
LinkedIn Scams Surge Across Africa: Fake Job Offers Hiding Malware

LinkedIn is now a cyber battlefield. Fake recruiters are spreading macOS malware like COVERTCATCH across Africa. Learn how the scam works, see real victim cases, and get defense steps from The Birdling, Africa’s top threat-intel team.

Precious Chizurum

September 5, 2025

Phishing & Social Engineering

Your Next Job Offer Could Be a Trojan Horse.

LinkedIn has long been the digital gateway to professional opportunity. But in 2025, it’s also becoming a gateway for cybercriminals. Across Africa, a dangerous trend is accelerating: social engineering attacks disguised as job offers, recruiter outreach, and freelance opportunities. These attacks are no longer isolated incidents; they are widespread, weaponized, and increasingly successful.

Across Africa, attackers are exploiting trust, ambition, and the platform’s professional veneer to deliver malware, steal credentials, and infiltrate corporate networks. And they’re doing it with alarming sophistication.

Recent campaigns, some linked to state-sponsored actors, have weaponized LinkedIn’s messaging and job-posting features to deliver COVERTCATCH, a new macOS-focused malware strain. Here’s how it works:

  1. A fake recruiter sends a personalized message offering a high-paying remote job or freelance gig.

  2. The attacker references the victim’s GitHub, past employers, or even mutual connections to appear legitimate.

  3. The victim is asked to complete a “coding challenge” or download a PDF job description. The file contains malware like COVERTCATCH or RustBucket.

  4. Once executed, the malware establishes persistence, steals credentials, and pivots to cloud environments or crypto wallets.

These attacks are part of broader campaigns such as Operation Dream Job and Contagious Interview, which have now expanded their targeting to include African developers, fintech engineers, and remote workers.

(Image credit: THN - The Hacker News)

Why Now?

Africa’s booming digital economy, mobile-first infrastructure, and growing tech talent pool make it an attractive target. But most importantly, many African organizations remain underprepared.

  • Nigeria alone faced 6.5 million cyber threats in the first half of 2025, with 28.6% of users encountering malware via USB, email, or fake installers.

  • South Africa leads the continent in ransomware incidents, with 40% of all African ransomware attacks targeting the country.

  • Phishing remains the top attack vector, accounting for 34% of all cyberattacks across Africa.

What’s worse: AI-powered phishing and deepfake voice scams are now being used to impersonate CEOs and HR managers, making these attacks nearly indistinguishable from legitimate outreach.

The “DevOps Manager” Who Wasn’t

In July 2025, a Kenyan fintech startup lost $120,000 after a senior engineer was targeted via LinkedIn. The attacker posed as a recruiter from a Dubai-based crypto exchange and offered a remote DevOps role with a $180,000 salary.

The engineer downloaded a “technical assessment” file that contained COVERTCATCH. Within hours, the attackers:

  • Gained access to the company’s AWS infrastructure

  • Stole private keys from a password manager

  • Transferred USDC and ETH from the company’s hot wallet

The attack was only discovered when the engineer’s LinkedIn account began sending the same job offer to his connections—a classic sign of account hijacking.

What Organizations Must Do Now

✅ For Security Teams

  • Disable USB auto-run and enforce application whitelisting.

  • Monitor for unusual login patterns, especially from new devices or geolocations.

  • Use EDR tools to detect macOS malware like COVERTCATCH and RustBucket.

  • Segment developer environments from production systems.
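The second recommendation above, monitoring for logins from new devices or geolocations, is the control that would have surfaced the Kenyan case far earlier than a hijacked LinkedIn account did. The following is an added example, not The Birdling’s tooling: it learns a per-user baseline of devices and countries over an initial window and then flags any successful login that deviates from it, refusing to fold flagged logins into the baseline until an analyst has reviewed them. The log format, usernames, device ids and countries are constructed for the example; real sources (an identity provider’s audit log, AWS CloudTrail ConsoleLogin events) carry equivalent fields.

```python
"""Flag successful logins from previously unseen devices or countries.

Added example for this article; not The Birdling's or any vendor's code.
The log format is constructed and hypothetical: one event per line with
an ISO-8601 timestamp followed by key=value fields.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The first lines establish each user's normal
# pattern; the 2025-07-14 lines model the situation the article describes,
# a compromised engineer's credentials used from an unknown device abroad.
SAMPLE_LOG = """\
2025-07-01T08:02:11Z user=amara.k device=mbp-amara-01 country=KE result=success
2025-07-01T09:15:40Z user=amara.k device=mbp-amara-01 country=KE result=success
2025-07-02T08:05:03Z user=amara.k device=mbp-amara-01 country=KE result=success
2025-07-02T10:12:55Z user=tunde.o device=tp-tunde-02 country=NG result=success
2025-07-03T08:00:19Z user=amara.k device=mbp-amara-01 country=KE result=success
2025-07-14T02:41:07Z user=amara.k device=win-unknown-77 country=XX result=success
2025-07-14T02:43:22Z user=amara.k device=win-unknown-77 country=XX result=success
2025-07-14T03:10:00Z user=tunde.o device=tp-tunde-02 country=NG result=failure
"""


def parse_line(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_anomalous_logins(log_text, baseline_days=7):
    """Return a list of (event, reasons) for logins that deviate from baseline.

    For each user, every successful login within `baseline_days` of that
    user's first login is treated as learning data. After the window, a
    successful login from a device or country not in the baseline is
    reported, and it is NOT added to the baseline: an attacker's first
    login must not silently become "normal" for the next one.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    first_seen = {}                 # user -> timestamp of first login
    devices = defaultdict(set)      # user -> known device ids
    countries = defaultdict(set)    # user -> known country codes
    alerts = []

    for event in events:
        if event.get("result") != "success":
            continue                # failed attempts do not shape the baseline
        user = event["user"]
        first_seen.setdefault(user, event["ts"])
        learning = (event["ts"] - first_seen[user]).days < baseline_days

        reasons = []
        if not learning:
            if event["device"] not in devices[user]:
                reasons.append("new device")
            if event["country"] not in countries[user]:
                reasons.append("new country")

        if reasons:
            alerts.append((event, reasons))
        else:
            devices[user].add(event["device"])
            countries[user].add(event["country"])
    return alerts


if __name__ == "__main__":
    for event, reasons in find_anomalous_logins(SAMPLE_LOG):
        print(f"{event['ts'].isoformat()} {event['user']} "
              f"device={event['device']} country={event['country']}: "
              + ", ".join(reasons))
```

Two design choices matter here. The learning window is per user rather than global, so a new hire’s first week does not generate noise and a long-tenured account is judged against its own history. And a flagged login is excluded from the baseline: in the article’s scenario the attackers were active for hours, and letting the first foreign login teach the detector would have made the second one look legitimate.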

✅ For HR and Recruitment

  • Verify recruiter identities before engaging—especially if they use free email domains or refuse video calls.

  • Never ask candidates to download .exe, .zip, or .dmg files as part of assessments.

  • Use sandboxed environments for technical tests.

✅ For Employees and Freelancers

  • Never download files from LinkedIn messages—even if the sender appears legitimate.

  • Enable 2FA on LinkedIn, GitHub, and email accounts.

  • Real recruiters don’t pressure you to install software within minutes.

  • Report suspicious accounts to LinkedIn and your internal security team.

Our Threat Outlook

We assess with high confidence that LinkedIn-based social engineering will double in volume across Africa by Q1 2026. Attackers are automating profile creation, scraping GitHub, and using generative AI to craft persuasive lures.

Key Predictions:

  • Fake job posts will target AI engineers, Web3 developers, and cloud architects.

  • Supply chain attacks will use compromised LinkedIn accounts to reach B2B SaaS clients.

  • Deepfake interviews will be used to bypass KYC/identity verification in remote hiring.

Stay Ahead of the Threat

Today, trust is a vulnerability. As Africa’s digital workforce grows, so does the attack surface. LinkedIn is no longer just a platform for opportunity; it is also a battlefield.

Here at The Birdling, we’re tracking these threats in real time. Our Africa-focused threat intelligence helps organizations stay ahead of adversaries.
