Oct 07, 2025Ravie LakshmananMalware / Menace Intelligence
A Vietnamese risk actor named BatShadow has been attributed to a brand new marketing campaign that leverages social engineering techniques to deceive job seekers and digital advertising and marketing professionals to ship a beforehand undocumented malware referred to as Vampire Bot.
“The attackers pose as recruiters, distributing malicious information disguised as job descriptions and company paperwork,” Aryaka Menace Analysis Labs researchers Aditya Ok Sood and Varadharajan Ok mentioned in a report shared with The Hacker Information. “When opened, these lures set off the an infection chain of a Go-based malware.”
The assault chains, per the cybersecurity firm, leverage ZIP archives containing decoy PDF paperwork together with malicious shortcut (LNK) or executable information which might be masked as PDF to trick customers into opening them. When launched, the LNK file runs an embedded PowerShell script that reaches out to an exterior server to obtain a lure doc, a PDF for a advertising and marketing job at Marriott.
The PowerShell script additionally downloads from the identical server a ZIP file that features information associated to XtraViewer, a distant desktop connection software program, and executes it probably with an goal to ascertain persistent entry to compromised hosts.
Victims who find yourself clicking on a hyperlink within the lure PDF to supposedly “preview” the job description are directed to a different touchdown web page that serves a faux error message stating the browser is unsupported and that “the web page solely helps downloads on Microsoft Edge.”
“When the person clicks the OK button, Chrome concurrently blocks the redirect,” Aryaka mentioned. “The web page then shows one other message instructing the person to repeat the URL and open it within the Edge browser to obtain the file.”
The instruction on the a part of the attacker to get the sufferer to make use of Edge versus, say, Google Chrome or different internet browsers is probably going right down to the truth that scripted pop-ups and redirects are probably blocked by default, whereas manually copying and pasting the URL on Edge permits the an infection chain to proceed, because it’s handled as a user-initiated motion.
Nevertheless, ought to the sufferer decide to open the web page in Edge, the URL is programmatically launched within the internet browser, solely to show a second error message: “The net PDF viewer is at the moment experiencing a problem. The file has been compressed and despatched to your machine.”
This subsequently triggers the auto-download of a ZIP archive containing the purported job description, together with a malicious executable (“Marriott_Marketing_Job_Description.pdf.exe”) that mimics a PDF by padding additional areas between “.pdf” and “.exe.”
The executable is a Golang malware dubbed Vampire Bot that may profile the contaminated host, steal a variety of data, seize screenshots at configurable intervals, and keep communication with an attacker-controlled server (“api3.samsungcareers[.]work”) to run instructions or fetch extra payloads.
BatShadow’s hyperlinks to Vietnam stem from the usage of an IP handle (103.124.95[.]161) that has been beforehand flagged as utilized by hackers with hyperlinks to the nation. Moreover, digital advertising and marketing professionals have been one of many essential targets of assaults perpetrated by numerous Vietnamese financially motivated teams, who’ve a observe document of deploying stealer malware to hijack Fb enterprise accounts.
In October 2024, Cyble additionally disclosed particulars of a complicated multi-stage assault marketing campaign orchestrated by a Vietnamese risk actor that focused job seekers and digital advertising and marketing professionals with Quasar RAT utilizing phishing emails containing booby-trapped job description information.
BatShadow is assessed to be energetic for a minimum of a yr, with prior campaigns utilizing related domains, equivalent to samsung-work.com, to propagate malware households together with Agent Tesla, Lumma Stealer, and Venom RAT.
“The BatShadow risk group continues to make use of subtle social engineering techniques to focus on job seekers and digital advertising and marketing professionals,” Aryaka mentioned. “By leveraging disguised paperwork and a multi-stage an infection chain, the group delivers a Go-based Vampire Bot able to system surveillance, knowledge exfiltration, and distant process execution.”
