A Vietnamese threat group known as BatShadow has been identified as responsible for a new campaign that uses social engineering tactics to deceive job seekers and digital marketing professionals. The attackers impersonate recruiters, distributing malicious files disguised as job descriptions and corporate documents, in order to infiltrate an undocumented malware called Vampire Bot.
Beware of recruiters!
According to a report from Aryaka Threat Research Labs, attackers use ZIP files that contain fake PDF documents along with executable files disguised as PDFs. When users open these files, a chain of infection of Go-based malware is triggered. In this case, the executable file disguised as a job description for a marketing position at Marriott triggers a PowerShell script that connects to an external server to download more malicious files, including remote access software.
A particularly insidious tactic of this group is that they guide victims to use Microsoft Edge to open a link to a supposed job description. This is done because Edge allows the infection process to continue, while other browsers like Chrome block certain scripts for security reasons.
The Vampire Bot malware is capable of profiling the infected host, stealing personal information, and taking screenshots at configurable intervals. Additionally, it maintains communication with a server controlled by the attackers to execute additional commands. The activity of BatShadow has been traced back to IP addresses previously linked to hackers in Vietnam.
This is not the first attempt at targeted attacks on digital marketing professionals; in October 2024, a similar campaign was reported that used Quasar RAT to target job seekers through phishing emails. The sophistication of BatShadow’s tactics highlights the need to remain vigilant against such threats in an increasingly digitalized work environment.