BatShadow Group’s New Campaign
A recent report revealed that BatShadow Group is running a new cyber campaign targeting job seekers and digital marketing professionals. The attackers use social engineering tricks to pose as recruiters, sending malicious files disguised as job descriptions or company documents. When opened, these files trigger a hidden infection chain that installs a new Go-based malware called Vampire Bot. This malware is capable of stealing sensitive data and maintaining remote access to infected systems.
How the Infection Begins
The attackers send ZIP archives that appear harmless but contain both a decoy PDF and a malicious shortcut or executable file. When a victim opens the shortcut, it runs a PowerShell script that connects to a remote server to download more files. One of these files appears to be a marketing job description, while another includes a remote desktop application. The goal is to create a backdoor that allows attackers to maintain control of the compromised computer.
Browser-Based Deception
The campaign also uses a clever browser trick to keep victims engaged. The lure PDF file contains a link claiming to let users “preview” the job description. However, when clicked, it redirects them to a fake error page that says the browser is unsupported. The page then instructs users to open the link using a specific browser, usually Microsoft Edge. If they follow the instructions, a ZIP file downloads automatically, containing a fake job description file named Marriott_Marketing_Job_Description.pdf.exe. The file looks like a PDF but is actually an executable that launches the Vampire Bot malware once opened.
Inside the Vampire Bot
Once activated, Vampire Bot profiles the infected computer and collects sensitive information, such as system details and user data. It can also take screenshots at intervals and send all this information to a remote command server controlled by the attackers. Through this server, the criminals can issue commands, download more malware, or monitor infected systems. As a result, the tool gives BatShadow Group long-term access and full visibility into compromised machines.
Ongoing Threats and Origins
Investigators have linked the campaign’s infrastructure to servers previously used by threat actors in Vietnam. Moreover, digital marketing professionals have been among the group’s main targets in earlier attacks that used similar social engineering tactics. These operations often aim to hijack online business accounts or steal advertising credentials. Other reports suggest that BatShadow has been active for over a year, using similar domains to distribute well-known malware families such as Agent Tesla and Lumma Stealer.
Why the Attack Succeeds
This campaign works because it exploits trust. Job seekers are eager to open files from supposed recruiters, especially when the documents look authentic. Attackers take advantage of this by padding filenames to disguise malicious executables as PDFs. As a result, victims unknowingly install malware, giving attackers access to their personal and professional data.
How to Stay Protected
To prevent such attacks, always verify the sender before opening job-related attachments. Avoid files that include double extensions, such as “.pdf.exe”. Regular cybersecurity awareness training helps employees recognize these traps before it’s too late. In addition, organizations should use advanced threat detection tools and secure email gateways to filter out dangerous attachments and phishing messages. Modern endpoint protection systems can also monitor unusual network activity, block malicious scripts, and isolate infected devices. With a layered approach combining technology and user education, both individuals and companies can stay safe from similar social engineering threats.
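The filename checks recommended above (double extensions, padded names, shortcuts or executables inside a ZIP), written as an added example that is not part of the original article: a Python check that inspects ZIP member names without extracting anything. The extension lists, the padding threshold and the sample archive are assumptions constructed for illustration; only the Marriott filename comes from the report.

```python
import io
import re
import zipfile

# Assumed, non-exhaustive lists; tune them to your own mail or download policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".lnk", ".bat", ".cmd",
                   ".ps1", ".js", ".vbs", ".hta", ".msi"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
PAD_RUN = re.compile(r"[ _]{8,}")  # assumed threshold for filename padding


def inspect_name(name):
    """Return the reasons one archive member name looks like a disguised launcher."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = [p.strip(" _") for p in base.lower().split(".")]
    reasons = []
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        final = "." + parts[-1]
        reasons.append("executable or shortcut (%s)" % final)
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            reasons.append("double extension (.%s%s)" % (parts[-2], final))
        if PAD_RUN.search(base):
            reasons.append("padded filename")
    return reasons


def scan_zip(data):
    """Map each suspicious member of a ZIP (passed as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = [] if info.is_dir() else inspect_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed sample archive: placeholder bytes, names modelled on the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Overview.pdf", b"placeholder")
        zf.writestr("Marriott_Marketing_Job_Description.pdf.exe", b"placeholder")
        zf.writestr("Benefits.pdf" + " " * 40 + ".exe", b"placeholder")
        zf.writestr("Offer_Letter.lnk", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(repr(member), "->", "; ".join(why))
```

A gateway or download hook would quarantine any archive for which `scan_zip` returns a non-empty result; name checks of this kind complement content scanning and do not replace it.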

