Vampire Bot Malware
A Vietnamese-speaking threat actor tracked as BatShadow is running a targeted campaign that lures job seekers and digital‑marketing professionals into installing a previously undocumented Go‑based malware the researchers call Vampire Bot. The group impersonates recruiters and distributes seemingly legitimate job descriptions and corporate PDFs that, when interacted with, trigger a multi‑stage infection chain and deliver remote surveillance and data‑theft capabilities.
Social Engineering And Lure Delivery
The attackers craft recruitment‑style messages and ZIP attachments that contain decoy PDF files alongside malicious shortcuts (LNK) or executables disguised as PDFs. The document lures are specifically aimed at marketing roles (one lure referenced a Marriott marketing job) to increase credibility with the intended victims. Victims are encouraged to 'preview' or download the job description; either action starts the multi‑stage infection chain. No software vulnerability is exploited: every stage depends on the victim opening or running something.
Infection Chain Progression
The ZIP packages include a malicious LNK that runs an embedded PowerShell script. That script contacts an external server to fetch a lure PDF (shown to the victim so the interaction looks normal) and a separate ZIP bundle containing files for XtraViewer, a legitimate remote‑desktop product. The XtraViewer components are executed, most likely to give the operators persistence or interactive remote access, and the chain continues until the Go executable is deployed.
Abusing Edge Redirects
A key trick in the campaign is a landing page that shows a fake 'unsupported browser' error and instructs victims to copy the URL and open it in Microsoft Edge. Modern browsers block or warn on redirects and downloads that a page triggers without a user gesture, so the attackers rely on convincing the user to perform the navigation themselves (copy/paste into Edge); the resulting page load counts as user‑initiated and the download flow continues unhindered. Once opened in Edge, the page shows another fake error claiming the PDF was compressed and 'sent to your device,' which triggers an automatic ZIP download.
Payload And Decoy Naming Trick
The auto‑downloaded ZIP contains the purported job description and a malicious executable named to appear like a PDF (for example, 'Marriott_Marketing_Job_Description.pdf.exe'). The executable uses filename padding (extra spaces between '.pdf' and '.exe') so it looks like a PDF in some views, increasing the likelihood that victims will run it.
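The naming trick above, and the LNK‑beside‑decoy‑PDF packaging described under the infection chain, are both visible before anything is executed, so a mail gateway or triage script can flag them. The following is an added example written for this article, not BatShadow tooling or the researchers' code. It inspects a ZIP in memory for (a) the extension the OS will actually honour, (b) a document extension hidden earlier in the name, (c) whitespace padding between the two, and (d) a mismatch between the declared extension and the file's magic bytes. The last check goes beyond the specific case in the text: it catches a PE or Shell Link body under any document‑looking name, padded or not. The archive, filenames and byte contents are constructed for the example; the Marriott filename is the one quoted above, and the LNK magic is the standard Shell Link header.

```python
"""Triage a recruitment-lure ZIP for LNK droppers shipped beside a decoy PDF,
executables named to look like PDFs, and whitespace padding that pushes the
real extension out of view. Added example with a constructed archive."""
import io
import zipfile

# Shell Link header: HeaderSize 0x4C then CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".lnk", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".msi", ".hta"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def analyze_name(name):
    """Return the extension Windows will honour (the last one), any document
    extension hidden earlier in the name, and whether whitespace padding sits
    between segments. Comparison is case-insensitive."""
    base = name.rsplit("/", 1)[-1]
    segments = base.split(".")
    real_ext = "." + segments[-1].strip().lower() if len(segments) > 1 else ""
    decoy_ext, padded = None, False
    for seg in segments[1:-1]:
        stripped = seg.strip()
        padded = padded or stripped != seg
        if "." + stripped.lower() in DOCUMENT_EXTS:
            decoy_ext = "." + stripped.lower()
    return {"real_ext": real_ext, "decoy_ext": decoy_ext, "padded": padded}


def sniff_type(head):
    """Identify content by magic bytes, independent of the filename."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def triage_zip(zip_bytes):
    """Return (findings, verdict). findings maps each flagged entry to its
    reasons; an '*archive*' entry is added when a dropper travels with a decoy
    document, the lure shape described in the article."""
    findings = {}
    has_document = has_dropper = False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            meta = analyze_name(info.filename)
            with zf.open(info) as fh:
                kind = sniff_type(fh.read(32))
            reasons = []
            if meta["real_ext"] in EXECUTABLE_EXTS:
                reasons.append("executable_extension")
            if meta["decoy_ext"] and meta["real_ext"] in EXECUTABLE_EXTS:
                reasons.append("document_decoy_in_name")
            if meta["padded"]:
                reasons.append("whitespace_padding")
            if kind in ("pe", "lnk") and meta["real_ext"] in DOCUMENT_EXTS:
                reasons.append("content_mismatch")
            if kind in ("pe", "lnk") or meta["real_ext"] in EXECUTABLE_EXTS:
                has_dropper = True
            if kind == "pdf":
                has_document = True
            if reasons:
                findings[info.filename] = reasons
    if has_document and has_dropper:
        findings["*archive*"] = ["decoy_document_beside_dropper"]
    return findings, ("suspicious" if findings else "clean")


def build_sample_zip():
    """Constructed lure archive: decoy PDF, LNK dropper, an executable whose
    '.exe' is pushed right by spaces, and a PE body under a plain '.pdf' name.
    Contents are header bytes only, nothing executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Marriott_Marketing_Job_Description.pdf", b"%PDF-1.7\n% constructed decoy\n")
        zf.writestr("Marriott_Marketing_Job_Description.pdf          .exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Open_Job_Description.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Payslip.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    found, verdict = triage_zip(build_sample_zip())
    print(verdict)
    for entry, reasons in found.items():
        print(f"  {entry!r}: {', '.join(reasons)}")
```

Run as a script it prints the verdict and one line per flagged entry; the padded name is reported with its spaces intact so the padding is visible in the log. In a gateway the `findings` dict is what you would attach to the quarantine record, and `content_mismatch` alone is enough to hold an attachment, since a PDF that starts with `MZ` has no benign explanation.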
Capabilities Of Vampire Bot
The dropped executable is a Golang binary dubbed Vampire Bot. Its observed capabilities include:
- enumerating and profiling the infected host,
- stealing a broad set of data (credential stores, files, etc.),
- taking screenshots on a configurable schedule, and
- maintaining command‑and‑control communication with an attacker server (reported as api3.samsungcareers.work) to receive commands or download additional payloads.
Attribution And Infrastructure
Analysts link this activity to Vietnam based on infrastructure reuse — for example, an IP address (103.124.95.161) previously associated with Vietnam‑linked operators — and on targeting patterns. BatShadow has targeted digital‑marketing professionals before and overlaps with other financially motivated Vietnamese groups known to deploy stealers that hijack Facebook Business assets. The group appears to have been active for at least a year and has previously used domains such as samsung-work.com to distribute malware families including Agent Tesla, Lumma Stealer, Venom RAT, and, in October 2024, campaigns distributing Quasar RAT via similarly booby‑trapped job description files.
Why The Attack Is Effective
BatShadow combines industry‑relevant lures (marketing job ads), filename tricks, staged payloads (to evade simple file scanning), and a flow that coerces a manual browser action to bypass scripted redirect protections. That mix of social engineering and multi‑stage technical steps increases the chances of successful compromise and long‑term access.
Conclusion
BatShadow's campaign underscores how effective targeted social engineering is when paired with a staged, evasive technical chain. Organizations that recruit frequently or handle applicant traffic — and professionals in digital marketing who manage online assets — should harden mail/attachment handling, apply strict execution controls, and treat recruitment‑style attachments as high‑risk until validated.