Batshadow Group hunts job seekers using the new GO-based “Vampire Bot” malware

October 7, 2025 4 Min Read

A Vietnamese threat actor known as Batshadow has been attributed to a new campaign that delivers a previously undocumented malware called Vampire Bot, using social engineering to deceive job seekers and digital marketing professionals.

“Attackers pose as recruiters and distribute malicious files disguised as job descriptions and corporate documents,” Aryaka Threat Research Labs researchers Aditya K Sood and Varadharajan K said in a report shared with The Hacker News. “When opened, these lures trigger infection chains of GO-based malware.”

According to the cybersecurity company, the attack chain relies on a ZIP archive containing decoy PDF documents that tricks users into opening malicious shortcuts (LNK files) or executables masquerading as PDFs. When launched, the LNK file runs an embedded PowerShell script that contacts an external server to download a lure document, a PDF describing a marketing job at Marriott.

The PowerShell script also fetches, from the same server, a ZIP file containing files related to XtraViewer, a remote desktop connection tool, to establish persistent access to the compromised host.

A victim who clicks the link in the lure PDF is told that their browser's “preview” is not supported and is directed to another landing page that shows a fake error message: “The page only supports Microsoft Edge downloads.”

“When a user clicks the OK button, Chrome blocks the redirect at the same time,” Aryaka says. “The page then displays another message asking the user to copy the URL, open it in the Edge browser, and download the file.”

The reason the attackers steer victims toward Edge likely lies in the fact that Google Chrome and other web browsers block scripted pop-ups and redirects by default, whereas a URL that the user manually copies and pastes is treated as user-initiated, allowing the infection chain to continue.

If the victim does open the page in Edge, the URL is launched programmatically in the browser, only to display a second error message: “Online PDF viewer is currently experiencing problems. The file has been compressed and sent to the device.”

This triggers an automatic download of a ZIP archive purporting to contain the job description, which includes a malicious executable (“marriott_marketing_job_description.pdf.exe”).
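A defender-side check for the kind of archive described above, added here as an example (not Aryaka's or the campaign's code): it builds a constructed in-memory ZIP containing the executable name from the article alongside assumed sibling files, then flags entries whose double extension or leading header bytes do not match a document.

```python
import io
import os
import zipfile

MZ_MAGIC = b"MZ"  # Windows PE header prefix
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"  # ShellLink header size + CLSID prefix
EXECUTABLE_EXTS = {".exe", ".lnk", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
# Constructed sample archive: the executable name from the article plus
# assumed sibling files; contents are harmless placeholder bytes.
SAMPLE_FILES = {
    "Marriott_Marketing_JD.pdf": b"%PDF-1.4\n% decoy\n",
    "marriott_marketing_job_description.pdf.exe": MZ_MAGIC + b"\x00" * 62,
    "Job_Description.pdf.lnk": LNK_MAGIC + b"\x00" * 68,
    "Company_Profile.pdf": MZ_MAGIC + b"\x00" * 62,  # PE bytes behind a .pdf name
}

def build_sample_zip(files=SAMPLE_FILES):
    """Write the constructed entries into an in-memory ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def classify_entry(name, head):
    """Return why an entry looks like a document masquerade, or None."""
    stem, final_ext = os.path.splitext(name.lower())
    _, inner_ext = os.path.splitext(stem)
    if final_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        return f"double extension {inner_ext}{final_ext}"
    if final_ext in EXECUTABLE_EXTS:
        return f"executable type {final_ext} inside a document archive"
    if final_ext in DOCUMENT_EXTS and head.startswith(MZ_MAGIC):
        return "PE header behind a document extension"
    if final_ext in DOCUMENT_EXTS and head.startswith(LNK_MAGIC):
        return "shortcut header behind a document extension"
    return None

def inspect_archive(zip_bytes):
    """Map each suspicious entry name to the reason it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(8)  # only the magic bytes are needed
            reason = classify_entry(info.filename, head)
            if reason:
                findings[info.filename] = reason
    return findings
```

Running `inspect_archive(build_sample_zip())` flags the three masquerading entries and leaves the genuine decoy PDF alone; the same function works on a real downloaded archive's bytes.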

The executable is a Golang-based bot that can profile the infected host, steal a wide range of information, capture screenshots at configurable intervals, and maintain communication with attacker-controlled servers.

Batshadow's link to Vietnam rests on its use of an IP address (103.124.95(.)161) previously flagged as used by hackers connected to the country. In addition, digital marketing professionals are among the main targets of various financially motivated Vietnamese groups with a track record of deploying stealer malware to hijack Facebook business accounts.

In October 2024, Cyble also disclosed a sophisticated multi-stage attack campaign by Vietnamese threat actors who used Booby RAT to target job seekers and digital marketing professionals.

Batshadow is assessed to have been active for at least a year and uses look-alike domains such as Samsung-Work.com to propagate malware families including Agent Tesla, Lumma Stealer and Venom RAT.

“The Batshadow threat group continues to employ sophisticated social engineering tactics to target job seekers and digital marketing professionals,” Aryaka said. “By leveraging disguised documents and multi-stage infection chains, this group delivers a GO-based Vampire Bot that can monitor systems, exfiltrate data, and perform remote tasks.”
