
Fake FCI job ads used as bait for Xelera ransomware in India


A malicious campaign has been discovered that targets job seekers applying for technical roles at the Food Corporation of India (FCI), using fake job descriptions as bait. The scheme delivers a Python-based ransomware variant called Xelera, bundled with PyInstaller so that the scripts and their interpreter run on the victim's machine without Python having to be installed.

Researchers identified the campaign on January 18, 2025, through a document uploaded to VirusTotal. The document, named 'FCEI-job-notification.doc', masquerades as an official FCI notification.

When opened, it starts a chain of malware execution that ends in ransomware deployment. Analysis revealed malicious content embedded in the document's OLE streams. On extraction, researchers found a PyInstaller-based executable (jobnotification2025.exe) containing the Python scripts responsible for the ransomware and the other malicious activity.

The attack begins with a seemingly legitimate document detailing job vacancies, age limits, educational qualifications and the recruitment process. Hidden within its OLE streams, however, is a PE64 binary that, once extracted, starts the infection.
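The triage step a practitioner wants here is to find and carve that embedded PE64 binary without opening the document. The following is an added example, not code from the original article or from Seqrite: it scans a byte blob for an MZ stub, validates the PE signature at e_lfanew, reads the COFF machine type to tell PE64 (x64) from PE32, and computes the on-disk size from the section table so the binary can be carved for sandboxing. The OLE-style document blob and the minimal PE64 inside it are constructed inline for the example; real OLE streams would first be extracted with a tool such as olefile, which this example does not need.

```python
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664   # PE64 / x64
IMAGE_FILE_MACHINE_I386 = 0x014C    # PE32 / x86
COFF_HEADER_SIZE = 24               # "PE\0\0" signature + 20-byte file header
SECTION_HEADER_SIZE = 40


def parse_pe_at(blob: bytes, pos: int):
    """Validate a PE header at blob[pos]; return offset/arch/size/data or None."""
    if pos + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
    pe = pos + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + COFF_HEADER_SIZE > len(blob):
        return None
    if blob[pe:pe + 4] != b"PE\0\0":
        return None
    # File header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    if nsections == 0 or nsections > 96:
        return None
    # On-disk size = end of the last section's raw data (any overlay is ignored).
    table = pe + COFF_HEADER_SIZE + opt_size
    end = 0
    for i in range(nsections):
        hdr = table + i * SECTION_HEADER_SIZE
        if hdr + SECTION_HEADER_SIZE > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    if end == 0 or pos + end > len(blob):
        return None
    arch = {IMAGE_FILE_MACHINE_AMD64: "PE64 (x64)",
            IMAGE_FILE_MACHINE_I386: "PE32 (x86)"}.get(machine, f"unknown machine 0x{machine:04x}")
    return {"offset": pos, "machine": machine, "arch": arch, "size": end, "data": blob[pos:pos + end]}


def find_embedded_pe(blob: bytes):
    """Return every valid PE image embedded anywhere in blob (e.g. an extracted OLE stream)."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        hit = parse_pe_at(blob, pos)
        if hit:
            hits.append(hit)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def build_fake_pe64(section_bytes: bytes = b"\x90" * 0x200) -> bytes:
    """Constructed minimal PE64 (one .text section) used only as sample input."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ optional-header magic
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                       len(section_bytes), 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return header + section_bytes


# Constructed stand-in for a malicious document: OLE2 magic, some notification text,
# then the embedded PE64 at offset 8 + 0x100 = 264.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    + b"FCI recruitment notification 2025: age limit, qualifications, process".ljust(0x100, b"\0")
    + build_fake_pe64()
    + b"\0" * 0x80
)

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_DOC):
        print(f"embedded {hit['arch']} at offset {hit['offset']}, {hit['size']} bytes")
```

Carve `hit["data"]` to disk and hand it to a sandbox or to the PyInstaller check; never run it. Hits whose section table runs past the end of the blob are dropped rather than partially carved, which avoids mistaking a stray "MZ" in document text for a binary.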

[Image] Fake and malicious FCI job recruitment post. | Source: Seqrite

The second stage is the execution of the PyInstaller-based file, which bundles compiled Python scripts such as 'mainscript.pyc'. These scripts, together with bundled modules such as psutil, aiohttp and asyncio, point to system-monitoring and network-communication functionality.
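Confirming that a carved executable is a PyInstaller bundle, and listing what it carries, is the next triage step. This is an added example, not code from the article or from Seqrite: it locates the PyInstaller archive cookie by its 8-byte magic, reads the package length, table-of-contents offset and Python version from the cookie, and walks the table of contents to list the bundled entries (type 's' marks a script such as mainscript). The archive parsed here is constructed inline, with made-up entry names and contents, and the parser assumes the PyInstaller 2.1+ cookie layout (the one carrying the Python library name); the 2.0 layout is not handled.

```python
import struct

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, python version, lib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)        # 88 bytes
TOC_ENTRY_FMT = "!IIIIBc"   # entry length, data offset, compressed len, uncompressed len, flag, type
TOC_ENTRY_HDR = struct.calcsize(TOC_ENTRY_FMT)   # 18 bytes, followed by the NUL-padded name


def parse_pyinstaller(data: bytes):
    """Return Python version, library name and TOC entries of a PyInstaller bundle, or None."""
    idx = data.rfind(PYINSTALLER_MAGIC)          # cookie sits at the end of the overlay
    if idx == -1 or idx + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, idx)
    pylib = pylib.split(b"\0", 1)[0].decode(errors="replace")
    if "python" not in pylib.lower():
        return None                               # not a 2.1+ style cookie (assumption: recent builds only)
    # pyver is e.g. 27, 38 or 312 -> "2.7", "3.8", "3.12"
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    overlay_pos = idx + COOKIE_SIZE - pkg_len      # TOC offset is relative to the overlay start
    toc_pos = overlay_pos + toc_off
    entries, parsed = [], 0
    while parsed < toc_len:
        at = toc_pos + parsed
        entry_len, off, clen, ulen, flag, typ = struct.unpack_from(TOC_ENTRY_FMT, data, at)
        if entry_len < TOC_ENTRY_HDR:
            break                                 # corrupt TOC; stop rather than loop forever
        name = data[at + TOC_ENTRY_HDR:at + entry_len].rstrip(b"\0").decode(errors="replace")
        entries.append({"name": name, "type": typ.decode(), "compressed": bool(flag),
                        "offset": off, "size": ulen})
        parsed += entry_len
    return {"python": f"{major}.{minor}", "pylib": pylib, "entries": entries}


def build_fake_archive(entries, pyver=312, pylib=b"python312.dll") -> bytes:
    """Constructed PyInstaller-style file: stub, payload blobs, TOC, cookie (sample input only)."""
    stub = b"MZ" + b"\0" * 62 + b"[bootloader stub bytes]"
    payload, toc = b"", b""
    for name, typ, blob in entries:
        name_bytes = name.encode() + b"\0"
        entry_len = (TOC_ENTRY_HDR + len(name_bytes) + 15) // 16 * 16   # entries are 16-byte aligned
        toc += struct.pack(TOC_ENTRY_FMT, entry_len, len(payload), len(blob), len(blob), 0, typ)
        toc += name_bytes.ljust(entry_len - TOC_ENTRY_HDR, b"\0")
        payload += blob
    pkg_len = len(payload) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, pkg_len, len(payload), len(toc), pyver, pylib)
    return stub + payload + toc + cookie


# Constructed entries: a script, a PYZ module archive and a bundled DLL (contents are placeholders).
SAMPLE_ENTRIES = [
    ("mainscript", b"s", b"import psutil, aiohttp, asyncio\n"),
    ("PYZ-00.pyz", b"z", b"PYZ\0placeholder"),
    ("python312.dll", b"b", b"placeholder dll bytes"),
]

if __name__ == "__main__":
    info = parse_pyinstaller(build_fake_archive(SAMPLE_ENTRIES))
    print(f"PyInstaller bundle, Python {info['python']} ({info['pylib']})")
    for e in info["entries"]:
        print(f"  [{e['type']}] {e['name']} ({e['size']} bytes)")
```

On a real sample the script entries are what you decompile: their `.pyc` bodies need the matching interpreter version, which is why the cookie's version field matters. Searching from the end of the file with `rfind` keeps the check working when a signature or extra overlay has been appended after the archive.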

Additional artefacts suggest that Xelera is part of a broader cyber campaign beyond ransomware deployment.

Once inside a system, the malware uses Discord as its command-and-control (C2) channel. A Discord bot gives the attackers control over the infected machine, allowing them to run commands that escalate privileges, steal credentials, exfiltrate files and disrupt the user.
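Discord C2 hides inside traffic that looks legitimate on most networks, so the detection that works is behavioural: which process is talking to Discord, and whether it authenticates as a bot. The block below is an added example, not from the article or from Seqrite; it runs a small rule set over constructed endpoint log lines (JSON with process, host, path and Authorization header, a format invented for this example) and flags Discord API traffic from processes outside an illustrative allowlist, bot-token authorization, and the bot gateway lookup that a bot client performs on startup. Seeing the Authorization header assumes TLS inspection or an endpoint agent; without it, only the process-to-host rule applies.

```python
import json

DISCORD_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg", "cdn.discordapp.com"}
# Illustrative allowlist of processes expected to reach Discord on a workstation; tune per environment.
EXPECTED_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample log (JSON lines); the two jobnotification2025.exe lines mimic a bot-based C2 client.
SAMPLE_LOG = """\
{"ts": "2025-01-18T10:01:02Z", "proc": "chrome.exe", "host": "discord.com", "path": "/api/v9/users/@me", "auth": ""}
{"ts": "2025-01-18T10:01:05Z", "proc": "Discord.exe", "host": "gateway.discord.gg", "path": "/", "auth": ""}
{"ts": "2025-01-18T10:02:11Z", "proc": "jobnotification2025.exe", "host": "discord.com", "path": "/api/v10/gateway/bot", "auth": "Bot REDACTED"}
{"ts": "2025-01-18T10:02:14Z", "proc": "jobnotification2025.exe", "host": "discord.com", "path": "/api/v10/channels/1/messages", "auth": "Bot REDACTED"}
{"ts": "2025-01-18T10:03:00Z", "proc": "outlook.exe", "host": "outlook.office.com", "path": "/owa/", "auth": ""}
"""


def inspect(event: dict) -> list:
    """Return the list of rule names an event trips (empty list means benign)."""
    host = event.get("host", "").lower()
    proc = event.get("proc", "").lower()
    path = event.get("path", "")
    auth = event.get("auth", "")
    reasons = []
    if host in DISCORD_HOSTS and proc not in EXPECTED_CLIENTS:
        reasons.append("discord-from-unexpected-process")
    if auth.startswith("Bot "):                     # bot tokens are prefixed "Bot "; user clients never send this
        reasons.append("bot-token-authorization")
    if host in DISCORD_HOSTS and path.startswith("/api/") and "/gateway/bot" in path:
        reasons.append("bot-gateway-lookup")        # bot libraries call this before opening the gateway
    return reasons


def detect(log_text: str) -> list:
    """Run inspect() over JSON log lines and return one alert per offending event."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = inspect(event)
        if reasons:
            alerts.append({"ts": event["ts"], "proc": event["proc"], "host": event["host"], "reasons": reasons})
    return alerts


def suspect_processes(alerts: list) -> list:
    """Distinct process names that generated alerts, for a follow-up hunt."""
    return sorted({a["proc"] for a in alerts})


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['proc']} -> {alert['host']}: {', '.join(alert['reasons'])}")
```

The process rule alone catches the sample here; the token and gateway rules add confidence and also catch a bot client that has injected into, or renamed itself as, an allowlisted browser.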

Researchers discovered that victims may experience system shutdowns, screen alterations, blocked mouse inputs, and continuous spam messages. The malware can also extract sensitive browser credentials from Chrome, Edge, and other browsers, compromising the victim’s data security.

Xelera does not rely on traditional file encryption; it disrupts the system in other ways. It kills the Windows Explorer process and prevents it from relaunching, and it corrupts the Master Boot Record (MBR), rendering the system unbootable.

[Image] The attack flow explained. | Source: Seqrite

The malware displays ransom notes and spam notifications while using text-to-speech to play ransom speeches in an endless loop. Researchers have also discovered that the attackers demand ransom payments in Litecoin, with at least 16 transactions traced back to their cryptocurrency wallet.

This campaign differs from conventional ransomware: instead of encrypting files, the malware locks users out of their systems while extracting credentials. The campaign remains active and specifically targets job seekers looking for FCI positions. Experts recommend that individuals remain cautious when downloading job-related documents and verify the source before opening such files. Organisations should also strengthen their defences to detect and block malware-laden documents before they reach potential victims.

“XELERA Ransomware has been identified which is a Python-based malware and is currently a very new operation which involves data and credential stealing along with deploying a ransomware, which is currently not performing any sort of encryption involving cryptography,” researchers concluded. “It is actively spreading and currently the above modus operandi is the primary one, which is used to drop the ransomware into various target machines.”

Recently, cybercriminals posed as recruiters on LinkedIn to deploy info stealers.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
