit. Passing `--ignore-scripts` to `npm install` disables those hooks and is the single cheapest precaution here.

What makes `camdriver.sh` particularly dangerous is its multi-stage execution flow. Researchers analysing the HexagonalRodent campaign note that the script first profiles the host using only built-in utilities, a living-off-the-land approach that drops no new binary for endpoint tooling to flag: it checks the operating system and CPU architecture to confirm it is running on macOS, and looks for analysis tooling that would suggest a sandbox or a security researcher's machine, before anything malicious is fetched.
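
The check a candidate should run before `npm install`, as an added example (this is not code from the article or from the HexagonalRodent campaign): walk the unpacked challenge, list every lifecycle hook in every `package.json` in the tree, flag hooks that spawn shells, interpreters or downloaders, and list every shell script hidden anywhere under `node_modules`. The sample tree built by `build_sample_tree()` is constructed for this example; the package names `ui-kit` and `cam-helper` are made up, and only the file name `camdriver.sh` comes from the article.

```python
"""Added example, not code from the article or from the HexagonalRodent
campaign: audit an unpacked coding-challenge repository for npm lifecycle
hooks and shell scripts hidden anywhere in its dependency tree BEFORE running
`npm install`. The sample tree in build_sample_tree() is constructed for this
example; its package names are made up, and only `camdriver.sh` comes from
the article."""
import json
import os
import re
import tempfile

# npm runs these automatically during `npm install`, for every package in the
# tree including transitive dependencies, unless --ignore-scripts is given.
# `prepare` also runs for the root package and for git dependencies.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Things an install hook of a coding challenge has no business doing: spawning
# a shell or interpreter, fetching from the network, decoding blobs, or
# running a .sh file at all.
SUSPICIOUS_CMD = re.compile(
    r"\b(sh|bash|zsh|curl|wget|python3?|osascript)\b|node\s+-e|base64|\.sh\b"
)
SHELL_SHEBANG = re.compile(rb"^#!.*\b(sh|bash|zsh)\b")


def find_lifecycle_hooks(root):
    """Every lifecycle hook in the tree as a dict with the manifest path
    (relative to root), hook name, command and a `suspicious` flag."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        manifest = os.path.join(dirpath, "package.json")
        try:
            with open(manifest, encoding="utf-8") as fh:
                scripts = json.load(fh).get("scripts") or {}
        except (OSError, ValueError):
            continue  # not a readable manifest; nothing npm would run from it
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                cmd = str(scripts[hook])
                findings.append({
                    "manifest": os.path.relpath(manifest, root),
                    "hook": hook,
                    "command": cmd,
                    "suspicious": bool(SUSPICIOUS_CMD.search(cmd)),
                })
    return findings


def find_shell_scripts(root):
    """Paths (relative to root) of every .sh file, or file with a sh/bash/zsh
    shebang, in the tree. JavaScript packages rarely need one, and a shell
    script under a directory like tmp/ or cam/ deserves a read before install."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".sh"):
                hits.append(os.path.relpath(full, root))
                continue
            try:
                with open(full, "rb") as fh:
                    first_line = fh.readline(200)
            except OSError:
                continue
            if SHELL_SHEBANG.match(first_line):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def audit(root):
    """Combine both checks; `safe_to_install` is False if anything looks off."""
    hooks = find_lifecycle_hooks(root)
    scripts = find_shell_scripts(root)
    return {
        "hooks": hooks,
        "shell_scripts": scripts,
        "safe_to_install": not scripts and not any(h["suspicious"] for h in hooks),
    }


def build_sample_tree():
    """Constructed sample: a benign top-level challenge whose dependency
    'ui-kit' pulls in 'cam-helper' (both made-up names), which carries a
    postinstall hook that runs a shell script two levels down."""
    root = tempfile.mkdtemp(prefix="challenge-")

    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)

    write("package.json", json.dumps(
        {"name": "coding-challenge", "scripts": {"test": "jest"}}))
    write("node_modules/ui-kit/package.json", json.dumps(
        {"name": "ui-kit", "scripts": {"build": "tsc"}}))
    write("node_modules/ui-kit/node_modules/cam-helper/package.json", json.dumps(
        {"name": "cam-helper",
         "scripts": {"postinstall": "sh ./tmp/cam/camdriver.sh"}}))
    # Stand-in body; the real script is not reproduced here.
    write("node_modules/ui-kit/node_modules/cam-helper/tmp/cam/camdriver.sh",
          "#!/bin/sh\nuname -sm\n")
    return root


if __name__ == "__main__":
    report = audit(build_sample_tree())
    for h in report["hooks"]:
        flag = "SUSPICIOUS" if h["suspicious"] else "ok"
        print(f"[{flag}] {h['manifest']}: {h['hook']} -> {h['command']}")
    for s in report["shell_scripts"]:
        print(f"[shell script] {s}")
    print("safe to install:", report["safe_to_install"])
```

Run it against a freshly cloned or unzipped challenge before anything else, ideally inside the throwaway VM the later section recommends. A clean result is not proof of safety (the top-level test command can do just as much damage as an install hook), but a non-empty `shell_scripts` list or a flagged `postinstall` in a transitive dependency is exactly the "dependency of a dependency" pattern described above.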

The 56-Second Blitz

Once the social engineering trap was sprung and the script executed, the efficiency of the exfiltration was breathtaking. Within less than a minute, the following sequence occurred:

  1. Credential Harvesting: The script read Google Chrome's `Login Data` SQLite database. The passwords in it are encrypted with a key the browser keeps outside the database (on macOS, the "Chrome Safe Storage" item in the user's login keychain; on Windows, a DPAPI-protected key in the `Local State` file), so the script obtained that key and decrypted the 634 stored passwords.
  2. Crypto Asset Seizure: The malware searched the browser's extension storage for the MetaMask vault and exfiltrated the LevelDB `.ldb` and `.log` files that hold it. The vault is encrypted with the wallet password, so the files do not yield keys directly; they let the attackers brute-force that password offline, at their leisure, and then recover the seed phrase and private keys.
  3. Persistent Foothold: `camdriver.sh` fetched a secondary Go-based backdoor from a remote C2 (command and control) server and registered it as a Launch Agent, a per-user plist under `~/Library/LaunchAgents` that launchd starts at every login, giving persistence across reboots. A "hidden" agent in this context typically means a dot-prefixed plist or a label that imitates a system component.

By the time Vujičić had finished his initial coding task, his entire digital identity had been duplicated and sent to a remote server. The interviewers ended the call shortly after, ostensibly to “review the results,” leaving the victim unaware of the breach until his crypto-wallet was drained hours later.
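
Step 3 above is the one a victim can still catch after the fact, so here is the check for it as an added example (not code from the article or from the campaign's tooling): parse every plist in a LaunchAgents directory with the standard library's `plistlib` and report agents that run a program from a temporary or hidden location, hide behind a dot-prefixed filename, or launch a shell with an inline command. The three sample agents built by `build_sample_agents()` are constructed for this example; their labels and paths are made up.

```python
"""Added example, not code from the article or from the campaign's tooling:
audit a LaunchAgents directory for the persistence pattern described above,
an agent that launchd starts at every login and that runs a program from a
temporary, hidden or otherwise unusual location. plistlib parses both XML
and binary plists. The sample agents in build_sample_agents() are
constructed; their labels and paths are made up."""
import os
import plistlib
import tempfile

# Locations a vendor-installed agent should never execute from.
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/tmp/",
             "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript",
                "node", "perl"}


def hidden_segment(path):
    """True if any directory or file in the path is dot-prefixed (not . or ..)."""
    return any(seg.startswith(".") and seg not in (".", "..")
               for seg in path.split("/"))


def inspect_agent(filename, agent):
    """Return (reasons, persistent): reasons is the list of things that make
    this agent look like malware persistence (empty for a normal agent);
    persistent says whether launchd would start it at login or restart it."""
    argv = [str(a) for a in agent.get("ProgramArguments") or []]
    program = str(agent.get("Program") or (argv[0] if argv else ""))
    reasons = []
    if filename.startswith("."):
        reasons.append("dot-prefixed plist filename (hidden from Finder and ls)")
    if program.startswith(TEMP_DIRS):
        reasons.append(f"program runs from a temporary location: {program}")
    for token in [program] + argv:
        if "/" in token and hidden_segment(token):
            reasons.append(f"hidden path: {token}")
            break
    if os.path.basename(program) in INTERPRETERS and ("-c" in argv or "-e" in argv):
        reasons.append("interpreter launched with an inline command")
    persistent = bool(agent.get("RunAtLoad")) or bool(agent.get("KeepAlive"))
    return reasons, persistent


def audit_launch_agents(directory):
    """Scan every .plist in `directory`; report only the suspicious ones."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                agent = plistlib.load(fh)
        except Exception as exc:  # a plist launchd cannot parse deserves a look too
            findings.append({"file": name, "label": None,
                             "reasons": [f"unparseable: {exc}"], "persistent": False})
            continue
        if not isinstance(agent, dict):
            findings.append({"file": name, "label": None,
                             "reasons": ["top-level value is not a dictionary"],
                             "persistent": False})
            continue
        reasons, persistent = inspect_agent(name, agent)
        if reasons:
            findings.append({"file": name, "label": agent.get("Label"),
                             "reasons": reasons, "persistent": persistent})
    return findings


def build_sample_agents():
    """Constructed sample: one ordinary vendor updater, one agent hiding a
    shell one-liner behind a dot-prefixed filename, and one that runs a
    binary out of /private/tmp and restarts itself if killed."""
    directory = tempfile.mkdtemp(prefix="LaunchAgents-")
    samples = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "Program": "/Applications/Example.app/Contents/MacOS/updater",
            "RunAtLoad": True,
        },
        ".com.system.camdriver.plist": {  # made-up label imitating a system component
            "Label": "com.system.camdriver",
            "ProgramArguments": ["/bin/sh", "-c", "/Users/dev/.cache/.cam/camdriver"],
            "RunAtLoad": True,
        },
        "com.cache.helper.plist": {
            "Label": "com.cache.helper",
            "ProgramArguments": ["/private/tmp/.helper/agent", "--daemon"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for name, payload in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(payload, fh)
    return directory


if __name__ == "__main__":
    for f in audit_launch_agents(build_sample_agents()):
        tag = "persistent" if f["persistent"] else "one-shot"
        print(f"{f['file']} ({f['label']}, {tag}): " + "; ".join(f["reasons"]))
```

On a real machine point `audit_launch_agents` at `~/Library/LaunchAgents` and, with elevated rights, at `/Library/LaunchAgents` and `/Library/LaunchDaemons`; `launchctl list` shows what is actually loaded, which is worth comparing with the files on disk. The heuristics are deliberately narrow so that ordinary vendor agents are not reported; a backdoor that copies itself into `~/Library/Application Support/<plausible name>/` would need the extra step of checking code signatures on the target binary.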

Who is HexagonalRodent?

Cybersecurity firms have linked HexagonalRodent (tracked as Expel-TA-0001) to the broader Lazarus hacking ecosystem, a state-sponsored threat group associated with the Democratic People’s Republic of Korea (DPRK). This group has shifted its focus from central bank heists to the direct targeting of individual developers in the Web3 and DeFi sectors.

HexagonalRodent’s methodology is characterized by high-touch social engineering. Unlike traditional phishing campaigns that cast a wide net, this group spends weeks targeting a single developer. They utilize a diverse range of C2 infrastructures, often masking their traffic by routing it through legitimate platforms such as Discord, Slack, and Microsoft Outlook. This makes their exfiltration traffic appear like standard corporate communications, bypassing most network-level anomaly detection.

The “Contagious Interview” Precedent

The Genusix Labs incident is an evolution of the campaign security researchers dubbed “Contagious Interview.” Earlier versions relied on malicious PDF job descriptions or simple backdoored applications. The 2026 iteration shows a much deeper understanding of the developer’s workflow: by hiding the malware in the “dependency of a dependency,” it exploits the trust developers extend to modern package managers such as NPM, PyPI and Cargo, all of which will run package-supplied install hooks or build scripts on the developer’s machine.

How to Defuse the Social Engineering Trap

The Vujičić case has sent a shockwave through the “geek guard.” It proves that technical knowledge is no longer a shield against psychological manipulation. To counter such a sophisticated social engineering trap, developers and firms must adopt a “Zero Trust” approach to the hiring process.

  • Isolated Interview Environments: Never run code provided by a prospective employer on your primary machine. Use a throwaway virtual machine or a disposable cloud IDE (GitHub Codespaces, for example) that holds none of your real credentials, and discard it afterwards. “Isolated” here means no access to your keychain, browser profile, SSH keys or wallets; the environment still needs network access to install dependencies, so an air-gapped box is not the right model. Note that a Codespace launched from your own GitHub account carries a token for that account, so use a secondary account or a scope-limited token for interview work.
  • Audit the Audit: If a recruiter “dares” you to look for backdoors, treat it as a red flag rather than a compliment. A real review of a dependency tree means reading every install hook and every script under node_modules, which takes hours of focused work, not a glance during a live call.
  • Verify the Firm: Genusix Labs was a ghost entity. Developers should use tools like WHOIS to check domain age and verify the LinkedIn profiles of every interviewer. A company with no historical footprint and high-end hiring needs is likely a front.
  • Credential Hardening: Use hardware security keys or passkeys where accounts support them, and keep secrets in a password manager that locks independently of the browser rather than in the browser’s own store. An infostealer such as `camdriver.sh` can only harvest what the browser is able to decrypt on the user’s behalf, so the less that is, the less it gets. This is a mitigation, not a complete defense: anything the browser can read while unlocked, a script running as the same user can read too.

The Future of High-Stakes Vishing

As we move deeper into 2026, the social engineering trap will only become more convincing. The rise of AI-generated deepfakes means that the “live-camera interview” will soon no longer be a reliable proof of identity. We are entering an era where the most dangerous code is not written in Python or C++, but in the scripts of the human mind.

The story of Boris Vujičić is not just a cautionary tale for those in the blockchain space; it is a wake-up call for the entire global tech workforce. When the very tools we use to build the future—GitHub, NPM, video conferencing—are weaponized against us, the only defense is a radical shift in how we perceive professional trust. In the high-stakes game of digital espionage, the most expensive mistake a developer can make is believing they are too smart to be fooled.

HexagonalRodent has proved that for the modern hacker, the path of least resistance is not a firewall—it is the hubris of the target.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.