BatShadow Deploys New Bot to Attack Marketers

A Vietnamese threat group dubbed BatShadow has been linked to a new campaign that uses social engineering to trick job seekers and digital marketing professionals into installing never-before-seen malware called Vampire Bot. 

The attackers pose as recruiters and distribute malicious files disguised as legitimate job descriptions and corporate documents. When a user opens these lures, it triggers a multi-stage infection chain involving a Go-based malware. 

The Attack Chain and Evasion Tactics 

The initial attack typically begins with a ZIP archive that contains a decoy PDF and a malicious shortcut (LNK) or executable file masked to look like a PDF. When the victim launches the LNK file, it runs an embedded PowerShell script. This script covertly contacts an external server to download a legitimate-looking lure document; in one observed case, this was a PDF for a marketing job at Marriott. 

Crucially, the PowerShell script also downloads a ZIP file containing files related to XtraViewer, a remote desktop connection software, likely to secure persistent access to the compromised system. 

If the victim clicks a "preview" link within the lure PDF, they are sent to a landing page that displays a fake browser error message. This message instructs the user to manually copy the URL and open it in the Microsoft Edge browser, claiming the page only supports downloads there. 

This instruction is a key evasion tactic. While browsers like Chrome might automatically block scripted pop-ups and redirects, manually copying and pasting the URL into Edge is treated as a user-initiated action, allowing the infection chain to proceed. 

Deployment of Vampire Bot 

If the victim follows the attacker's instructions, a second error message appears in Edge, stating the online PDF viewer is experiencing an issue and the file has been "compressed and sent to your device." This triggers the auto-download of a ZIP archive. Inside is the final malicious executable, cleverly named something like "Marriott_Marketing_Job_Description.pdf.exe". The file uses extra spaces between ".pdf" and ".exe" to hide the true extension and impersonate a standard PDF document. 
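The padded double extension described above is easy to flag on the defender's side. The following is an added detection example, not code from the article or from any vendor's tooling: it treats a filename whose document extension is followed by optional whitespace and then an executable extension as spoofed. The extension lists and the sample filenames are constructed for this example, and the check generalises beyond the page's plain spaces to tabs and non-breaking spaces.

```python
import re
from typing import Optional

# Document extensions an attacker impersonates and executable extensions
# they hide behind them. Both lists are assumptions for this example.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
EXEC_EXTS = {"exe", "scr", "lnk", "bat", "cmd", "com", "pif", "msi", "js", "vbs", "hta"}

# "<name>.<doc ext><optional run of spaces / tabs / NBSP>.<exec ext>" at end of name.
_PATTERN = re.compile(
    r"\.(?P<doc>[A-Za-z0-9]{1,5})(?P<pad>[ \t\u00a0]*)\.(?P<exe>[A-Za-z0-9]{1,4})$"
)


def spoofed_extension(filename: str) -> Optional[dict]:
    """Return details if the name hides an executable behind a document extension, else None."""
    m = _PATTERN.search(filename)
    if not m:
        return None
    doc, pad, exe = m.group("doc").lower(), m.group("pad"), m.group("exe").lower()
    if doc not in DOC_EXTS or exe not in EXEC_EXTS:
        return None
    return {
        "filename": filename,
        "decoy_ext": doc,
        "real_ext": exe,
        "padding_chars": len(pad),
    }


def scan_filenames(names):
    """Return a record for every name in the list that looks spoofed."""
    return [r for r in (spoofed_extension(n) for n in names) if r]


# Constructed sample names; the first mimics the lure described in the article.
SAMPLE_FILES = [
    "Marriott_Marketing_Job_Description.pdf" + " " * 12 + ".exe",
    "Marriott_Marketing_Job_Description.pdf",
    "invoice.pdf.exe",
    "notes.txt\t.lnk",
    "setup.exe",
    "backup.tar.gz",
]

if __name__ == "__main__":
    for hit in scan_filenames(SAMPLE_FILES):
        print(f"SPOOFED: {hit['filename']!r} -> real .{hit['real_ext']} "
              f"({hit['padding_chars']} padding chars)")
```

Run it over names extracted from ZIP attachments or download logs; a legitimate document never carries a second, executable extension after its own.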

This executable is the Vampire Bot, a Golang malware capable of extensive compromise. Its functions include profiling the infected host, stealing a wide range of information, capturing screenshots at set intervals, and maintaining communication with an attacker-controlled server (api3.samsungcareers[.]work) to receive and execute remote commands or fetch further payloads. 

Attribution to BatShadow 

BatShadow's connection to Vietnam is based on the use of a previously flagged Vietnamese IP address (103.124.95[.]161). Furthermore, digital marketing professionals have historically been a prime target for Vietnamese financially motivated groups, who aim to hijack Facebook business accounts using various stealer malware. 

The BatShadow group is believed to have been active for at least a year, using similar domains (like samsung-work.com) in prior campaigns to spread other malware families, including Agent Tesla, Lumma Stealer, and Venom RAT. 

In summary, the BatShadow threat group is highly effective at using sophisticated social engineering and multi-stage infection chains to deliver the powerful, Go-based Vampire Bot for system surveillance, data exfiltration, and remote control. 
