BatShadow job-seeker social-engineering campaign
Campaign
Summary
BatShadow is running a phishing campaign that targets job seekers and digital marketing professionals with ZIP archives and lure PDFs that deliver Vampire Bot malware. The malware is written in Go and is built for continuous desktop surveillance, screenshot capture, host profiling, and data theft from compromised systems. Aryaka Threat Research Labs attributed the activity to the Vietnam-based group BatShadow, which uses hidden malicious files and deceptive job-application material to trigger infection. The campaign matters because it blends into ordinary hiring workflows while giving operators persistent visibility and control over victim machines.
Related Happenings
KongTuke Microsoft Teams initial access campaign
Campaign
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Formbook phishing campaign using DLL sideloading and obfuscated JavaScript
Campaign
First: 20.04.2026 18:01
Last: 20.04.2026 18:01
Sources 1
About this happening:
The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Timeline
07.10.2025 20:04 3 articles · 7mo ago
BatShadow campaign uses Vampire Bot against job seekers
Initial Disclosure
BatShadow is using recruiter impersonation and booby-trapped job documents to target job seekers and digital marketing professionals with a previously undocumented Go-based malware called Vampire Bot. The delivery chain uses ZIP archives, LNK files, embedded PowerShell, lure PDFs tied to a Marriott marketing job, fake browser and download-error pages that steer victims to Microsoft Edge, and a masqueraded payload named Marriott_Marketing_Job_Description.pdf.exe. Vampire Bot can profile the infected host, steal information, capture screenshots, and communicate with the attacker-controlled server api3.samsungcareers[.]work for commands or additional payloads, while related infrastructure such as 103.124.95[.]161 and samsung-work.com suggests the group has operated for at least a year.
Sources
- BatShadow Group Uses New Go-Based 'Vampire Bot' Malware to Hunt Job Seekers — thehackernews.com — 07.10.2025 20:04
- Vampire Bot Malware Sinks Fangs Into Job Hunters — www.darkreading.com — 09.10.2025 00:02
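The delivery chain in the Initial Disclosure entry relies on shortcut files and a document-named executable (`Marriott_Marketing_Job_Description.pdf.exe`). The triage check below is an added example, not code from the cited reports: it lists ZIP member names without extracting anything and flags `.lnk` files and document-then-executable double extensions. The extension sets, the finding codes and every sample member name other than the Marriott one are assumptions chosen for illustration.

```python
from __future__ import annotations
import io
import zipfile

# Extensions a lure pretends to be, and extensions Windows runs on double-click.
# Both sets are illustrative assumptions; tune them to local policy.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}

def classify_name(member: str) -> str | None:
    """Return a finding code for one archive member name, or None if unremarkable."""
    base = member.replace("\\", "/").rsplit("/", 1)[-1]
    # Padding such as "cv.pdf      .exe" hides the real extension in narrow columns,
    # so whitespace around each dotted part is stripped before comparison.
    exts = ["." + part.strip().lower() for part in base.split(".")[1:]]
    if not exts:
        return None
    if exts[-1] == ".lnk":
        return "shortcut"
    if exts[-1] in EXEC_EXTS and any(e in DOC_EXTS for e in exts[:-1]):
        return "double-extension"
    return None

def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """List (member, finding) pairs for a ZIP held in memory; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            code = classify_name(info.filename)
            if code:
                findings.append((info.filename, code))
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: placeholder bytes under names that mimic the lure layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Marriott_Marketing_Job_Description.pdf.exe", b"placeholder")  # name from the page
        zf.writestr("Job_Offer.pdf.lnk", b"placeholder")  # constructed name
        zf.writestr("docs/brochure.pdf", b"placeholder")  # benign
        zf.writestr("notes.v2.txt", b"placeholder")       # benign, multiple dots
    return buf.getvalue()

if __name__ == "__main__":
    for member, code in triage_zip(build_sample_zip()):
        print(f"{code:17} {member}")
```

A plain `setup.exe` is deliberately not flagged here; blocking executables in archives outright is a separate policy decision from spotting the masquerade.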