A Vietnamese threat actor named BatShadow has been attributed to a new campaign that leverages social engineering tactics to deceive job seekers and digital marketing professionals to deliver a previously undocumented malware called Vampire Bot.
“The attackers pose as recruiters, distributing malicious files disguised as job descriptions and corporate documents,” Aryaka Threat Research Labs researchers Aditya K Sood and Varadharajan K said in a report shared with The Hacker News. “When opened, these lures trigger the infection chain of a Go-based malware.”
The attack chains, per the cybersecurity company, leverage ZIP archives containing decoy PDF documents along with malicious shortcut (LNK) or executable files that are masked as PDF to trick users into opening them. When launched, the LNK file runs an embedded PowerShell script that reaches out to an external server to download a lure document, a PDF for a marketing job at Marriott.
The PowerShell script also downloads from the same server a ZIP file that includes files related to XtraViewer, a remote desktop connection software, and executes it likely with an aim to establish persistent access to compromised hosts.
Victims who end up clicking on a link in the lure PDF to supposedly “preview” the job description are directed to another landing page that serves a fake error message stating the browser is unsupported and that “the page only supports downloads on Microsoft Edge.”
“When the user clicks the OK button, Chrome simultaneously blocks the redirect,” Aryaka said. “The page then displays another message instructing the user to copy the URL and open it in the Edge browser to download the file.”
The instruction on the part of the attacker to get the victim to use Edge as opposed to, say, Google Chrome or other web browsers is likely down to the fact that scripted pop-ups and redirects are likely blocked by default, whereas manually copying and pasting the URL on Edge allows the infection chain to continue, as it’s treated as a user-initiated action.
However, should the victim opt to open the page in Edge, the URL is programmatically launched in the web browser, only to display a second error message: “The online PDF viewer is currently experiencing an issue. The file has been compressed and sent to your device.”
This subsequently triggers the auto-download of a ZIP archive containing the purported job description, including a malicious executable (“Marriott_Marketing_Job_Description.pdf.exe”) that mimics a PDF by padding extra spaces between “.pdf” and “.exe.”
The executable is a Golang malware dubbed Vampire Bot that can profile the infected host, steal a wide range of information, capture screenshots at configurable intervals, and maintain communication with an attacker-controlled server (“api3.samsungcareers[.]work”) to run commands or fetch additional payloads.
BatShadow’s links to Vietnam stem from the use of an IP address (103.124.95[.]161) that has been previously flagged as used by hackers with links to the country. Furthermore, digital marketing professionals have been one of the main targets of attacks perpetrated by various Vietnamese financially motivated groups, who have a track record of deploying stealer malware to hijack Facebook business accounts.
In October 2024, Cyble also disclosed details of a sophisticated multi-stage attack campaign orchestrated by a Vietnamese threat actor that targeted job seekers and digital marketing professionals with Quasar RAT using phishing emails containing booby-trapped job description files.
BatShadow is assessed to be active for at least a year, with prior campaigns using similar domains, such as samsung-work[.]com, to propagate malware families including Agent Tesla, Lumma Stealer, and Venom RAT.
“The BatShadow threat group continues to employ sophisticated social engineering tactics to target job seekers and digital marketing professionals,” Aryaka said. “By leveraging disguised documents and a multi-stage infection chain, the group delivers a Go-based Vampire Bot capable of system surveillance, data exfiltration, and remote task execution.”
