A real Web3 recruitment Trojan experience: from a Zoom interview to Fymeet.exe, and finally finding that my computer had something abnormal implanted
While looking for a remote PHP/Go/Web3 job recently, I went through something that still scares me when I think about it.
The first half of the whole process looked almost no different from normal recruitment:
- HR proactively contacted me on Telegram
- The post highly matches my technical background
- Zoom Technical Interview
- Discuss team size, technology stack and salary range
- Follow-up arrangements for the second round of communication
That lasted until I installed a meeting client, fymeet.exe. After that, the computer began to show abnormal processes and the CPU usage soared, and I realized that I might have encountered malware delivery aimed at developers.
This article records the entire event, in the hope of giving some reference to developers who are looking for remote work, especially Web3-related positions.
1. Received Web3 recruitment invitation on Telegram
It happened in May 2026.
At the time I was looking for opportunities for Go backend, system architecture, and remote jobs.
On May 20th, I was contacted on Telegram.
The opening remarks of the other party are as follows:
Hello, you have very good experience in high-concurrency system architecture and back-end development, which is very suitable for the back-end technical person or system architecture engineer position. Is it convenient for you to consider new opportunities at present?
To be honest, this opening is not abrupt.
Because I had:
- Published resumes in the remote community
- Filled in my information on multiple Web3 recruitment platforms
- Kept looking for Go-related remote jobs
So I responded normally.
I asked:
- Company direction
- Job responsibilities
- Technology stack
- Whether to support remote
- Salary range
Then the other party began to introduce the project.
The project introduced by the other party
Project name:
otsea
The project is described as follows:
OTSEA is an innovative project focusing on Web3 and digital asset infrastructure, and is building a multi-chain trading platform and on-chain finance and data systems.
The technology stack includes:
- go
- java
- Solidity
- node.js
- React
Work mode:
- Fully remote
Team size:
- Dozens of people
Salary range:
- 5000~8000 USDT/month
Frankly, for a developer with many years of experience in Go, high-concurrency systems, and distributed architecture, this set of descriptions is quite a good match.
And the other party could answer normally about:
- team size
- technology stack
- Way of working
- Project stage
So there was not much doubt at the time.
As shown in Figure 1.

2. The first Zoom interview
On May 21, the other party took the initiative to arrange a Zoom interview.
The chat history is as follows:
Can we arrange a Zoom interview?
I reply:
Yes.
Then the two parties agreed on:
May 25 at 16:30.
Zoom interview
On the day of the interview, the other party sent the standard Zoom link.
The interviewer’s name is:
Iigor
The whole process looks very normal.
It even made me lower my vigilance further.
Because:
- Use Zoom
- There is a real interviewer
- There is real-time communication
- There is technical discussion
These are in line with the normal remote recruitment process.
But there is a problem.
The other party spoke Chinese with a heavy accent, and I didn’t fully understand a lot of the content.
After the interview, I took the initiative to propose:
I feel that I can’t hear Igor’s Chinese very clearly.
Could we see whether an English interview is possible?
Or a text interview would also be fine.
Then the other party replied:
Igor is very satisfied with his communication with you.
We will discuss follow-up cooperation with the team.
I will contact you in about an hour.
Up to this point, I still thought:
This is a remote Web3 company that is recruiting normally.
As shown in Figure 2.

3. Things start to get weird
About an hour later.
The other party contacted me again.
The content of the message is as follows:
Can we make another phone call in 30 minutes?
I think you might be a good fit for us.
I asked:
English?
The other party replied:
Let’s chat in Chinese.
Subsequently, the other party sent a new meeting link:
https://fymeet.app/invite?code=xxxxxx
Along with one sentence:
You can connect to our Work Hub and we are waiting for you.
To be honest, this was the first time I had heard of this platform:
fymeet.app
But since the Web3 circle itself often uses:
- Discord
- Slack
- Telegram
- Various niche collaboration tools
So I didn’t care too much at the time.
4. The most dangerous step: installing the Fymeet client
After I entered the web page, the other party said:
We can’t hear your voice, please turn on the microphone.
Then they asked:
Is the VPN open?
I replied:
It’s on.
Because the web version still could not communicate normally, I tried downloading the client.
It turned out that:
The client download failed.
I asked:
Are you using the client?
I can’t download it now.
The other party replied:
Please try this.
Then a file was sent via Telegram:
fyMeet.zip
Approximate size:
29.7 MB
As shown in Figure 3.

Looking back now, a very obvious risk signal had actually appeared at this moment.
Because the normal software distribution process should be:
Official website
↓
Download and install
↓
Use
instead of:
Official website download fails
↓
Archive sent privately over Telegram
↓
Asked to install immediately
But at the time I didn’t realize it.
5. Anomalies after installation
After I decompressed it, I got:
fyMeet.exe
Then I ran it directly.
During installation, I noticed several abnormal phenomena:
Anomaly one
A black CMD window kept popping up.
The black window quickly disappeared after it appeared.
This happened several times over the whole process.
Anomaly two
There was no standard installation interface.
None of these common installation steps:
- Next step
- Installation directory
- Finish page
Anomaly three
There were no desktop icons.
Anomaly four
The program could not be found in the Start menu either.
At that time my judgment was:
It may just be a relatively niche conferencing program of mediocre quality.
Therefore, I did not dig any further.
Subsequently, the two sides switched to text communication.
Subsequently, the two sides changed to text communication.
The other party sent a detailed questionnaire.
6. This questionnaire is actually very professional
Questions sent by the other party include:
- Go development experience
- web3 development experience
- RPC service experience
- Smart Contract Experience
- node experience
- docker
- Kubernetes
- github
- English level
- Salary expectation
It even included:
MetaMask wallet address (for salary payment)
I filled in the full information at the time.
Looking back now, the professionalism of this questionnaire was very high.
If it was just meant to gain a developer’s trust, it does work.
Because on the surface:
This is a normal blockchain recruitment questionnaire.
7. Anomalies were found the next day
The real problem arose on the second day.
After booting, I clearly felt that the computer had become sluggish.
The CPU fan started running at high speed.
After opening the Task Manager, I found:
CPU usage exceeds 90%.
The top-ranked processes included:
sysupdatewin.exe
Later there also appeared:
sysupdwin.exe
as multiple processes of the same name.
The most critical point is:
After I manually ended these processes, the CPU usage immediately returned to normal.
At this moment I began to realize:
This is very likely not normal software.
As shown in Figure 4.

8. Further investigation
After viewing the file location, I found that the corresponding path is:
C:\Users\Thinkpad\AppData\Local\Temp\SysUpdateProccess\
There is one more detail here.
The directory name is actually:
SysUpdateProccess
instead of:
SysUpdateProcess
Even the spelling of “Process” is wrong.
This is obviously not a problem that regular software would have.
Then I continued to check, and found:
- There is a startup item
- The process starts automatically
- A normal Defender scan found no abnormality
After that I also ran:
Windows Defender Offline Scanning
But still no clear results were found.
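The checks in this section can be turned into a small triage rule that does not depend on an antivirus verdict: flag executables that run from a Temp directory, and raise the severity when the same directory also has a startup entry. This is an added example, not part of the original article; the PIDs, the autorun name and arguments, and the benign rows are constructed, and only the directory and process names come from the text above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample rows modelled on the article's observations. PIDs, the
# autorun name/arguments and the benign rows are invented for illustration.
BAD_DIR = r"C:\Users\Thinkpad\AppData\Local\Temp\SysUpdateProccess"
PROCESSES = [
    {"pid": 4120, "image": BAD_DIR + r"\sysupdatewin.exe"},
    {"pid": 4388, "image": BAD_DIR + r"\sysupdwin.exe"},
    {"pid": 4392, "image": BAD_DIR + r"\sysupdwin.exe"},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 5012, "image": r"C:\Program Files\Go\bin\go.exe"},
]
AUTORUNS = [
    {"name": "SysUpdate", "command": '"' + BAD_DIR + r'\sysupdatewin.exe" /s'},
    {"name": "SecurityHealth", "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

# Executables have little reason to live in a Temp directory and be auto-started.
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)

def exe_of(command):
    """Extract the executable path from an autorun command (quoted or bare)."""
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.exe))', command, re.I)
    return (m.group(1) or m.group(2)) if m else command.strip()

def triage(processes, autoruns):
    """Group Temp-resident processes and autoruns by directory and rate them."""
    findings = {}
    def slot(path):
        folder = str(PureWindowsPath(path).parent).lower()
        return findings.setdefault(folder, {"pids": [], "autoruns": [], "severity": "medium"})
    for proc in processes:
        if TEMP_RE.search(proc["image"]):
            slot(proc["image"])["pids"].append(proc["pid"])
    for entry in autoruns:
        exe = exe_of(entry["command"])
        if TEMP_RE.search(exe):
            slot(exe)["autoruns"].append(entry["name"])
    for finding in findings.values():
        if finding["pids"] and finding["autoruns"]:
            finding["severity"] = "high"  # running now and set to survive a reboot
    return findings

if __name__ == "__main__":
    for folder, finding in triage(PROCESSES, AUTORUNS).items():
        print(finding["severity"], folder, finding)
```

On a live Windows host the two input lists would be filled from an export of the process list and of the startup entries rather than from constants.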

9. I began to doubt the entire recruitment process
At this point, I looked back and re-examined the whole process.
Many details began to look suspicious.
For example:
Why use Zoom for the first interview?
Why did it suddenly change to Fymeet the second time?
Why did the official website client download fail?
Why send a client via Telegram?
Why did the abnormal processes appear right after installation?
Each of these issues might be explained on its own.
But when they are put together, it seems very abnormal.
10. The last message
After finding the problem, I sent a message to the other party:
This file has a Trojan horse, do you know?
Result:
Read.
No reply.

At the same time, I found that the other party’s Telegram nickname had changed, from the nickname used when we first connected to another name.
Of course, this alone can’t explain anything.
But the way the whole incident developed really left me with more questions.
11. Final decision: reinstall the system
Because:
- An unknown exe had been run
- Abnormal processes had occurred
- There was a startup item
- Defender failed to identify anything explicitly
Eventually I decided:
Reinstall the system directly.
And I plan to gradually migrate the development environment to Ubuntu.
Although I need to reconfigure:
- go
- php
- docker
- Kubernetes
- development tools
compared to worrying long-term about whether the system has a back door, I think this is the more secure option.
12. Some suggestions for remote developers
The biggest lesson from this experience is:
What is really dangerous is often not the scams that can be seen through at a glance, but those recruitment processes that look very real.
The more normal the early communication is, the easier it is to relax your vigilance later.
If you are also looking for a remote position, especially Web3-related work, it is recommended to pay attention to the following points:
Don’t run an EXE sent privately over Telegram
Especially:
xxx.zip
↓
xxx.exe
this form.
Don’t let your guard down just because you used Zoom
A real interview does not mean that the subsequent process must be safe.
Be cautious about unfamiliar meeting software
In particular, products with:
- Very few downloads
- Very few search results
- An official website that cannot be downloaded from normally
Developers themselves are high-value targets
Because the developer’s computer usually includes:
- github
- ssh key
- VPS
- api token
- Browser login status
- wallet plugin
Therefore, developers are more likely to become attack targets than ordinary users.
Epilogue
As of this writing, I still can’t 1000% confirm:
- Whether Fymeet itself is malicious;
- Whether otsea really exists;
- Or whether they were being used by a third party.
But what is certain is:
After installing fymeet.exe, my computer had abnormal processes, abnormal CPU usage, and persistent startup behavior.
So I decided to record the whole experience completely.
If someone searches in the future:
- fymeet
- fymeet.app
- otsea
- Web3 Recruitment Trojans
- Telegram Recruitment Interview
Hope this article can provide some reference.