Hackers Target Job Seekers With New “Vampire Bot” Malware

Vietnamese hackers are using fake job offers to trick professionals into installing Vampire Bot, a new malware that steals data and enables surveillance.

In a rush? Here are the quick facts:

  • Fake job offers hide malware disguised as PDFs and ZIP files.
  • Vampire Bot steals data, screenshots, and enables remote access.
  • Infection chain uses fake Marriott job description to trick victims.

A Vietnamese hacking group known as BatShadow has been linked to a new cyber campaign that targets job seekers and digital marketing professionals using fake job offers to spread malware.

The campaign, which was first reported by The Hacker News, delivers a previously unknown malicious program called Vampire Bot.

According to researchers Aditya, “The attackers pose as recruiters, distributing malicious files disguised as job descriptions and corporate documents. When opened, these lures trigger the infection chain of a Go-based malware.”

The attacks start with ZIP files that contain decoy PDFs and malicious shortcut or executable files made to look like PDFs. Once opened, these files run hidden PowerShell scripts that download additional malware components from an external server.

One lure document pretends to be a marketing job offer at Marriott, while the downloaded malware installs XtraViewer, a remote desktop tool likely used to gain ongoing access to the victim’s computer.

Victims are then tricked into clicking on fake “preview” links that lead to deceptive web pages. These pages claim the user’s browser is unsupported and tell them to open the file in Microsoft Edge.

When they do, a ZIP file automatically downloads containing the fake job description and the real malware — a file named “Marriott_Marketing_Job_Description.pdf.exe.”
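The delivery format described above (a ZIP holding a decoy PDF next to a shortcut or executable named to look like one) can be checked before anything is opened. The following is an added example, not code from the article or the researchers; the extension lists and every sample member except the `.pdf.exe` file name quoted above are constructed assumptions, and the padded-name handling goes slightly beyond the case the article describes.

```python
import io
import zipfile

DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}        # what the reader expects
LAUNCH_EXTS = {".exe", ".scr", ".com", ".lnk", ".bat", ".cmd", ".ps1"}  # what would run
MAGIC = {b"MZ": "PE executable",
         b"L\x00\x00\x00\x01\x14\x02\x00": "Windows shortcut"}


def scan_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for each archive member that looks like a lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
            # Strip padding so "x.pdf   .exe" is treated like "x.pdf.exe".
            exts = ["." + part.strip() for part in base.split(".")[1:]]
            final = exts[-1] if exts else ""
            if final in LAUNCH_EXTS and any(e in DECOY_EXTS for e in exts[:-1]):
                findings.append((info.filename, f"double extension ending in {final}"))
            elif final in DECOY_EXTS and not info.flag_bits & 0x1:  # skip encrypted
                with zf.open(info) as member:
                    head = member.read(8)
                for magic, kind in MAGIC.items():
                    if head.startswith(magic):
                        findings.append((info.filename, f"{final} name but {kind} content"))
    return findings


def build_sample() -> bytes:
    """Constructed archive: header bytes only, no working payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Marriott_Marketing_Job_Description.pdf", b"%PDF-1.7\n")
        zf.writestr("Marriott_Marketing_Job_Description.pdf.exe", b"MZ" + bytes(62))
        zf.writestr("Offer_Letter.pdf.lnk", b"L\x00\x00\x00\x01\x14\x02\x00")
        zf.writestr("docs/Benefits.pdf", b"MZ" + bytes(62))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip(build_sample()):
        print(f"{name}: {reason}")
```

Run against a mail gateway's or download folder's ZIP attachments, this flags the double-extension members and any document-named file whose first bytes are an executable or shortcut header, while leaving the genuine decoy PDF alone.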

The Vampire Bot malware, written in the Go programming language, can steal personal data, take screenshots, and communicate with an attacker-controlled server at api3.samsungcareers[.]work.

BatShadow’s ties to Vietnam were uncovered through a known IP address (103.124.95[.]161) previously linked to Vietnamese hacker groups.

Researchers say the group has been active for at least a year, reusing similar fake domains like samsung-work[.]com to spread other malware families, including Agent Tesla, Lumma Stealer, and Venom RAT.

Aryaka warned, “The BatShadow threat group continues to employ sophisticated social engineering tactics to target job seekers and digital marketing professionals.”
