A Vietnamese hacking group known as BatShadow is using sophisticated social engineering to target job seekers and digital marketing professionals. The group’s current campaign is using a new, previously unknown malware called Vampire Bot. Attackers pose as recruiters and send out malicious files disguised as job descriptions and other corporate documents. Once opened, these files start a complex infection chain with the goal of gaining persistent access to the victim’s computer.
The attack starts with a malicious ZIP file that contains a decoy PDF and a harmful shortcut or executable file disguised as a PDF. When the victim opens the file, a PowerShell script runs in the background. This script connects to an external server to download a legitimate-looking PDF, such as a marketing job description for Marriott. Simultaneously, it downloads and runs a ZIP file for XtraViewer, a remote desktop program, likely to maintain control over the compromised device.
When victims click a link in the decoy PDF, they’re redirected to a fake error page. This page tells them their browser is unsupported and that they should use Microsoft Edge. While Chrome may block the redirect, the attackers instruct the victim to manually copy and paste the URL into Edge. This manual action tricks the browser into continuing the infection chain because it’s seen as a user-initiated action rather than a scripted one.
If the victim follows the instructions and opens the URL in Edge, another error message appears, claiming the “online PDF viewer is currently experiencing an issue.” This triggers an automatic download of a ZIP file that supposedly contains the job description. However, the file is a malicious executable named “Marriott_Marketing_Job_Description.pdf.exe,” with extra spaces between “.pdf” and “.exe” to hide its true nature. This executable is the Vampire Bot malware, which is a Golang-based program.
Once installed, Vampire Bot can steal a wide variety of information, capture screenshots, and communicate with the attacker’s server to receive commands and download more harmful programs. The group’s connection to Vietnam is supported by a previously used IP address. Moreover, the targeting of digital marketing professionals aligns with the tactics of other Vietnamese financially motivated groups who often steal Facebook business accounts. BatShadow has been active for at least a year, using similar domains to spread other malware families like Agent Tesla and Venom RAT.
Reference:
