Pixiv and DeviantArt artists hit by malware-pushing NFT job ads

Users of Pixiv, DeviantArt, and other creator-focused online platforms report receiving multiple messages from people claiming to be part of the “Cyberpunk Ape Executives” NFT project, with the primary purpose of infecting artists’ devices with information-stealing malware.

“Cyberpunk Ape Executives” is a limited collection of non-fungible tokens (NFTs) following the closed club approach that has given similar companies astronomical fame and value.

As reported by Malwarebytes, threat actors are targeting artists with offers to work with the people behind the project and design a new set of characters to expand the collection with new NFTs, offering compensation of up to $350 per day.

The message sent to the artists is given below:

“Hi! We appreciate your artwork! Cyberpunk Ape Executives is inviting 2D Artists (Online/Freelance) to collaborate on creating an NFT project. As a 2D Artist, you will create amazing and lovable NFT characters. Your characters will become an important part of our NFT universe! Our expectations of the candidate: 1) Experience as a 2D artist 2) Experience and examples of character creation 3) Photoshop skills.”

“Main tasks: 1) Creation of characters in our NFT style 2) Interaction with the art team leader on definition of tasks, feedback. For more communication, see examples of our NFT works: [url removed] and send a response (CV + examples of your work) for this position. Approximate payout per day = $200 to $350. We make payments to Paypal, BTC, ETH, LTC.”

Cyberpunk Ape Malware

The messages sent to the artists contain a link which, if clicked, leads to a MEGA download page from where the victim can download a password-protected 4.1 MB RAR archive named “Cyberpunk Ape Examples ( pass 111).rar” which contains samples of Cyberpunk Ape Executives artwork.

This is supposed to help artists understand the style they should follow, and it lends a false sense of legitimacy to the job offer.

Inside the archive, artists will find Cyberpunk Ape Executives NFT GIFs, and among them, an executable file designed to look like another GIF image, blending in easily with the rest of the collection.

Executable disguised as an NFT GIF image
Source: BleepingComputer

This executable is a malware installer that will infect the device with an information-stealing Trojan that, based on current VirusTotal detections, has a good chance of bypassing AV detection.

VirusTotal scan returning low chance of detection
Source: BleepingComputer

Information stealers typically target information stored on web browsers, such as account passwords, cryptocurrency wallets, credit cards, or even files on disk.

When threat actors get their hands on the credentials of a notable account with a high number of followers, they use it to promote the same scam to even more users.

This could be even more dangerous for artists who work with NFTs, as stealing victims’ wallets will allow threat actors to steal any cryptocurrency or NFTs stored there.

Many creators report that bot accounts kept sending these messages every few minutes, while other artists say they received the message in Japanese.

How to stay safe

Job postings, especially the more lucrative ones, can be so enticing that they inspire people to take immediate action, but you should never do that.

Instead, you should contact the project or company directly to confirm the email or check their Twitter accounts for more information.

This would show that the Cyberpunk Ape Executives project is warning users against this scam.

Before launching files downloaded from file sharing services like MEGA, always scan them with your antivirus program.

Even then, malicious files may still not generate an alert on your AV, as this campaign proves, so using MFA as a last line of defense on all your accounts would be a good idea.
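Because the installer in this campaign was an executable made to look like one of the GIFs, checking what each extracted file actually contains catches it even when the AV stays silent. The Python below is an added example, not part of the original article: it flags Windows executables and image-named files whose content is not that image type (it covers PNG and JPEG as well as GIF), and the function names and sample file names are constructed for illustration.

```python
import os
import struct
import tempfile

# Leading bytes each image type must start with.
IMAGE_MAGIC = {".gif": (b"GIF87a", b"GIF89a"),
               ".png": (b"\x89PNG\r\n\x1a\n",),
               ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}

def is_pe(data):
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"

def classify(path):
    """Return the reasons a file in an 'artwork' folder looks suspicious."""
    with open(path, "rb") as fh:
        data = fh.read(4096)  # header region; covers typical e_lfanew values
    ext = os.path.splitext(path)[1].lower()
    reasons = []
    if is_pe(data):
        reasons.append("Windows executable (PE) content")
    magic = IMAGE_MAGIC.get(ext)
    if magic and not data.startswith(magic):
        reasons.append(f"named {ext} but content is not that image type")
    return reasons

def scan_folder(folder):
    """Map relative path -> reasons for every suspicious file under folder."""
    findings = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            if (reasons := classify(full)):
                findings[os.path.relpath(full, folder)] = reasons
    return findings

def demo():
    """Scan a constructed folder: header bytes only, no real images or malware."""
    fake_pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    samples = {"ape_01.gif": b"GIF89a" + b"\x00" * 32,
               "ape_02.exe": fake_pe, "ape_03.gif": fake_pe}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return scan_folder(tmp)
```

Point `scan_folder()` at the folder the archive was extracted to, before opening anything in it; any hit in a folder that is supposed to hold only sample images is reason to delete the download.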