Seqrite Labs Exposes Sophisticated GrassCall Cyber Campaign Targeting Global Cryptocurrency Job Seekers

Seqrite, the enterprise security arm of Quick Heal Technologies, a global provider of cybersecurity solutions, is conducting critical research into the GrassCall malware campaign, a highly coordinated cybercriminal operation masquerading as legitimate job recruitment in the cryptocurrency sector. The ongoing investigation by researchers at Seqrite Labs, India’s largest malware analysis facility, has exposed the infrastructure and social engineering tactics of a Russian-speaking cybercrime syndicate known as “Crazy Evil”, which has stolen millions from victims through fake job interviews and AI-enhanced malware.

The GrassCall campaign capitalizes on the rapidly expanding cryptocurrency job market by creating fake companies such as “ChainSeeker.io” to post deceptive job listings on platforms like LinkedIn and Crypto Jobs List. Victims engaging with these listings are funneled into Telegram conversations with actors posing as corporate executives, who then deploy malware disguised as video conferencing software. The malicious payload, identified as the Rhadamanthys information stealer, enables attackers to drain cryptocurrency wallets, with individual losses exceeding $100,000 in high-profile cases.

The research identified “Crazy Evil” as a structured criminal enterprise operating since 2021, comprising six specialized subgroups targeting digital assets across industries. The group’s “kevland” unit orchestrates GrassCall operations, leveraging a network of social engineering experts called “traffers” to redirect victims to phishing pages. With over 3,000 followers on its public Telegram channel, the organization has generated an estimated $5 million through phishing scams, offering mentorship programs to train novice cybercriminals in deploying Fully Undetectable malware.

The campaign begins with the creation of fraudulent corporate personas featuring professional websites and social media profiles. Job seekers responding to the ads are redirected to Telegram, where impersonated executives schedule interviews via Calendly and distribute malware under the guise of a proprietary video conferencing tool, initially branded as GrassCall and recently rebranded as VibeCall. The lure adapts to the victim's operating system, delivering Rhadamanthys on Windows and the Atomic macOS Stealer (AMOS) on Apple systems. Technical analysis revealed that the Windows variant disables Microsoft Defender via PowerShell commands before the stealer runs, while the macOS version extracts credentials and browser data.
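Because the Windows chain relies on switching Defender off through PowerShell, a quick host triage for that tampering is the check a responder would want first. The script below is an added example written for this article and is not Seqrite's code or any artifact of the campaign; the cmdlets and Defender event IDs it uses are Microsoft's documented ones, but the article does not state which exact commands the dropper issues, so the Set-MpPreference / Add-MpPreference patterns it searches for are an assumption about the usual tampering commands, and the "broad exclusion path" heuristic is an illustrative rule of thumb rather than a tested detection.

```powershell
# Added triage script (not Seqrite's code): audit a Windows host for Defender tampering
# of the kind described above. Run elevated; script block logging (event 4104) must be
# enabled for step 4 to return anything.

$findings = @()
$since = (Get-Date).AddDays(-7)   # look-back window: assumption, adjust as needed

# 1. Current Defender state: real-time protection and tamper protection should be on.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is OFF' }
if (-not $status.IsTamperProtected)        { $findings += 'Tamper protection is OFF' }

# 2. Preferences an attacker typically flips: monitoring disabled, broad path exclusions.
$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) { $findings += 'DisableRealtimeMonitoring = True' }
foreach ($p in $pref.ExclusionPath) {
    # Heuristic (assumption): a drive root, a whole Users tree, Temp or AppData is not a
    # normal exclusion; legitimate ones are narrow and application specific.
    if ($p -match '^[A-Za-z]:\\?$|\\Users\\?$|\\Temp\\?$|AppData') {
        $findings += "Broad exclusion path: $p"
    }
}

# 3. Defender operational log. Documented IDs: 5001 = real-time protection disabled,
#    5007 = platform configuration changed, 5010/5012 = malware/virus scanning disabled.
$defEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007, 5010, 5012
    StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $defEvents) {
    $firstLine = ($e.Message -split "`n")[0]
    $findings += ('Defender event {0} at {1}: {2}' -f $e.Id, $e.TimeCreated, $firstLine)
}

# 4. PowerShell script block logging (event 4104): any block that touches Defender
#    preferences inside the same window is worth pulling in full.
$psEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $psEvents) {
    if ($e.Message -match 'Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring|ExclusionPath') {
        $firstLine = ($e.Message -split "`n")[0]
        $findings += ('PowerShell 4104 at {0}: {1}' -f $e.TimeCreated, $firstLine)
    }
}

if ($findings.Count -eq 0) { 'No Defender tampering indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit in step 3 or 4 with a timestamp shortly after the "video conferencing" installer was run is the correlation to look for; a 5001 event on its own can also be produced by an administrator, so pair it with the 4104 script block and the process that executed it before calling it an intrusion.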

Notably, the latest Rhadamanthys variant integrates AI-powered optical character recognition to scan the device for images containing cryptocurrency seed phrases, so recovery phrases that victims stored as screenshots or photos rather than text are harvested as well. This innovation, coupled with the group's shift to the VibeCall brand, demonstrates their agility in evading detection while maintaining operational continuity. Since early 2025, hundreds of victims across the U.S., EU, and Asia-Pacific regions have reported compromised devices and drained wallets. The stolen data is monetized through Telegram channels operated by Crazy Evil, where affiliates receive payments proportional to the value of the stolen assets. High-value targets have yielded payouts exceeding $500,000 per breach, incentivizing the group's expanding network of traffers.

To counter such threats, Seqrite advises job seekers and enterprises to adopt multilayered security practices. Individuals should rigorously verify job postings by cross-referencing company details across official registries and direct communication channels. Suspicion is warranted toward recruiters who insist on non-standard software downloads for interviews, as legitimate firms typically use established platforms such as Zoom or Microsoft Teams. Enabling hardware-based multi-factor authentication for cryptocurrency exchanges and wallet services mitigates credential theft; note, however, that MFA does not protect a seed phrase that is already on the disk, so recovery phrases should be kept off internet-connected devices and never stored as screenshots. Organizations are urged to deploy endpoint protection solutions with behavioral analytics, such as Seqrite's suite of advanced security solutions powered by malware-hunting GoDeep.AI technology, which actively blocks GrassCall variants like Trojan.GrassCallCiR and associated malware payloads.
