Full Report
A Vietnamese threat actor named BatShadow has been attributed to a new campaign that leverages social engineering tactics to deceive job seekers and digital marketing professionals to deliver a previously undocumented malware called Vampire Bot. "The attackers pose as recruiters, distributing malicious files disguised as job descriptions and corporate documents," Aryaka Threat Research Labs
Analysis Summary
# Threat Actor: BatShadow Group
## Attribution & Identity
The threat actor is identified as BatShadow Group, a Vietnamese threat actor. Attribution is based on the use of an IP address previously flagged as associated with actors in Vietnam (103[.]124[.]95[.]161).
## Activity Summary
BatShadow Group is active in a new campaign that uses social engineering against job seekers and digital marketing professionals. They pose as recruiters, distributing malicious files disguised as job descriptions or corporate documents via ZIP archives. The infection chain leads to the deployment of a newly discovered Go-based malware, 'Vampire Bot.' The attackers lure victims into specific browser usage (Microsoft Edge) to bypass initial security blocks and ensure the infection chain progresses.
## Tactics, Techniques & Procedures
- **Social Engineering/Phishing:** Posing as recruiters and distributing lure documents (e.g., fake Marriott job descriptions).
- **Initial Access via Malicious Files:** Using ZIP archives containing decoy PDFs alongside LNK or executable files masked as PDFs (e.g., `Marriott_Marketing_Job_Description.pdf.exe`).
- **Scripting for Execution:** Utilizing embedded PowerShell scripts triggered by LNK files to download and execute subsequent stages.
- **Browser Manipulation:** Steering victims to Microsoft Edge via redirect schemes, so that the download becomes a user-initiated action that bypasses the default browser's blocks.
- **Establishing Persistence:** Downloading and executing software related to XtraViewer (a remote desktop connection tool) to establish persistent access.
- **Malware Capabilities (Vampire Bot):**
  - Host profiling.
  - Information theft.
  - Periodic screenshot capture.
  - Command and control (C2) communication for remote command execution or payload fetching.
- *(No specific MITRE ATT&CK IDs were provided in the article.)*
## Targeting
- **Sectors:** Individuals seeking employment, particularly digital marketing professionals.
- **Geography:** Linked to Vietnam via IP association, though the social engineering targets appear global (mention of Marriott).
- **Victims:** Job seekers and digital marketing professionals.
## Tools & Infrastructure
- **Malware families used:**
  - **Vampire Bot:** A new, previously undocumented malware written in Go (Golang).
  - **XtraViewer:** A remote desktop connection tool, likely legitimate software abused to maintain persistent access.
- **Infrastructure (C2, domains, IPs):**
  - Attacker-controlled server: api3[.]samsungcareers[.]work
  - Associated IP: 103[.]124[.]95[.]161 (flagged for prior association with Vietnamese threat actors)
## Implications
BatShadow represents a financially motivated Vietnamese threat actor leveraging topical lures (job seeking) to deploy sophisticated, custom malware (Vampire Bot). Their social engineering techniques, specifically manipulating browser behavior to ensure the payload executes, indicate operational maturity and a focus on deep infiltration and data theft, aligning with recent trends seen from other Vietnamese actor groups targeting digital marketing professionals.
## Mitigations
- Exercise extreme caution with unsolicited job offers or corporate documents received via email or untrusted links.
- Be wary of files disguised with double extensions (e.g., `.pdf.exe`), sometimes padded with spaces so the true extension is pushed out of view.
- Implement endpoint security solutions capable of detecting fileless execution methods (e.g., PowerShell activity) and behavior associated with the execution of remote access tools.
- Monitor network traffic for connections to known malicious infrastructure, such as api3[.]samsungcareers[.]work.
- Educate staff, especially job seekers, on browser security features and the risks of manually copying a URL into a different browser because a page instructs them to.
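As an added illustration of the file and network checks in the mitigations above (this is not code from the original article or from Aryaka), a Python triage helper that flags double-extension and LNK members inside a delivery archive and matches proxy log lines against the two indicators named on this page. The extension sets, the archive contents and the log lines are constructed for the example.

```python
import io
import re
import zipfile

# Indicators from the analysis above (de-fanged in the text, plain here for matching).
IOC_DOMAIN = "api3.samsungcareers.work"
IOC_IP = "103.124.95.161"
IOC_RE = re.compile(r"(?<![\w.-])(?:%s|%s)(?![\w-])"
                    % (re.escape(IOC_DOMAIN), re.escape(IOC_IP)), re.I)

# Extension sets are assumptions chosen for this example, not taken from the article.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

def is_disguised_name(name: str) -> bool:
    """True when a member ends in an executable extension but carries a document
    extension earlier in the name, e.g. 'Job_Description.pdf.exe' or
    'Job_Description.pdf          .exe' (spaces push the real extension out of view)."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 3:
        return False
    last = "." + parts[-1].strip()
    middle = {"." + p.strip() for p in parts[1:-1]}
    return last in EXECUTABLE_EXTS and bool(middle & DOCUMENT_EXTS)

def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Archive members worth quarantining: disguised names and any LNK shortcut."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if is_disguised_name(n) or n.lower().rstrip().endswith(".lnk")]

def log_hits(lines: list[str]) -> list[str]:
    """Proxy/DNS log lines that reference the C2 domain or its IP."""
    return [ln for ln in lines if IOC_RE.search(ln)]

def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure layout: decoy PDF plus masked payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Marriott_Marketing_Job_Description.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Marriott_Marketing_Job_Description.pdf.exe", b"MZ")
        zf.writestr("Company_Profile.pdf                .lnk", b"L\x00\x00\x00")
    return buf.getvalue()

# Constructed proxy log lines (not real telemetry); the last one is a look-alike host.
SAMPLE_PROXY_LOG = [
    "src=10.0.0.12 dst=api3.samsungcareers.work:443 action=allow",
    "src=10.0.0.12 dst=103.124.95.161:443 action=allow",
    "src=10.0.0.15 dst=updates.example.net:443 action=allow",
    "src=10.0.0.16 dst=api3.samsungcareers.workshop.net:443 action=allow",
]
```

Run `suspicious_members(build_sample_zip())` and `log_hits(SAMPLE_PROXY_LOG)` to see the two masked payloads and the two matching log lines; the look-alike host is deliberately not matched.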