
Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials

Severity: Medium
Published: Thu Oct 23 2025 (10/23/2025, 21:49:49 UTC)
Source: AlienVault OTX General

Description

A financially motivated Vietnamese threat actor group, UNC6229, is conducting a campaign that uses fake job postings on legitimate platforms to target remote workers in digital advertising and marketing. They create credible fake company profiles and lure victims with attractive remote job offers. Once a victim engages, they deliver malware attachments or phishing links, often leveraging legitimate business and CRM platforms to increase trust. The goal is to steal credentials and compromise high-value corporate and digital advertising accounts. The campaign relies heavily on social engineering and victim-initiated contact. Indicators include malware hashes and a suspicious domain (staffvirtual.website). This medium-severity threat poses risks to the confidentiality and integrity of corporate accounts, especially in organizations with remote digital advertising staff.

AI-Powered Analysis

Last updated: 10/24/2025, 09:27:50 UTC

Technical Analysis

The UNC6229 threat actor group from Vietnam is executing a targeted social engineering campaign aimed at individuals working remotely in digital advertising and marketing sectors. The attackers create fake company profiles on legitimate job platforms to post attractive remote job openings, enticing victims to apply. Once contact is established, the attackers send malware-laden attachments or phishing links designed to steal credentials and deploy remote access trojans (RATs). They abuse legitimate business and CRM platforms to enhance the credibility of their communications, thereby increasing the likelihood of victim engagement. The campaign's primary objective is to compromise high-value corporate accounts, particularly those managing digital advertising assets, enabling hijacking of ad accounts and potentially financial fraud or espionage. The attack chain involves victim-initiated contact, social engineering (T1204.002), phishing (T1566.001 and T1566.002), and use of legitimate infrastructure for command and control (T1102). Indicators of compromise include multiple malware hashes and a suspicious domain used in the campaign. While no CVE or direct exploit is involved, the campaign leverages human factors and trusted platforms to bypass technical defenses. The threat is ongoing as of late 2025, with no known exploits in the wild beyond the social engineering vector.

Potential Impact

For European organizations, especially those with remote digital advertising and marketing teams, this campaign poses significant risks. Compromise of credentials can lead to unauthorized access to corporate systems and digital advertising platforms, resulting in financial losses through ad fraud, reputational damage, and potential data breaches. The use of legitimate platforms for phishing increases the difficulty of detection, raising the likelihood of successful attacks. Organizations may face operational disruption if malware infections spread or if key accounts are hijacked. Given the reliance on remote work, the attack surface is expanded, and the confidentiality and integrity of sensitive corporate and client data are at risk. Additionally, compromised advertising accounts can be used to disseminate further malicious content or misinformation, amplifying the impact. The medium severity reflects moderate ease of exploitation combined with targeted high-value outcomes.

Mitigation Recommendations

European organizations should implement targeted awareness training focused on recognizing fake job postings and social engineering tactics specific to recruitment scams. Security teams should monitor job platforms for suspicious company profiles and reported fake postings related to their sector. Enforce multi-factor authentication (MFA) on all corporate and digital advertising accounts to reduce the risk of credential misuse. Deploy advanced email and web filtering solutions capable of detecting phishing links and malware attachments, including those leveraging legitimate business platforms. Conduct regular audits of digital advertising accounts for unauthorized changes or access. Establish incident response playbooks tailored to credential theft and malware infections originating from recruitment scams. Encourage verification of job offers through direct company channels before engagement. Finally, share threat intelligence indicators such as hashes and domains with security operations centers (SOCs) to enable proactive detection.
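As an added illustration of the last recommendation (this is not code from the OTX pulse or the Google report), the Python below matches proxy log entries against the campaign's domain indicator, covering its subdomains while rejecting look-alike names that merely contain it. The log format and entries are constructed, and the ATT&CK mapping on a hit follows the technique IDs given in the analysis above.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Domain indicator from the pulse; subdomains are matched by suffix.
DOMAIN_IOCS = {"staffvirtual.website"}

# ATT&CK techniques the analysis associates with a visit to the lure domain.
TECHNIQUES_FOR_DOMAIN_HIT = ["T1566.002", "T1102"]

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

def matching_ioc(host: str) -> Optional[str]:
    """Return the indicator that covers `host` (exact or parent domain), else None."""
    host = host.lower().rstrip(".")
    for ioc in DOMAIN_IOCS:
        # endswith("." + ioc) rejects look-alikes such as notstaffvirtual.website
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan_proxy_log(lines):
    """Return one hit record per log line whose URL host is covered by an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        host = urlparse(m["url"]).hostname or ""
        ioc = matching_ioc(host)
        if ioc:
            hits.append({"line": n, "src": m["src"], "host": host, "ioc": ioc,
                         "techniques": TECHNIQUES_FOR_DOMAIN_HIT})
    return hits

# Constructed sample: two true hits (one via a subdomain, one in upper case),
# one benign request and one look-alike domain that must not match.
SAMPLE_LOG = [
    "2025-10-23T14:02:11Z 10.0.5.21 GET https://mail.example.com/inbox 200",
    "2025-10-23T14:05:40Z 10.0.5.21 GET https://careers.staffvirtual.website/apply 200",
    "2025-10-23T14:05:42Z 10.0.5.21 GET https://STAFFVIRTUAL.WEBSITE/job-description.pdf 200",
    "2025-10-23T14:06:00Z 10.0.5.33 GET https://notstaffvirtual.website/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} -> {hit['host']} matches {hit['ioc']} {hit['techniques']}")
```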


Technical Details

Author: AlienVault
TLP: white
References: https://cloud.google.com/blog/topics/threat-intelligence/vietnamese-actors-fake-job-posting-campaigns
Adversary: UNC6229
Pulse Id: 68faa2fed55e8cf11bb533b7
Threat Score: null

Indicators of Compromise

Hash

Malware file hashes (MD5, SHA-1 and SHA-256) for this campaign are listed in the referenced OTX pulse.

Domain

staffvirtual.website

Threat ID: 68fb42fddf38e44162d5bae7

Added to database: 10/24/2025, 9:12:29 AM

Last enriched: 10/24/2025, 9:27:50 AM

Last updated: 10/25/2025, 11:29:04 PM
