When a job offer looks too good to be true… it probably is. As the COVID-19 pandemic has led workers to rethink their careers and long-term goals, threat actors have exploited it as an opportunity to fulfill strategic objectives. Over the past two years, PwC's Global Threat Intelligence team has tracked nation state threat actors as they socially engineered employees at high-profile companies over email, social media and beyond, enticing them with promising job opportunities - only to infect them with malware and disappear.In this talk, we unmask how ongoing operations by advanced persistent threats based in different countries (North Korea and Iran) are using recruitment themes to compromise victims. We draw the profiles of three different threat actors that conduct such operations: North Korea-based Lazarus Group and Black Alicanto; an emerging Iran-based intrusion set which we call Yellow Dev 13; and a threat actor targeting former intelligence officers. Phishing is the oldest trick in the book, but this presentation holds the mirror up to threat actors' faces: the ways they use job themes for phishing, from fake career websites to recruiter personae, become the CV we read to learn their capabilities (their tools, techniques, and procedures); the targets they choose become their cover letters, revealing their intelligence requirements and strategic objectives, from counterintelligence to cryptocurrency theft.Ultimately, this talk will leave attendees with different insights depending on their role. Business executives will get an overview of the threat landscape and why their organization might be targeted. Defenders will gain actionable intelligence on how to recognize and defend from, activity by advanced persistent adversaries. Ethical hackers might encounter a few tricks to try - and mistakes to avoid! - in phishing exercises and adversary emulation. As for the general audience, they might never open a document or link from a recruiter again.