Ongoing Threat Alert as BatShadow Deploys New Vampire Bot Targeting Job Seekers

With a recently discovered Go-based malware known as “Vampire Bot,” a new threat campaign attributed to the Vietnamese threat group BatShadow is aggressively targeting job seekers and digital marketing experts. To lure victims into a multi-stage infection chain, the attackers pose as recruiters and circulate malicious files masquerading as job descriptions. Using fraudulent PDFs, LNK files, and PowerShell scripts, this chain downloads and runs Vampire Bot, which permits system profiling, data theft, screenshot capture, and remote command execution. Organizations should be on the lookout for socially engineered lures delivered through chat or email.

Technical Description

The BatShadow group initiates the infection chain with ZIP archives that contain malicious LNK or executable files alongside decoy PDFs posing as job descriptions. These files trigger embedded PowerShell scripts that retrieve further payloads from remote servers. The payloads include the Go-based Vampire Bot malware and a ZIP file containing XtraViewer components for remote access. Once launched, Vampire Bot relies on user interaction and on tricks that sidestep browser-based download protections to establish persistence and control, then carries out host profiling, data exfiltration, periodic screenshot collection, and command execution over its C2 channel. The details of the BatShadow campaign are discussed further below.

Delivery and Infection Chain:

BatShadow targets job seekers and digital marketing experts through spear-phishing messages carrying ZIP files that appear to be job descriptions or company documents. Each ZIP contains either a malicious LNK file or an executable padded to look like a PDF. Social engineering is used to trick victims into opening these files, frequently via links to fake job postings or documents that urge the victim to use Microsoft Edge to continue the download. The infection chain proceeds as follows:

  • The victim opens a ZIP file that contains a disguised LNK or executable (padded to look like a “.pdf”) and a fake PDF.
  • An embedded PowerShell script runs when the LNK is opened.
  • PowerShell contacts attacker-controlled servers to download a lure PDF and a ZIP file containing further payloads (such as XtraViewer components).
  • To get around browser scripting safeguards, the victim is sent to fraudulent landing sites that require Edge to be used manually (a programmatic Edge launch or a user-initiated URL paste).
  • The website triggers an automatic ZIP download of the malicious executable (e.g., Marriott_Marketing_Job_Description.pdf.exe) and displays fake error messages.
  • To establish persistence, the downloaded executable starts the Go-based Vampire Bot and its companion application (XtraViewer).
  • After execution, Vampire Bot starts C2 communication to receive commands, exfiltrate data, take screenshots, and retrieve additional payloads.
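A defender's check for the chain above, added here as an example and not taken from the original alert or any vendor tooling: it runs three rules over constructed Sysmon-style process-creation events, flagging a double-extension executable like the `.pdf.exe` lure, PowerShell launched from Explorer (as an LNK double-click would) with download or hidden-window arguments, and Edge launched by a script host. The field names, user paths and lure URL are constructed assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -w hidden -ep bypass -c "iwr http://lure.invalid/jd.pdf -OutFile $env:TEMP\\jd.pdf"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\Marriott_Marketing_Job_Description.pdf.exe",
     "command_line": r'"C:\Users\alice\Downloads\Marriott_Marketing_Job_Description.pdf.exe"'},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"msedge.exe" https://lure.invalid/apply'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\alice\Documents\resume.docx"'},
]

# Document-looking name followed by an executable extension (e.g. "..._Description.pdf.exe").
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.(exe|scr|com|pif|bat|cmd)$", re.I)
# Common download primitives seen in LNK-launched PowerShell stagers.
DOWNLOAD_CMDLET = re.compile(r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadfile|downloadstring|start-bitstransfer|curl|wget)\b", re.I)
# Hidden window, policy bypass or encoded command: typical of a stager, rare for admins' interactive use.
HIDDEN_OR_BYPASS = re.compile(r"(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-enc(odedcommand)?\b)", re.I)

def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the detection rules the event matches (empty list = no hit)."""
    hits = []
    image, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = event["command_line"]
    if DOUBLE_EXT.search(image):
        hits.append("double_extension_executable")
    if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
            and (DOWNLOAD_CMDLET.search(cmd) or HIDDEN_OR_BYPASS.search(cmd)):
        hits.append("user_launched_powershell_downloader")
    if image == "msedge.exe" and parent in ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"):
        hits.append("edge_launched_by_script_host")
    return hits

def scan(events):
    """Map each event index to its rule hits, dropping events with none."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, basename(SAMPLE_EVENTS[i]["image"]), hits)
```

The Edge rule is the one most likely to need tuning per environment, since some deployment scripts legitimately open a browser; pair it with the URL or the user context before alerting.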

Technical Capabilities:

The modular design of the Go-based Vampire Bot malware allows for extensive system monitoring and data theft. On execution, it gathers system metadata, profiles the compromised host, and exfiltrates private data, including stored credentials. The malware maintains continuous communication with a command-and-control (C2) server and takes screenshots at predetermined intervals. Through this channel it receives remote commands, runs extra payloads, and performs further malicious actions, effectively giving the attacker persistent access to and control over the compromised machine. It additionally incorporates remote desktop tools such as XtraViewer to extend its control capabilities and reinforce persistence.

Attribution and Evolution:

Attribution to BatShadow rests on infrastructure overlaps and IP addresses previously linked to threat actors operating in Vietnam. The group now uses custom payloads such as Vampire Bot instead of commodity malware like Agent Tesla and Lumma Stealer. Its growing reliance on Go-based malware and deceptive delivery strategies points to a shift toward more tailored, focused campaigns with improved evasion.

Active Campaign and Geographic Spread:

For more than a year, the BatShadow campaign has used multi-stage malware delivery and socially engineered recruiter lures to target job seekers and digital marketing professionals. Although linked to Vietnam through IP addresses and infrastructure, the campaign impersonates global brands and uses English-language content, suggesting a wide geographic reach across Southeast Asia, North America, and other English-speaking countries. The group targets areas with a high concentration of remote and contract marketing positions and uses evasion techniques to get past defences and raise infection rates. Companies in these fields, particularly those involved in marketing and human resources, should continue to exercise caution.

Conclusion:

The ongoing BatShadow campaign demonstrates the increasing sophistication of threat actors who use multi-stage delivery chains and social engineering to target susceptible groups such as digital marketers and job seekers. The combination of browser-based evasion tricks, deceptive recruitment lures, and custom Go-based malware highlights the need for heightened awareness, layered security, and user education. To reduce the risk of compromise and long-term unauthorized access, organizations must prioritize monitoring for suspicious files, implement stringent email filtering, and train staff to spot such schemes.

Impact

Vampire Bot infections can have serious repercussions, including compromised user passwords, unauthorized access to business accounts, and theft of confidential personal and corporate data. The malware’s ability to take screenshots and retain persistent remote control lets attackers carry out continuous espionage, steal intellectual property, and move laterally within networks. Individuals may suffer identity theft or financial loss, while corporations face data breaches, operational disruption, reputational harm, and possible regulatory penalties.

IOC and Context Details

Tactic Name: Initial Access, Execution, Persistence, Credential Access, Command and Control
Technique Name: Spear-phishing Attachment; User Execution; PowerShell; Remote Access Software; Data Exfiltration
Sub Technique Name: Spear-phishing Attachment: Malicious Files; PowerShell: Command-Line Interface; Lateral Movement via Remote Desktop Protocol
Attack Type: Malware
Targeted Applications: Microsoft Edge, PowerShell, XtraViewer
Region Impacted: Vietnam, North America, Southeast Asia
Industry Impacted: Job Seekers, Digital Marketing, Human Resources, Corporate Business Accounts
IOCs

Domains
api3.samsungcareers[.]work
samsung-work[.]com

IP Addresses
103.124.95[.]161

SHA-256
eb43edc52b7358dd993e2e6343ae4f59492e4b95651ed7877e17da1f5d214ba6
14aa9c1113184d439d6f65c6c55c1bfa3654c113f7ed164d92f0b439e2134342

File Names
Marriott_Marketing_Job_Description.pdf.exe
Samsung_Job_Application_Document.rar
Customized proposal (2).rar
CVE N/A

Recommended Actions

  • Educate employees to recognize and report suspicious job offer emails and attachments.
  • Implement advanced email filtering to block ZIP, LNK, and executable files disguised as documents.
  • Restrict PowerShell script execution and monitor for unusual command-line activity.
  • Enforce browser policies limiting the use of Microsoft Edge for untrusted downloads.
  • Deploy endpoint detection solutions to identify and block Go-based malware behaviors.
  • Regularly update and patch remote access software to reduce exploitation risks.
  • Conduct routine threat hunting for indicators of compromise related to BatShadow activity.
  • Maintain strong credential hygiene and enable multi-factor authentication on all business accounts.
