- A Vietnamese Hacking group named BatShadow has launched a campaign using fake job offers to spread new Malware called Vampire Bot.
- The attackers send malicious files disguised as job descriptions and company documents to trick job seekers and digital marketing workers.
- The malware infection begins when victims open files in ZIP archives that contain harmful shortcut or executable files masked as PDFs.
- Victims who follow the infection chain are directed to download a ZIP archive containing a malware-infected file designed to appear as a legitimate PDF.
- Vampire Bot malware gathers information, takes screenshots, and connects to attacker servers to run commands or download more malware.
A Vietnamese threat group known as BatShadow is behind a cyberattack campaign that targets job seekers and digital marketing professionals by impersonating recruiters. This campaign distributes malicious documents that lead to the installation of a new malware called Vampire Bot. The attacks were reported on October 7, 2025.
Aryaka Threat Research Labs investigators Aditya K Sood and Varadharajan K described the attack in a report shared with The Hacker News. They explained that the attackers send ZIP files containing fake PDF documents along with malicious shortcut (.LNK) or executable files designed to look like PDFs. Opening these triggers a PowerShell script that downloads additional files. Among these is a lure PDF advertising a marketing job at Marriott and a ZIP containing XtraViewer, a remote desktop software likely used to maintain ongoing access.
Targets who click links in the lure PDF are led to a fake webpage that instructs them to open the link in Microsoft Edge because other browsers block the download automatically. When the link is opened in Edge, it triggers the download of a ZIP archive containing a malware executable named “Marriott_Marketing_Job_Description.pdf.exe.” This file disguises itself by adding spaces between “.pdf” and “.exe” to appear as a PDF.
The executable is Vampire Bot, programmed in the Go language. It collects information about the infected device, takes screenshots at set times, and communicates with a server controlled by the attackers (“api3.samsungcareers[.]work”) to receive commands or additional malicious payloads.
The group’s connection to Vietnam is supported by the use of an IP address previously linked to Vietnamese Hackers. Digital marketing professionals have been frequent targets of Vietnamese financially motivated groups, which have used malware designed to steal information and take over Facebook business accounts in earlier attacks.
In October 2024, Cybersecurity firm Cyble detailed a similar campaign by a Vietnamese group using Quasar RAT to target job seekers and marketing workers with phishing emails containing dangerous job descriptions. BatShadow appears to have been active for over a year, with past operations involving similar domain names like samsung-work.com to spread malware such as Agent Tesla, Lumma Stealer, and Venom RAT.
Aryaka summarized: “The BatShadow threat group continues to employ sophisticated social engineering tactics to target job seekers and digital marketing professionals. By leveraging disguised documents and a multi-stage infection chain, the group delivers a Go-based Vampire Bot capable of system surveillance, data exfiltration, and remote task execution.”
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- DefiLlama Delists Aster as Suspicious Perp Volume Raises Doubts
- Nvidia CEO Reaffirms H-1B Sponsorship Amid New Visa Fee Changes
- 2025 Nobel Prize Honors Quantum Circuit Pioneers Behind Qubits
- Google DeepMind launches CodeMender AI to auto-fix software flaws
- Pompliano: Bitcoin’s Scarcity Will Keep Driving Price Higher
