SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
United Kingdom

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Ps aditya k sood headshot
#
Malware
#
Advanced Persistent Threat Protection
#
Email Security

BatShade: Vietnamese threat actor expands its digital operations

Wed, 8th Oct 2025
By Aditya K Sood, Head, Aryaka’s Threat Research Lab

Aryaka Threat Research Labs has identified a new campaign by the Vietnamese threat actor BatShade, which continues to rely on social engineering to compromise job seekers and digital marketing professionals. The attackers pose as recruiters, distributing malicious files disguised as job descriptions and corporate documents. When opened, these lures trigger the infection chain of a Go-based malware we refer to as Vampire Bot.

This campaign demonstrates how threat actors exploit trust in professional workflows to achieve persistence, conduct system surveillance, and exfiltrate sensitive information, all while blending their activity into normal-looking traffic.

The infection typically begins with ZIP archives containing lure PDFs alongside malicious shortcut or executable files, which are masked with misleading extensions. In this case, the malicious files execute hidden PowerShell commands that display a decoy PDF to the victim while silently downloading and installing the malware in the background. The attackers also employ browser-based tricks, instructing victims to switch to specific browsers to bypass built-in protections and ensure the successful delivery of the payload.

Once executed, Vampire Bot performs detailed host profiling, collecting usernames, hardware identifiers, operating system details, privilege levels, and information on installed security products. This data is encrypted before being transmitted to the attacker's infrastructure. To maintain persistence, the malware hides itself in system folders, applies attributes to remain concealed, and creates a mutex to prevent multiple instances from running.

A central feature of Vampire Bot is its continuous desktop surveillance. The malware captures screenshots at configurable intervals, compresses them into WEBP format, and exfiltrates them over encrypted channels. It also maintains a persistent C2 polling loop to receive instructions, which may include executing commands or downloading additional payloads. Task results are transmitted back to the operators, granting them complete remote control of the compromised system.

This evolution of BatShade's tactics reflects a shift from the group's earlier reliance on commodity malware toward more customized tools designed for stronger persistence and stealth. By embedding malicious code into familiar job-application workflows, the actors increase the likelihood of successful compromise while reducing the chances of detection. This shift underscores the urgent need for continuous vigilance in the cybersecurity field.

Lastly, Aryaka's threat research labs work closely with community partners to enhance detection capabilities with threat intelligence. We responsibly disclosed the research with Proofpoint Emergin Threats research team to update the rulesets. This collaborative effort, including the mention from Emerging Threats, highlights the strength of the cybersecurity community in addressing evolving cyber challenges.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Negligence is Warfare
The New Face of Social Engineering
Why the UK’s new Cyber Bill demands action, not compliance
Net-Defence values transferable skills to bridge cyber skills gap
Ayrshire College secures cyber upgrade to enhance student skills

Top stories

Riskified urges fraud vigilance as holiday eCommerce surges
FireMon deepens Zero Trust integration for hybrid security
meshIQ enhances platform with robust automation & observability
Thousands of ASUS routers hijacked in global spying campaign
SingularityNET launches open-source AI platforms to decentralise development