BatShadow APT Launches Vampire Bot Campaign, Targeting Job Seekers with Malicious Samsung Lures
The threat actor known as BatShadow, linked to Vietnam, has launched a new malicious campaign targeting job seekers and digital marketing professionals. Posing as recruiters, the attackers distribute forged job descriptions; when victims open the files, a multi-stage infection unfolds, ultimately delivering a previously undocumented Go-based malware dubbed Vampire Bot.
The infection chain begins with a ZIP archive containing a lure — a seemingly legitimate PDF — and a malicious executable masquerading as that PDF. Activating the faux shortcut runs a PowerShell script that contacts a remote server to fetch the counterfeit job posting, presented as a document from a purported Marriott hotel. Simultaneously, the script retrieves a ZIP archive with components of XtraViewer, a remote-access utility the operators likely use to establish persistence.
Victims who visit the spoofed page are shown a message claiming their browser is unsupported and are prompted to open the site in Microsoft Edge. If they comply, a secondary decoy notifies them of an “online-viewer fault” and purports to auto-deliver the file to their device. The downloaded ZIP contains an executable disguised as a PDF by inserting spaces between “.pdf” and “.exe,” fooling cursory inspection.
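As an added defender-side illustration (not code from the report or from the researchers it cites), the following Python flags archive entries that use the whitespace-padded double-extension trick described above; the file names and the list of padding characters are constructed assumptions, not indicators from the campaign.

```python
import re
from typing import List, Optional, Tuple

# Extensions a recipient would regard as harmless documents.
DOCUMENT_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "txt")
# Extensions Windows will run when the file is double-clicked.
EXECUTABLE_EXTS = ("exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "lnk")
# Whitespace an attacker can use as padding: ASCII space and tab plus
# non-breaking / fixed-width Unicode spaces that Explorer renders like spaces.
PADDING = " \t\u00a0\u2002\u2003\u2007\u202f\u3000"

_PATTERN = re.compile(
    r"\.(?P<doc>" + "|".join(DOCUMENT_EXTS) + r")"
    r"(?P<pad>[" + re.escape(PADDING) + r"]*)"
    r"\.(?P<exe>" + "|".join(EXECUTABLE_EXTS) + r")$",
    re.IGNORECASE,
)


def classify_filename(filename: str) -> Optional[str]:
    """Return "padded-double-extension" for names like 'offer.pdf     .exe',
    "double-extension" for 'offer.pdf.exe', and None for anything else."""
    m = _PATTERN.search(filename)
    if m is None:
        return None
    return "padded-double-extension" if m.group("pad") else "double-extension"


def scan_archive_listing(names: List[str]) -> List[Tuple[str, str]]:
    """Classify every entry of a ZIP listing; return the suspicious ones."""
    return [(n, v) for n in names if (v := classify_filename(n))]


# Constructed sample listing (hypothetical names, not real campaign artifacts).
SAMPLE_LISTING = [
    "Marriott_Job_Description.pdf",
    "Marriott_Job_Description.pdf                    .exe",
    "Job_Offer.PDF\u00a0\u00a0\u00a0.EXE",
    "notes.pdf.exe",
    "setup.exe",
    "readme.txt",
]

if __name__ == "__main__":
    for name, verdict in scan_archive_listing(SAMPLE_LISTING):
        print(f"{verdict:26} {name!r}")
```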
The final stage installs Vampire Bot — a malware package capable of harvesting system information, taking periodic screenshots, exfiltrating collected data to a command server, and executing remote instructions. The command-and-control address is cloaked beneath a domain styled to resemble a Samsung corporate subunit, a ruse intended to hinder detection.
Attribution to Vietnam rests on indicators such as IP addresses previously observed in attacks associated with that country. The campaign’s focus on marketing professionals aligns with a pattern: stolen credentials are often leveraged to seize corporate social-media accounts. Similar schemes have been recorded before — notably in 2024, when another Vietnam-linked group distributed Quasar RAT using malicious job descriptions.
The use of domains mimicking major brands (for example, “samsung-work[.]com”) and the repertoire of previously deployed payloads — Agent Tesla, Lumma Stealer, and Venom RAT — suggest BatShadow has operated for at least a year. This latest operation underscores the group’s continued reliance on sophisticated social-engineering chains, exploiting job-seekers’ trust and meticulously orchestrated delivery mechanisms to compromise targets.