Your CV Could Be a Trap: New Malware Targets Job Applicants Right Now

Job seekers should be wary: malware operators are increasingly using fake job adverts to spread malicious software and steal personal data.

According to the latest Zscaler ThreatLabz 2025 Mobile, IoT & OT Threat Report, a new remote-access Trojan (RAT) called Xnotice has been identified, specifically targeting job applicants, notably those seeking roles in the oil and gas industry across the Middle East and North Africa (MENA).

The rising popularity of mobile and remote applications has opened a new attack vector: instead of traditional desktop phishing, attackers are now exploiting mobile demand, trusted app stores, and even recruitment itself to compromise devices and networks.

What the Report Found

• Android malware transactions have surged 67% year-over-year, underscoring the dramatic growth in mobile threats.
• ThreatLabz researchers identified 239 malicious apps on the Google Play Store that have been downloaded a collective 42 million times, many disguised as 'Tools' or productivity apps. This tactic preys on users' trust.
• In addition to the novel Xnotice RAT, the report also highlights older, more common malware, such as spyware and mobile banking trojans, used for credential theft, bank fraud, or unauthorised remote access.
• On the IoT/OT front, the attack surface is equally worrying: critical sectors such as Energy, Manufacturing, Transportation and Healthcare are seeing dramatic spikes. The Energy sector alone recorded a 387% increase in attacks over the last year, and IoT botnet families such as Mirai, Mozi, and Gafgyt now account for around 75% of all malicious IoT payloads.

Why Job Applicants Are Prime Targets

The shift reflects a broader trend: job seekers are under pressure, especially in sectors recently hit by layoffs. Cybercriminals exploit this urgency by posting seemingly legitimate job adverts, often repurposing content from genuine listings, and masking malware behind professional-looking applications or documents.

Once a candidate expresses interest, perhaps via a 'job description' or CV template, attackers may send a file that masquerades as a company document. When opened, this file infects the system, enabling malware to hijack devices or harvest personal data.

In the case of Xnotice, fraudulent recruitment tactics are paired with Trojan functionality, combining social engineering and direct system compromise. Given the sensitive nature of information often shared during recruitment (identity documents, credentials, addresses), this can lead to identity theft or deeper network infiltration.

The Broader Context: Why It Matters

This threat emerges at a time when mobile devices, IoT, and hybrid working models are deeply integrated into both personal and professional lives. The lines between personal and enterprise devices have blurred, making mobile malware not just a consumer cybersecurity issue but an enterprise risk.

Moreover, as IoT and Operational Technology (OT) systems become increasingly connected, especially in critical infrastructure sectors such as energy, transportation, and healthcare, the potential for widespread disruption grows. Malware that begins on a single phone or IoT device could propagate across networks, with profound implications.

What Job Applicants Should Do

• Treat unsolicited job adverts with caution, especially those that ask you to download documents before any formal interview or screening.
• Avoid downloading attachments or files from unverified recruiters or unknown domains, even if they appear professional or similar to real companies.
• Use security solutions where possible — keep mobile OS updated, enable multi-factor authentication, and consider using antivirus or threat-detection software.
• Verify the legitimacy of job offers by checking recruiter profiles, contacting companies directly via official channels, and not relying solely on emailed documents or messages.

The findings of the 2025 Zscaler ThreatLabz report serve as a stark reminder: in today's digital age, even your CV, a seemingly innocent tool for job hunting, can be weaponised.

As cybercriminals innovate, the act of applying for a job may no longer be risk-free. Whether a smartphone, an IoT device, or industrial infrastructure, every connected endpoint represents a potential entry point.

Job seekers—and organisations alike—must remain vigilant. The simplest precautions could make the difference between finding your next role and falling victim to a trap.