BatShadow launches Vampire Bot in fake job campaigns

Threat Group – BatShadow Group
Threat Type – Multi-stage info-stealer and remote access bot
Exploited Vulnerabilities – Social engineering, Windows default “hide known file extensions,” LNK-launched encoded PowerShell, abuse of legitimate remote access software for persistence
Malware Used – Vampire Bot (Go-compiled)
Threat Score – 7.6 🔴 High — Multi-stage chain with LNK→PowerShell execution, behaviour-evasive Go binary, and persistence via legitimate remote-access tooling. Cred theft, host profiling, screenshotting, and flexible C2 raise lateral-movement and data-loss risks.
Last Threat Observation – 8 October 2025


Overview

Vampire Bot is a newly identified, previously undocumented malware attributed to the Vietnam-linked BatShadow Group. First seen in October 2025 targeting job seekers and digital-marketing professionals, the campaign blends tailored phishing, a LNK-to-PowerShell telescoping chain, and persistence through a legitimate remote desktop product to gain durable access, exfiltrate data, and stage follow-on operations.

The critical differentiator is Vampire Bot’s Go (Golang) build, which complicates static signature detection and enables rapid re-compilation to defeat hash-based controls. The initial access arrives in ZIP archives containing a malicious .LNK disguised as a document. When launched, the LNK executes Base64-encoded PowerShell that downloads both a benign decoy document and the primary payloads, including a legitimate remote-access tool (observed: XtraViewer) used for persistence and hands-on control. The Go implant conducts host profiling, information theft, screenshot capture, and C2 beaconing to attacker infrastructure (e.g., a careers-themed domain).

The targeting of marketing and job-seeking cohorts is strategic: these personas often hold or will shortly gain access to high-value corporate SaaS (ads, analytics, social) and may bridge personal and enterprise environments, offering a stealthy beachhead into corporate networks.


Key details

Delivery method

| Vector | Details | Detection notes |
|---|---|---|
| Phishing ZIP | Tailored recruiter/job-offer theme. Archive contains a .LNK posing as a job description or corporate PDF. | Block ZIPs with LNKs. Flag double-extension lures and doc-icon shortcuts. |
| Execution deception | Exploits default Windows “hide known file extensions”; filename appears as *.pdf but is actually *.pdf.lnk. | Enforce showing file extensions; educate users to spot .lnk. |
| PowerShell stage | LNK launches encoded PowerShell to fetch a decoy PDF and a second ZIP containing XtraViewer, then executes it. | Alert on explorer.exe → powershell.exe with -EncodedCommand/high-entropy args; time-correlate dual fetches. |
| Persistence via RMM | XtraViewer (legitimate remote desktop) installed/executed (often from user-writable paths) to blend with normal admin activity. | Application control: only allow sanctioned RMM; block unsigned/volatile-path execution. |
| C2 | Go binary communicates with attacker infra, can receive commands and stage modules. | DNS/HTTP egress monitoring, rare-process network baselining, beacon-timing analytics. |

Target

  • Primary: Job seekers and digital-marketing professionals (contractors/freelancers included).
  • Secondary: Corporate environments reachable through victims’ SaaS credentials, ad platforms, social accounts, or VPN once employment begins.

Functions

  • Host profiling and environment reconnaissance to triage victim value.
  • Information theft (documents, browser data, credentials, session cookies).
  • Screenshot capture on configurable intervals.
  • C2 command execution and payload staging for modular extension.
  • Persistence and interactive access via a legitimate remote-access tool.

Obfuscation

  • Go static linking and easy re-compilation undermine hash/signature detection.
  • Social mimicry (job descriptions, corporate themes; file-icon spoofing).
  • Living-off-the-land with PowerShell and legitimate RMM (XtraViewer) to reduce telemetry friction.
  • Domain impersonation patterns (e.g., careers-themed) for C2 camouflage.

Threat actor profile – BatShadow Group

Attribution and operational cadence

BatShadow has been publicly tracked for at least a year prior to this campaign, operating from Vietnam with persistent, goal-oriented activity. The October 2025 wave focuses on job seeker/marketing demographics to harvest credentials to high-value corporate systems and to seed eventual corporate ingress once victims transition into employer environments.

Evolution and increased sophistication

Historically aligned with MaaS stealers (e.g., Lumma, Agent Tesla), BatShadow’s move to the custom Go-based Vampire Bot represents a capability elevation: bespoke C2, tuned evasion, and resilience against law-enforcement takedowns that frequently disrupt commodity stealer ecosystems. Proprietary tooling reduces dependence on rented infrastructure and extends operational longevity.

Strategic intent and targeting analysis

By compromising individuals at the edge—especially those using personal devices while job hunting—BatShadow creates beachheads outside traditional corporate perimeters. Vampire Bot’s likely info-stealing and RAT features enable credential collection, SaaS account control (ads/social), spear-phishing into employers, and pivoting via VPN once hired.


Technical deep dive – Go binary and telescoping chain

Why Go matters to defence

  • Massive statically linked executables complicate AV heuristics and inflate noise for static inspection.
  • Re-compilation with minor source changes yields completely new hashes, rendering hash allow/block-lists brittle.
  • Symbol stripping hinders reversing; defenders need Go-aware tooling (e.g., pclntab parsing) to recover function metadata and accelerate triage.

Infection chain mapped to MITRE ATT&CK

| Stage | ATT&CK | What to watch for |
|---|---|---|
| Initial access | TA0001 / T1566.001 Spear-phishing attachment | ZIPs with LNK masquerading as PDFs/docs; decoy+payload pairing. |
| User execution | TA0002 / T1204.001 | Shortcut double-click leading to PowerShell; doc-icon .lnk with hidden extension. |
| Command & scripting | T1059.001 PowerShell | -EncodedCommand, long Base64/entropy; outbound fetch of two artifacts (decoy + payload). |
| Persistence | TA0003 / T1547.001 (potential) | RMM foothold; auto-start via registry/startup if configured. |
| Defence evasion | TA0005 / T1036 | Legitimate tool execution from %TEMP%/Downloads, unsigned binaries, rare/first-seen processes. |
| Collection | TA0009 / T1113 Screen capture | API calls suggesting desktop capture by untrusted processes. |
| C2 | TA0011 / T1071 | Regular-interval beacons to new/low-reputation domains. |

Operational note: Some lures instruct victims to use Microsoft Edge for follow-on downloads to bypass stricter Chrome defaults—evidence of pre-tested social engineering.

Known Indicators of Compromise (IoCs)

Treat all network indicators as defanged and contextual. Validate internally before enforcement.

Network

  • Domains: api3[.]samsungcareers[.]work (observed C2)
  • Beaconing pattern: Regular-interval DNS/HTTPS from first-seen or unsigned processes to new/low-reputation destinations.

Files and persistence

  • Artifacts: .lnk files with document icons and double extensions (e.g., *.pdf.lnk) in Downloads/email temp paths.
  • RMM foothold: XtraViewer binaries/components executed or installed from %TEMP%, %APPDATA%, Downloads, or launched directly by script interpreters.
  • Go payloads: Large, unsigned, first-seen executables in user-writable paths.

Process and telemetry

| Type | Indicator (contextual) | Confidence |
|---|---|---|
| Process ancestry | explorer.exe → powershell.exe with -EncodedCommand or high-entropy command lines | High |
| Dual fetch sequence | PowerShell retrieves a decoy PDF followed by a payload ZIP/EXE | Medium–High |
| Screen capture | Untrusted process invoking screen-capture-related APIs | Medium |

Hashes

  • Not publicly verified for Vampire Bot at time of writing; prefer behaviour-based detections until vendor-confirmed hashes are available.

Detection engineering and rules of thumb

High-fidelity behavioural detections

  1. LNK → Encoded PowerShell pivot
    Parent explorer.exe spawning powershell.exe with -EncodedCommand or high-entropy arguments.
  2. Unusual binary execution from volatile paths
    Unsigned executables or legitimate RMMs (XtraViewer) starting from %TEMP% / %APPDATA% / Downloads.
  3. Beaconing and rare process egress
    First-seen processes generating regular-interval egress to new/low-reputation domains; correlate with process age and signer.
  4. Screen capture from untrusted process
    API usage consistent with desktop capture by recently dropped, unsigned processes.
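Detections 1 and 2 above, worked as an added example over constructed Sysmon-style process-create records (this is not the advisory's or any vendor's code). Field names ParentImage/Image/CommandLine follow Sysmon Event ID 1; the Signed/Publisher fields, the XtraViewer drop path and the entropy cut-off are assumptions. The decoder also recovers the plaintext behind -EncodedCommand (PowerShell reads it as Base64 of UTF-16LE), which is what an analyst needs first when triaging the pivot.

```python
import base64
import math
import re
from collections import Counter

# Constructed Sysmon Event ID 1 style records plus an assumed signer enrichment (not campaign
# telemetry); the encoded payload is a harmless placeholder, not a real lure command.
_ENC = base64.b64encode("Write-Output 'decoy'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Signed": True, "Publisher": "Microsoft Windows",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -w hidden -EncodedCommand {_ENC}"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Signed": False, "Publisher": "",
     "Image": r"C:\Users\u\AppData\Local\Temp\XtraViewer.exe",  # hypothetical drop path
     "CommandLine": "XtraViewer.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Signed": True, "Publisher": "Microsoft Windows",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]
ALLOWED_PUBLISHERS = {"Microsoft Windows"}  # assumption: the organisation's sanctioned signers
VOLATILE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def shannon_entropy(s):
    """Bits per character; long Base64 blobs score well above ordinary command-line text."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind -EncodedCommand (or -enc/-ec/-e), else None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def classify(ev):
    """Apply the two process-create rules from the text; return the names of rules that fire."""
    parent, image, cmd = ev["ParentImage"].lower(), ev["Image"].lower(), ev["CommandLine"]
    hits = []
    # Rule 1: explorer.exe -> powershell.exe carrying an encoded or high-entropy argument.
    high_entropy = any(shannon_entropy(t) > 4.5 for t in B64_TOKEN.findall(cmd))  # heuristic cut-off
    if parent.endswith("\\explorer.exe") and image.endswith("\\powershell.exe") and (
            decode_encoded_command(cmd) is not None or high_entropy):
        hits.append("lnk_encoded_powershell_pivot")
    # Rule 2: unsigned or non-allowlisted binary started from a user-writable, volatile path.
    if any(d in image for d in VOLATILE_DIRS) and (
            not ev["Signed"] or ev["Publisher"] not in ALLOWED_PUBLISHERS):
        hits.append("volatile_path_execution")
    return hits

def triage(events):
    """Return (index, rules fired, decoded command or None) for each event that trips a rule."""
    return [(i, r, decode_encoded_command(ev["CommandLine"]))
            for i, ev in enumerate(events) if (r := classify(ev))]
```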

Sysmon/EDR logic suggestions

  • Process Create: ParentImage = *\explorer.exe AND Image = *\powershell.exe AND (CommandLine CONTAINS "-EncodedCommand" (or its short forms -enc / -ec / -e) OR CommandLine MATCHES base64_high_entropy_regex)
  • File Creation/Load: (TargetFilename MATCHES *\Downloads\* OR TargetFilename MATCHES *\AppData\*\Temp\*) AND (ImageSigned = false OR Publisher NOT IN allowlist)
  • Network: Beaconing detector for new binaries: first_seen_process AND regular_interval_outbound AND (dest_domain_age < 30d OR domain_reputation = low).
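The beaconing rule above (and detection 3 in the list before it) as an added example over constructed connection records; this is not the advisory's or any product's logic. Connection fields follow Sysmon Event ID 3 loosely; the domain-age, reputation and process-first-seen lookups, the domain names and the CV threshold are all assumptions standing in for SIEM enrichment.

```python
import statistics
from collections import defaultdict

# Constructed connection records (Sysmon Event ID 3 style) plus assumed enrichment; none of the
# names, ages or timings come from the campaign. Time is seconds from the start of the window.
SAMPLE_CONNS = (
    [{"Image": r"C:\Users\u\Downloads\update.exe", "Dest": "careers-lure.example", "Time": t}
     for t in (0, 61, 119, 182, 240, 301, 358, 422, 480, 539)]          # ~60 s with jitter
    + [{"Image": r"C:\Program Files\Browser\browser.exe", "Dest": "cdn.example", "Time": t}
       for t in (3, 9, 140, 141, 300, 480, 505)]                         # bursty user traffic
)
DOMAIN_AGE_DAYS = {"careers-lure.example": 5, "cdn.example": 9000}      # assumed registration age
DOMAIN_REPUTATION = {"careers-lure.example": "low", "cdn.example": "good"}
PROCESS_FIRST_SEEN_DAYS = {"update.exe": 0, "browser.exe": 400}          # assumed fleet-wide first-seen

def beacon_stats(times, min_conns=6):
    """Mean inter-arrival gap and its coefficient of variation; None when too few connections."""
    if len(times) < min_conns:
        return None
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv

def is_regular_interval(times, max_cv=0.15):
    """A low CV of the gaps is the regular-interval signature; user traffic is bursty (high CV)."""
    stats = beacon_stats(times)
    return stats is not None and stats[1] <= max_cv

def find_beacons(conns, new_process_days=7, new_domain_days=30):
    """first_seen_process AND regular_interval_outbound AND (young domain OR low reputation)."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["Image"], c["Dest"])].append(c["Time"])
    alerts = []
    for (image, dest), times in by_pair.items():
        proc = image.rsplit("\\", 1)[-1].lower()
        first_seen = PROCESS_FIRST_SEEN_DAYS.get(proc, 0) <= new_process_days   # unknown = new
        young_or_bad = (DOMAIN_AGE_DAYS.get(dest, 0) < new_domain_days
                        or DOMAIN_REPUTATION.get(dest) == "low")
        if first_seen and young_or_bad and is_regular_interval(times):
            mean, cv = beacon_stats(times)
            alerts.append({"process": proc, "dest": dest,
                           "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return alerts
```

Correlating the flagged process with its signer and age, as the text suggests, is what keeps a legitimate updater that polls on a timer from paging anyone.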

Mitigation and prevention

The 3 Cs — immediate actions

Containment
Isolate endpoints showing the LNK→PowerShell chain, dual downloads, or unsanctioned RMM installs. Acquire memory and volatile data for triage.

Contextual detection
Emphasise behavioural detections: parent-child pivots, encoded commands, rare process egress, volatile-path execution, and screen-capture activity.

Countermeasures
Disable “Hide extensions for known file types.” Enforce application allow-listing and strictly control RMM usage by publisher and path.


Mitigation Checklist

| Category | Control / Action | Objective | Verification / Status |
|---|---|---|---|
| User Awareness & Training | Conduct targeted awareness campaigns for HR, marketing, and recruitment teams about ZIP + LNK phishing and hidden file extensions. Include real-world simulation exercises. | Prevent social engineering success through user education. | ☐ Implemented ☐ In Progress ☐ Gap |
| Email & Attachment Filtering | Block inbound ZIP archives containing .LNK or executable files. Apply sandbox detonation for attachments using recruiter or job-offer themes. | Stop the initial infection vector before delivery to the endpoint. | ☐ ☐ ☐ |
| File Extension Visibility | Enforce Group Policy to disable “Hide extensions for known file types” across all Windows endpoints. | Defeat the visual deception used in Vampire Bot lures. | ☐ ☐ ☐ |
| Endpoint Protection (EDR/AV) | Deploy EDR rules to detect explorer.exe → powershell.exe -EncodedCommand execution, large unsigned Go binaries, and PowerShell-launched RMM installs. | Detect high-fidelity behavioural indicators of compromise. | ☐ ☐ ☐ |
| Application Control / Whitelisting | Allow only approved remote access tools (e.g., legitimate RMM). Block unsanctioned software such as XtraViewer when not explicitly authorized. Restrict binary execution from %TEMP%, Downloads, and AppData. | Eliminate malicious persistence via legitimate tools or transient directories. | ☐ ☐ ☐ |
| PowerShell Hardening | Enable Constrained Language Mode where practical. Require signed scripts, enforce execution policy, and enable full Script Block Logging and transcription to SIEM. | Limit abuse of PowerShell for encoded or obfuscated payloads. | ☐ ☐ ☐ |
| Network & DNS Monitoring | Monitor for regular-interval beaconing and connections to new or low-reputation domains (e.g., careers-themed). Alert on unusual JA3/SNI patterns from unsigned binaries. | Detect C2 communications and data exfiltration activity. | ☐ ☐ ☐ |
| SaaS and Identity Security | Enforce MFA/2FA across all SaaS and corporate accounts. Monitor for unusual logins from new devices or regions. | Reduce the value of stolen credentials. | ☐ ☐ ☐ |
| System Hardening & Patching | Apply latest OS and browser updates. Enable SmartScreen, Attack Surface Reduction (ASR) rules, and disable legacy scripting engines. | Reduce exploit surface and block common file-based attacks. | ☐ ☐ ☐ |
| Incident Response Readiness | Update playbooks for LNK-to-PowerShell and Go-binary analysis. Pre-install tools such as Redress or Ghidra Go plugins for rapid reversing. | Decrease response time during live incidents involving Go malware. | ☐ ☐ ☐ |
| Threat Hunting & Continuous Monitoring | Establish recurring hunts for volatile-path executions, PowerShell encoded commands, and screen-capture API calls. Integrate telemetry with SIEM for correlation. | Maintain ongoing visibility and early detection of evolving variants. | ☐ ☐ ☐ |
| Credential & Session Hygiene | Immediately rotate passwords and revoke tokens when compromise is suspected, especially for ad-platform and marketing accounts. | Limit post-infection lateral movement and data theft. | ☐ ☐ ☐ |
| Data Loss Prevention (DLP) | Monitor for unusual outbound file transfers, screenshot exfiltration, or compressed data archives leaving endpoints. | Detect and block data theft attempts. | ☐ ☐ ☐ |
| Post-Incident Recovery | Validate that RMM tools (like XtraViewer) are removed or re-installed from trusted sources only. Perform endpoint re-imaging where compromise is confirmed. | Ensure full remediation and removal of persistent footholds. | |

Risk assessment

  • Likelihood: Medium–High
  • Impact: High
  • Detectability: Medium
  • Overall: 7.6 High — warrants full incident response on confirmed cases and proactive hardening.

Conclusion

Vampire Bot marks a tactical escalation for BatShadow: from commodity stealers to a custom Go-compiled platform delivered via LNK-to-PowerShell chains, with persistence through legitimate remote-access software. Success depends on behavioural analytics, UI hardening (show extensions), and tight RMM governance. With these controls, the campaign’s noisy pivots become detectable and containable.


Sources
The Hacker News – BatShadow Group Uses New Go-Based Vampire Bot Malware to Hunt Job Seekers – https://thehackernews.com/2025/10/batshadow-group-uses-new-go-based.html

SecurityBrief – BatShade: Vietnamese threat actor expands its digital operations – https://securitybrief.asia/story/batshade-vietnamese-threat-actor-expands-its-digital-operations