This report concerns a two-domain cluster linked to a job scam campaign targeting college students and recent graduates in the United States, operating through the legitimate career networking platform Handshake (joinhandshake.com). The campaign involves a secondary domain, kokalosmobile.org, which was registered on April 17, 2026, through GoDaddy.com, LLC — a notably recent registration date that contrasts sharply with joinhandshake.com's established registration of February 16, 2014, through Namecheap Inc. The pairing of a long-standing, reputable platform with a freshly created domain is consistent with schemes that exploit trusted infrastructure to lend credibility to fraudulent operations.
Community reports explicitly identify the threat actors as operating under the names "SOFTACT" and "KOKALOS MOBILE," with kokalosmobile.org serving as the associated web presence. The reported scheme is characterized as a bait-and-switch targeting junior software engineer job seekers on the Handshake platform. At least two community posts carrying this warning have been submitted from US-based users, each receiving one upvote, suggesting early-stage detection. A third report questions whether an unsolicited email contact through joinhandshake.com originated from a college or from an unknown third party, which is consistent with the threat actor using Handshake's employer-facing tools to initiate contact with student accounts without their knowledge or consent.
The relationship between kokalosmobile.org and joinhandshake.com is classified as reported_together, with a confidence score of 0.35, recorded twice across the dataset. The low-to-moderate confidence score reflects the nascent stage of this cluster's documentation rather than an absence of connection — the community reports directly name both entities in the same fraud context. The core methodology appears to involve fraudulent employer accounts or postings on Handshake presenting entry-level software engineering roles, with victims subsequently directed toward SOFTACT or KOKALOS MOBILE branding, potentially for credential harvesting, fraudulent hiring processes, or other downstream fraud.
Geographic targeting is concentrated in the United States, consistent with Handshake's primary user base of US college students and recent graduates. The platform's structure, which connects students with employers through institutional email verification, makes it a high-value target for actors seeking access to educated young adults actively seeking employment. The use of technology-sector job titles such as "Junior Software Engineer" is a deliberate targeting choice, as this demographic is likely to be less experienced in evaluating employer legitimacy.
This cluster represents a moderate and emerging threat. The recency of kokalosmobile.org's domain registration, the exploitation of a trusted academic career platform, and the deliberate targeting of vulnerable early-career job seekers indicate an active and intentional operation. The low complaint volume to date suggests the campaign may be in early deployment, with broader consumer impact possible as the infrastructure matures.