BatShadow Group Exploits Windows Systems with New Go-Based Vampire Bot Malware Targeting Job Seekers and Digital Marketers
- Rescana
- Oct 8

Rescana Threat Intelligence Report
BatShadow Group Uses New Go-Based 'Vampire Bot' Malware to Hunt Job Seekers
Date: October 7, 2025
Executive Summary
A newly identified campaign orchestrated by the Vietnamese threat actor BatShadow is actively targeting job seekers and digital marketing professionals with a sophisticated, multi-stage attack. The campaign leverages advanced social engineering, fake job offers, and a novel Go-based malware known as Vampire Bot. This malware is distributed through a complex infection chain involving malicious LNK files, PowerShell scripts, and decoy documents, ultimately enabling the attackers to exfiltrate sensitive data, hijack business accounts, and maintain persistent access to compromised systems. The campaign demonstrates a high level of technical proficiency and operational security, making it a significant threat to individuals and organizations involved in digital marketing and job recruitment.
Threat Actor Profile
BatShadow is a financially motivated threat group with origins traced to Vietnam. The group has a history of targeting digital marketing professionals and job seekers, particularly those managing or accessing Facebook business accounts. BatShadow is known for its use of multi-stage infection chains, advanced social engineering tactics, and a diverse malware arsenal, including previous deployments of Agent Tesla, Lumma Stealer, Venom RAT, and Quasar RAT. The group’s operations are characterized by their adaptability, leveraging current events and employment trends to craft convincing lures. Their infrastructure is frequently updated, with command and control (C2) domains and IP addresses often registered to Vietnamese hosting providers.
Technical Analysis of Malware/TTPs
The Vampire Bot campaign employs a highly technical infection chain designed to evade detection and maximize user interaction. The initial vector is a spearphishing email, typically masquerading as a legitimate job offer from a reputable company. The email contains a ZIP archive with a decoy PDF and a malicious LNK or executable file, often named to mimic a job description (e.g., Marriott_Marketing_Job_Description.pdf.exe). The attackers exploit Windows’ default behavior of hiding known file extensions and pad the filename with spaces to obscure the file’s real extension.
Upon execution, the LNK file triggers an embedded PowerShell script. This script downloads both a decoy PDF and a ZIP archive containing XtraViewer, a legitimate remote desktop tool repurposed for persistence. The decoy PDF is presented to the victim, while XtraViewer is silently installed to establish remote access.
The decoy PDF further entices the victim by including a link to "preview" the job description. This link redirects the user to a fake error page, instructing them to use Microsoft Edge for the download, thereby bypassing Chrome’s built-in security features. When the victim complies, another error message is displayed, prompting the download of a second ZIP archive containing the Go-based Vampire Bot malware.
Vampire Bot is compiled in Golang, providing cross-platform capabilities and complicating static analysis. Its core functionalities include comprehensive host profiling, credential and file theft, browser data extraction, and periodic screenshot capture. The malware maintains encrypted communication with its C2 infrastructure, allowing for remote command execution, payload delivery, and exfiltration of harvested data. The C2 domains identified in this campaign include api3.samsungcareers[.]work and samsung-work[.]com, both linked to Vietnamese hosting services and previously associated with similar campaigns.
The technical sophistication of Vampire Bot is evident in its modular architecture, anti-analysis techniques, and the use of legitimate software for persistence. The malware’s ability to capture screenshots at configurable intervals, combined with its data theft capabilities, makes it particularly effective for hijacking social media business accounts and extracting sensitive information.
Exploitation in the Wild
The BatShadow campaign has been active since at least 2024, with a marked increase in activity targeting English-speaking job seekers and digital marketing professionals. The group’s tactics have evolved from deploying commodity malware such as Agent Tesla and Quasar RAT to leveraging the custom-built Vampire Bot. Victims are typically lured through professional networking platforms and job boards, where attackers pose as recruiters from well-known organizations.
Once compromised, victims report unauthorized access to their Facebook business accounts, theft of credentials, and persistent system compromise. The attackers use the stolen information for financial gain, including the sale of hijacked accounts and the deployment of additional malware payloads. The campaign’s reliance on social engineering and file extension spoofing has enabled it to bypass traditional email security filters and endpoint protection solutions.
The infrastructure supporting the campaign is robust, with C2 domains frequently rotated and registered using privacy protection services. The primary C2 IP address, 103.124.95[.]161, is associated with multiple malicious domains and has been linked to previous BatShadow operations. The group’s use of legitimate remote desktop software for persistence further complicates detection and remediation efforts.
Victimology and Targeting
The primary targets of the BatShadow campaign are job seekers and digital marketing professionals, particularly those managing high-value social media business accounts. The attackers focus on individuals with access to Facebook business tools, leveraging stolen credentials to hijack accounts and monetize them through fraudulent advertising or resale.
Victims are typically located in English-speaking countries, although the campaign’s infrastructure and operational language indicate a Vietnamese origin. The use of professional networking platforms and job boards as initial contact points allows the attackers to cast a wide net, increasing the likelihood of successful compromise. The campaign’s emphasis on digital marketing professionals suggests a strategic focus on individuals with access to valuable online assets.
Mitigation and Countermeasures
Organizations and individuals can reduce their risk of compromise by implementing a multi-layered security strategy. User awareness training is critical, with a focus on recognizing suspicious job offers, verifying sender identities, and understanding the risks associated with opening files from unknown sources. Enabling file extension visibility in Windows is essential to prevent the execution of disguised executables such as .pdf.exe files.
Network administrators should proactively block known malicious domains and IP addresses associated with the campaign, including api3.samsungcareers[.]work, samsung-work[.]com, and 103.124.95[.]161. Email security solutions should be configured to flag and quarantine ZIP archives containing LNK or executable files, particularly those received from external sources.
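The disguised-filename trick described in the technical analysis (a .pdf.exe double extension padded with spaces) and the archive filtering recommended above can be checked before a ZIP ever reaches a mailbox. The following is an added example written for this report, not Rescana's code or any vendor's product; it inspects archive member names only, never extracts or runs anything, and the sample ZIP it builds is constructed to mimic the lure layout.

```python
import io
import re
import zipfile

# Extensions that execute on Windows; LNK is included because the report's chain starts with one.
EXECUTABLE_EXTS = {".exe", ".lnk", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta"}
# Extensions a job seeker expects to see in an offer; used to spot a decoy "inner" extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".txt"}

def classify_member(name: str) -> list:
    """Return the reasons an archive member name looks disguised (empty list if clean)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]                 # ignore directories inside the archive
    stripped = base.rstrip()
    parts = [p.strip() for p in stripped.lower().split(".")]
    real_ext = "." + parts[-1] if len(parts) > 1 else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable member: {real_ext}")
        # e.g. Marriott_Marketing_Job_Description.pdf.exe: ".pdf" is the decoy, ".exe" is real
        if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
            reasons.append(f"double extension hides {real_ext} behind .{parts[-2]}")
    # A run of spaces before the final extension pushes it out of view in Explorer's name column.
    if re.search(r"\s{2,}\.[A-Za-z0-9]+$", stripped):
        reasons.append("whitespace padding before final extension")
    return reasons

def scan_zip(data: bytes) -> dict:
    """Map each suspicious member name to its reasons; reads the central directory only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: a decoy PDF, a space-padded .pdf.exe, and an LNK (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Marriott_Marketing_Job_Description.pdf" + " " * 40 + ".exe", b"MZ placeholder")
        zf.writestr("Job_Description.lnk", b"L\x00\x00\x00 placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(why))
```

A mail gateway rule that quarantines any archive for which scan_zip returns a non-empty result covers both the LNK and the padded double-extension variants without relying on the user noticing a hidden extension.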
Endpoint detection and response (EDR) solutions should be deployed to monitor for suspicious PowerShell activity, unauthorized installation of remote desktop software, and anomalous outbound connections to known C2 infrastructure. Regular audits of user accounts, especially those with access to business-critical social media platforms, can help identify unauthorized access and mitigate the impact of account hijacking.
Incident response plans should be updated to include procedures for handling social engineering attacks, malware infections, and account compromise. Organizations are encouraged to collaborate with threat intelligence providers to stay informed of emerging threats and update their defenses accordingly.
References
The Hacker News: BatShadow Group Uses New Go-Based 'Vampire Bot' Malware to Hunt Job Seekers https://thehackernews.com/2025/10/batshadow-group-uses-new-go-based.html
Aryaka Threat Research Labs Report (as cited in The Hacker News) https://thehackernews.com/2025/10/batshadow-group-uses-new-go-based.html
Cyble: Vietnamese Threat Actor Targets Job Seekers with Quasar RAT (October 2024) https://cyble.com/blog/vietnamese-threat-actor-targets-job-seekers/
MITRE ATT&CK Techniques https://attack.mitre.org/techniques/T1566/
The Cyber Security Hub on X (Twitter) https://x.com/TheCyberSecHub/status/1975624971696414741
MalwareTips Forum Discussion https://malwaretips.com/threads/batshadow-group-uses-new-go-based-vampire-bot-malware-to-hunt-job-seekers.137831/
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to identify, assess, and mitigate cyber risks across their digital supply chain. Our platform leverages real-time threat intelligence, automated risk scoring, and continuous monitoring to empower security teams and reduce exposure to emerging threats. For more information about how Rescana can help your organization strengthen its cyber resilience, please contact us at ops@rescana.com. We are happy to answer any questions.