← All posts

27 April 2026

Fake Job Offer, Real Malware: How a LinkedIn Scammer Used a 'Salary Document' to Hack Systems

Akash Yadav received a LinkedIn message from someone claiming to represent Adform, offering a remote marketing role. The form they sent contained a folder with a .app file — malware. At least one person who opened it had their system motherboard corrupted. This is exactly how it happened.

Victim

Akash Yadav

Reported Person

Benzamin Karunya

Akash Yadav received a LinkedIn message from "Benzamin Karunya" — a profile listing themselves as a Performance Marketing Analyst from Bengaluru, with over a thousand followers and a polished-looking work history.

The message was professional. Benzamin claimed to be assisting Adform on a project focused on digital growth and performance marketing. They asked about Akash's experience with Meta accounts and Google Ads. Said the Job Description and salary scale were attached to a form. Standard-sounding recruitment.

Nothing about it was standard.

How the scam unfolds

The conversation followed a carefully scripted pattern.

First, a friendly professional introduction. Then a Google Form link — containing a Google Doc styled to look like an official Adform recruitment application, complete with company branding, a detailed JD, and a salary framework.

Then came the push.

"Have you reviewed them yet?"

"Have you opened the salary details yet? Could you take a screenshot and send it to me so we can discuss the compensation?"

"According to our recruitment process, please open the document and send it to me so we can discuss."

The escalating pressure to open that document was not about recruitment. It was the entire goal. The form, the branded Google Doc, the salary framework — all props. The actual payload is what is inside the folder attached to or linked from the document: a file in *.app format*.

.app files are executable programs. On a Mac, opening one runs it immediately. There is no preview. No document opens. The file just executes — and it can do whatever it was designed to do: steal credentials, install a keylogger, give remote access to your machine, or corrupt the system entirely.

LinkedIn knew something was wrong

One of Benzamin Karunya's messages was automatically flagged by LinkedIn with a warning: "This message may contain unwanted or harmful content."

LinkedIn does not flag messages randomly. Its systems detected something in the content that matched known patterns of harmful activity. That warning appeared mid-conversation — before Akash had opened anything.

He stopped. "Why u want me to open the document? I don't want to open that."

That instinct was correct. He got out before the payload was executed.

At least one person was not so lucky

Ankita Dwivedi commented on Akash's public post:

"Yep please be aware my team member fell for it. Open it from our main system and later system mother board gone corrupted and we had no clue what happened until we investigated the whole situation."

Motherboard corruption. From what looked like a salary document. A team member opened a file sent by someone claiming to be a recruiter, on the company's main system, and the damage required a full investigation to understand. This is not a hypothetical risk. It happened.

The profile behind the scam

Benzamin Karunya's LinkedIn profile presents as a Performance Marketing Analyst — Google Ads, Meta Ads, Amazon Ads, GA4, GTM, E-commerce Growth. Bengaluru-based. Open to work. Over a thousand followers. The profile looks legitimate at a glance.

That is the point.

Real recruiters at real companies do not need you to open a downloadable folder to discuss compensation. They do not repeatedly push you to screenshot something from inside a downloaded file. They do not escalate from a first message to "please open the document right now" within a single short conversation.

The job offer is not the goal. Getting you to open the file is.

What to watch for

*The job-first, document-second play.* Scammers move fast — professional introduction, a plausible company name, a form or attachment — all leading to the ask to open and download something. Any recruiter who skips the interview process and goes straight to "you need to open this folder" is not recruiting.

*Pressure to open documents or download folders.* Legitimate JDs are sent as PDFs, links to company websites, or shared via proper ATS platforms. Not as downloadable folders with executable files inside.

*.app, .exe, .dmg, and .sh files disguised as salary or onboarding documents.* These are programs, not documents. If a recruiter sends you a folder and inside it is a file ending in .app, .exe, .dmg, or .sh — do not open it under any circumstances.

*LinkedIn's own content warnings.* If LinkedIn flags a message as potentially harmful, that is not a glitch. Disengage immediately and report the profile.

*Escalating urgency within the same conversation.* The pressure to review, screenshot, and confirm is time-pressure tactics — scammers know they have a limited window before the target gets suspicious. Legitimate recruiting does not operate like this.

What to do if you receive a message like this

  1. Do not open any folder or file sent by an unverified recruiter — especially anything ending in .app, .exe, .dmg, or .sh
  2. Screenshot the conversation before taking any other action
  3. Report the LinkedIn profile using the Report button on their profile
  4. Submit the profile URL to our database so others can check before responding
  5. If you have already opened the file — disconnect from the internet immediately, contact IT or a technician, change all passwords from a separate device, and assume your credentials may have been compromised

Akash made the right call. He questioned. He refused. He posted publicly. That post is part of the record now — and so is this one.

View Original Post on LinkedIn ↗

Seen a LinkedIn scammer?

Report their profile to our community database — it takes 30 seconds and helps protect thousands of others.

Report a Scammer →