Express Computer

Seqrite exposes sophisticated XELERA ransomware operation targeting Indian tech job seekers through FCI impersonation


Seqrite, the enterprise security arm of Quick Heal Technologies Limited, has revealed critical details about an advanced ransomware campaign targeting technology professionals in India. Dubbed “XELERA,” the operation leverages fake job offers impersonating the Food Corporation of India (FCI) to infiltrate victims’ systems, marking a concerning evolution in social engineering tactics.

Researchers at Seqrite Labs, India’s largest malware analysis facility, noted that the attack begins with spear-phishing emails containing a malicious Word document titled FCEI-job-notification.doc. Disguised as an official FCI recruitment notice, the document outlines fabricated job vacancies for technical roles. Embedded within it is a compressed PyInstaller executable (jobnotification2025.exe) that bypasses traditional security defenses. Upon execution, the malware deploys Python-compiled scripts (mainscript.pyc) to establish persistent access, utilising libraries like psutil and aiohttp for system monitoring and network communication.

A distinctive feature of XELERA is its integration with a Discord bot for command-and-control operations. By blending malicious traffic with legitimate Discord activity, attackers remotely execute commands such as privilege escalation, system lockdowns, and credential theft. The ransomware further disrupts systems by altering wallpapers, triggering fake Blue Screen of Death (BSOD) errors, and deploying the MEMZ.exe tool to corrupt the Master Boot Record (MBR), rendering devices inoperable.
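The chain described above (a Word document, an embedded PyInstaller executable, then Discord traffic) can be hunted by correlating process lineage with outbound connections. The sketch below is an added example, not code from Seqrite or from this article; the event field names, the sample events, and the premise that the executable starts as a child of Word are assumptions.

```python
# Added example: simplified, Sysmon-like events; field names are assumptions.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_discord_host(host):
    # Match the domain itself or any subdomain, never a mere suffix.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DISCORD_DOMAINS)

def detect(events):
    """Flag processes descended from an Office app that contact Discord."""
    lineage = {}  # pid -> (Office parent name, image first spawned by Office)
    alerts = []
    for ev in events:  # events are assumed to arrive in time order
        if ev["type"] == "process":
            parent = basename(ev["parent_image"])
            if parent in OFFICE_PARENTS:
                lineage[ev["pid"]] = (parent, ev["image"])
            elif ev["ppid"] in lineage:
                # PyInstaller one-file builds re-launch themselves as a
                # child process, so descendants inherit the lineage.
                lineage[ev["pid"]] = lineage[ev["ppid"]]
        elif ev["type"] == "network" and ev["pid"] in lineage:
            if is_discord_host(ev["host"]):
                office, first_child = lineage[ev["pid"]]
                alerts.append({"pid": ev["pid"], "host": ev["host"],
                               "office_parent": office,
                               "first_child": first_child})
    return alerts

def proc(pid, ppid, image, parent_image):
    return {"type": "process", "pid": pid, "ppid": ppid,
            "image": image, "parent_image": parent_image}

def net(pid, host):
    return {"type": "network", "pid": pid, "host": host}

# Constructed sample events (not taken from the Seqrite report).
EXE = r"C:\Users\u\AppData\Local\Temp\jobnotification2025.exe"
WORD = r"C:\Office\WINWORD.EXE"
SHELL = r"C:\Windows\explorer.exe"
SAMPLE = [
    proc(100, 4, WORD, SHELL),
    proc(200, 100, EXE, WORD),   # executable started from the document
    proc(201, 200, EXE, EXE),    # PyInstaller child of the same image
    net(201, "gateway.discord.gg"),
    proc(300, 4, r"C:\Apps\Discord.exe", SHELL),
    net(300, "discord.com"),     # user-launched Discord client: no alert
]
```

A production rule would also key on process GUIDs rather than bare PIDs, since PIDs are reused.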

In its final stage, XELERA encrypts critical files and displays a ransom note demanding payment in Litecoin cryptocurrency. Victims are directed to a specific wallet address, with threats of permanent data loss if demands are unmet. The campaign specifically exploits the urgency and trust of job seekers, many of whom are early-career professionals vulnerable to seemingly legitimate offers.

According to researchers at Seqrite Labs, this attack is a perfect example of the increasingly sophisticated techniques that cybercriminals are adopting while weaponising human psychology. Seqrite’s Advanced Persistent Threat (APT) Team has incorporated detection mechanisms for XELERA across its Endpoint Security and Threat Intelligence platforms.

The company advises organisations and individuals to adopt multi-layered security strategies, including regular software updates, endpoint protection, and employee training on phishing recognition. Job seekers should also remain vigilant, even when offers appear credible: always verify communications through official channels and avoid opening unsolicited attachments.
