393/68 Thursday, October 9, 2025

The Vietnamese hacker group BatShadow has been identified as the force behind a new cyberattack campaign that uses social engineering tactics to deceive job seekers and digital marketing professionals. The primary weapon of this campaign is a newly developed malware dubbed “Vampire Bot.” Attackers impersonate recruiters and send malicious files disguised as job descriptions or corporate documents. Once opened, these files trigger a malware infection chain, with the payload written in the Go programming language.
The attack chain is highly sophisticated. Hackers often deliver ZIP archives containing both a decoy job-related document (such as a PDF with details from a well-known company) and either a malicious shortcut (LNK file) or an executable file masquerading as a PDF. When the LNK file is opened, it executes a PowerShell script that connects to an external server to fetch both the decoy file and an additional ZIP archive tied to XtraViewer remote desktop software, likely intended to maintain persistent access on infected systems. The Vampire Bot malware itself arrives disguised as an executable named Marriott_Marketing_Job_Description.pdf[.]exe, which mimics a PDF. Once active, it can harvest system profile information, steal various types of sensitive data, capture screenshots, communicate with a command-and-control (C2) server, and download additional payloads.
Evidence linking BatShadow to Vietnam includes the use of IP address 103.124.95[.]161, previously tied to Vietnamese threat actors. The focus on digital marketing professionals aligns with the group’s financial motivations, as BatShadow has a history of deploying stealer malware to hijack Facebook business accounts for profit. While the group has evolved its toolkit from Agent Tesla, Lumma Stealer, and Venom RAT to Vampire Bot, the strategy of luring job seekers and digital marketing specialists remains consistent. Researchers estimate that BatShadow has been running such campaigns for at least a year.
Given this threat, users are strongly advised to exercise caution when opening unsolicited files, especially those related to job applications, to avoid falling victim to these cybercriminal operations.
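A triage check for the archive pattern described above, as an added example that is not from the original report: it lists a ZIP's members without extracting them and flags LNK shortcuts and executables hiding behind a document extension. The extension lists and the sample file names are assumptions constructed for the illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that run code when double-clicked (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
# Document extensions commonly used as the fake "inner" extension (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def flag_archive_members(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for entries matching the lure pattern."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Windows drops trailing spaces and dots, so normalise before parsing.
            name = PurePosixPath(info.filename.replace("\\", "/")).name.rstrip(" .")
            suffixes = [s.strip().lower() for s in PurePosixPath(name).suffixes]
            if not suffixes:
                continue
            if suffixes[-1] == ".lnk":
                findings.append((info.filename, "shortcut (LNK) inside archive"))
            elif suffixes[-1] in EXECUTABLE_EXTS:
                if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                    findings.append((info.filename, "executable with document double extension"))
                else:
                    findings.append((info.filename, "executable inside archive"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: placeholder bytes only, names invented for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Job_Description.pdf.exe", b"placeholder")
        zf.writestr("docs/Offer_Details.pdf.lnk", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in flag_archive_members(build_sample_archive()):
        print(f"{member}: {reason}")
```

The same function can sit in a mail gateway or download hook, since it reads only the archive's central directory and never writes members to disk.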
Source: https://thehackernews.com/2025/10/batshadow-group-uses-new-go-based.html