BatShadow Threat Research Report
© COPYRIGHT 2015-2025 ARYAKA NETWORKS, INC. ALL RIGHTS RESERVED.
Aryaka Threat Research Lab
Varadharajan K and Aditya K Sood

BatShadow’s Latest Play: Vietnamese Threat Group Uses Vampire Bot to Target Digital Professionals
www.aryaka.com

BatShadow’s Latest Play: Vietnamese Threat Group Uses Vampire Bot to Hunt Digital Professionals - Report 2

Table of Contents
03 Executive Summary
03 Initial Access
04 Delivery & Execution
08 Lure Documents
10 Technical Details
11 Host Profiling and Initial Beacon
12 Real-Time Desktop Capture
13 Command and Control Activities
15 Attribution & Historical Campaigns
15 Conclusion
16 How Unified SASE Mitigates BatShadow’s Malware Campaigns
17 Appendices
17 Appendix A: Indicators of Compromise
17 Appendix B: Mapping MITRE ATT&CK® Matrix

Executive Summary

Aryaka Threat Research Labs conducted a comprehensive analysis of a campaign orchestrated by the Vietnamese threat actor group BatShadow. The campaign explicitly targets job seekers and digital marketing professionals and is of significant concern. The threat actors employ sophisticated social engineering tactics to distribute malware files disguised as job descriptions or role-specific documents. These files are meticulously crafted to appear legitimate, enticing recipients to open and interact with them and thereby initiating the infection.

Upon execution, the malware launches a Go-based bot designed to perform system surveillance and data exfiltration. The bot collects critical system information and immediately sends an AES-encrypted beacon to its command and control (C2) infrastructure to establish communication with the operators. Following the initial beacon, the bot engages in continuous desktop monitoring, capturing screenshots at intervals configured by the C2 server. These screenshots, stored as WEBP images, are transmitted over HTTPS, blending with regular network traffic to avoid detection.

The malware also maintains a persistent C2 loop to receive encrypted instructions, which may include executing commands or downloading and running additional payloads. Importantly, the bot continuously reports task status to the server, enabling BatShadow to maintain comprehensive remote control over compromised systems.

Initial Access

The initial infection vector for this campaign remains unknown. However, the attacks are known to leverage sophisticated social engineering tactics. Adversaries often pose as recruiters or employers to entice targets, who are typically job seekers and digital marketing professionals, into interacting with malicious attachments. These attachments usually take the form of ZIP files containing job descriptions or role-specific documents. In some instances, users may be redirected to phishing sites that prompt the download of malicious ZIP files. However, the exact delivery method of this campaign has not been confirmed.

Delivery & Execution

In this campaign, we identified a ZIP archive named “ATG_Technology_Group_Marketing_Job_Description.zip” that delivers the malicious content. The archive contains multiple lure PDF documents along with a malicious Windows shortcut (.LNK) file disguised as a PDF, named “ATG_Technology_Group_Marketing_Job_Description.pdf.lnk”, as shown in Figure 1.

When the user executes the malicious LNK file, it launches a hidden PowerShell command that downloads a lure PDF from the Bunny CDN URL “hxxps://555555cnd.b-cdn.net/Marriott_Marketing_Job_Description.pdf”. The file is saved as “C:\Users\Public\Marriott.pdf” and is immediately opened to trick the victim into believing they have accessed a legitimate document, as shown in Figure 2.
Figure 1: Content of the ZIP file
Figure 2: Lure Document

After the lure PDF is opened, the PowerShell script downloads another ZIP file from the same Bunny CDN (hxxps://555555cnd.b-cdn.net/002.zip), saves it as “C:\Users\Public\002.zip”, and extracts its contents. This ZIP archive contains files related to XtraViewer, a remote connectivity application. The PowerShell script then executes XtraViewer.exe, which displays the login interface, as shown in Figure 3.

Figure 3: XtraViewer Login Page

Threat Insight: Why do attackers use software like XtraViewer?

Attackers prefer to exploit legitimate remote-access tools such as XtraViewer to turn compromised endpoints into persistent, remotely controlled machines without deploying obvious malware. Because XtraViewer is a trusted, signed application that offers full interactive sessions, it warrants caution: it helps adversaries evade some AV heuristics and blend into regular administrative activity. Once installed (often via phishing or stolen credentials), it can be used for lateral movement, data exfiltration, or to hand off control to human operators.

We cannot be sure how the malicious operators are using the software. Still, we suspect the threat actor may be using XtraViewer to establish remote connections to infected systems. Alternatively, the actor may be instructing job-seeking candidates to install and connect via this tool, enabling the adversary to perform further malicious actions at a later stage.

As shown in Figure 1, the lure PDF instructs users to view the job description directly through an embedded link rather than requiring them to download it. When the user clicks the link “View PDF Documents Online,” they are redirected to “hxxps://jobs-marriott.com/view/pdf/job_application_marketing,” which displays a fake message claiming that “This page only supports downloads on Microsoft Edge,” as shown in Figure 4. When the user clicks the OK button, Chrome blocks the redirect. The page then displays another message instructing the user to copy the URL and open it in the Edge browser to download the file, as shown in Figure 5.

Figure 4: Unsupported Browser Page
Figure 5: Unsupported Browser Page

This is a social engineering trick used by the attacker to convince the victim to open the document in Edge, likely because Chrome and other browsers block certain scripted pop-ups and redirects by default, whereas opening the link manually in Edge ensures the action is treated as user-initiated and allows the attacker’s payload delivery flow to continue.

When the user clicks “Open the page in Edge to continue”, the URL opens in the Edge browser and displays another fake message stating that “The online PDF viewer is currently experiencing an issue. The file has been compressed and sent to your device.” This prompts the browser to download the malicious ZIP file, as shown in Figure 6. The ZIP file “Marriott_Marketing_Job_Description.zip” contains multiple PDF documents along with an executable file named “Marriott_Marketing_Job_Description.pdf.exe”, where a run of spaces is inserted between .pdf and .exe to disguise the file as a legitimate PDF, as shown in Figure 7.
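Both disguised names in this chain, “….pdf.lnk” and “….pdf<spaces>.exe”, depend on Explorer hiding the trailing extension (.lnk is never shown; .exe is hidden by default). The following check, an added Go example and not code from the report or from the campaign, flags such names in an archive listing and generalizes the two observed cases to other document/executable extension pairs; the extension lists and the sample listing are constructed assumptions, not data from the report.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// doubleExt matches a document extension, optional padding whitespace, then an
// extension Windows will actually act on, anchored at the end of the name.
// The extension lists are assumptions chosen for illustration, not from the report.
var doubleExt = regexp.MustCompile(
	`(?i)(\.(?:pdf|docx?|xlsx?|pptx?))([ \t\x{00A0}]*)(\.(?:exe|lnk|scr|bat|cmd|js|vbs|ps1))$`)

// Finding describes one name that looks like a document but is not.
type Finding struct {
	Name    string
	DocExt  string // extension the victim is meant to see
	RealExt string // extension Windows actually dispatches on
	Padding int    // whitespace characters inserted between the two
}

// CheckName flags "<doc>.pdf.lnk" and "<doc>.pdf<spaces>.exe" style names.
// Explorer never displays .lnk and hides .exe by default, so both render as a PDF.
func CheckName(name string) (Finding, bool) {
	m := doubleExt.FindStringSubmatch(name)
	if m == nil {
		return Finding{}, false
	}
	return Finding{
		Name:    name,
		DocExt:  strings.ToLower(m[1]),
		RealExt: strings.ToLower(m[3]),
		Padding: len([]rune(m[2])),
	}, true
}

// ScanListing runs CheckName over every entry of an archive listing and returns the hits.
func ScanListing(entries []string) []Finding {
	var hits []Finding
	for _, e := range entries {
		if f, ok := CheckName(e); ok {
			hits = append(hits, f)
		}
	}
	return hits
}

// SampleListing is a constructed ZIP listing: the two names quoted in the report plus benign decoys.
var SampleListing = []string{
	"ATG_Technology_Group_Marketing_Job_Description.pdf.lnk",
	"Marriott_Marketing_Job_Description.pdf      .exe",
	"Quarterly_Report_Q2.pdf",
	"Corporate_Communications.pdf",
}

func main() {
	for _, f := range ScanListing(SampleListing) {
		fmt.Printf("%q masquerades as %s but is %s (%d padding chars)\n", f.Name, f.DocExt, f.RealExt, f.Padding)
	}
}
```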
Figure 6: Malicious ZIP File Download
Figure 7: Content of the ZIP File

Lure Documents

The lure documents observed in this campaign are mostly related to corporate communications, financial statements, quarterly reports, and job-related materials. These files are crafted to be relevant and engaging to the target audience, including job seekers and digital marketing professionals, encouraging them to open and interact with the content. When the user clicks on the malicious .exe file, the malware execution begins, initiating the malicious operations.

Figure 8: Lure Document
Figure 9: Lure Document

Technical Details

The “Marriott_Marketing_Job_Description.pdf.exe” file is a Go-compiled binary that functions as a bot, collecting detailed host profiling information, continuously capturing and exfiltrating screenshots, and maintaining a C2 polling loop to receive tasks such as command execution and downloading additional payloads. The binary contains numerous functions with names prefixed by batman, as shown in Figure 10. For tracking purposes, we refer to this threat group as “BatShadow” and its associated malware as “Vampire Bot”.

Once executed, the Vampire Bot copies itself into the directory "C:\Users\\AppData\Local\Packages\edge", applies the “attrib.exe +s +h” command to set the file as both system and hidden, and then re-executes itself from the new location to ensure stealth. It then creates a mutex named “edge” to ensure that only one instance of the malware is running at a time.

Threat Insight: Why do attackers prefer Go-compiled binaries for malicious operations?

Attackers are increasingly creating malicious Go-compiled binaries because Go (Golang) offers portability, stealth, and flexibility that make their campaigns harder to detect and disrupt. A single Go binary can be cross-compiled to run on Windows, Linux, and macOS with minimal changes, allowing adversaries to scale their operations across diverse environments. Go executables are often larger and less familiar to traditional antivirus and endpoint tools, which can delay detection and signature creation. Go is also efficient for building malware with embedded C2 communications, file handling, and payload delivery, which is a cause for concern. From a threat actor’s perspective, this means faster development cycles, a wider reach, and better evasion, making Go an increasingly attractive language for modern malware families.

Figure 10: Vampire Bot Functions

Host Profiling and Initial Beacon

After creating the mutex, the Vampire Bot generates an initialization beacon that is sent to the attacker’s command-and-control (C2) server. This beacon is formatted as a JSON object. It contains detailed host profiling information such as username, operating system, hardware ID (HWID), CPU and GPU details, system architecture, external and local IP addresses, country, and privilege level. It also enumerates installed security products and records a ping value representing host network responsiveness. Finally, the payload includes a version field (i.e., “1.0.0”), which the malware uses to track its build or release variant during infections, as shown in Figure 11. By collecting this system fingerprint, the Vampire Bot enables operators to uniquely track each infected machine, evaluate its potential value, and tailor follow-on actions such as deploying additional payloads or avoiding analysis environments.

After collecting the victim’s details, the bot encrypts the stolen data using AES in CBC mode. To derive the encryption key, it retrieves a hardcoded UUID from the binary, prepends the string “pkk_”, and calculates the SHA-256 hash of this value. The resulting digest becomes the AES key. For each encryption operation, the malware generates a random initialization vector (IV) and then performs AES-CBC encryption over the stolen data. The output is then assembled into a JSON object under the "payload" field, where the IV and the encrypted content are concatenated as two hex-encoded strings separated by a colon. The first component is the IV, while the second contains the AES-encrypted ciphertext.

Figure 11: Initial Beacon

Real-Time Desktop Capture

The bot captures the victim’s desktop using the open-source kbinani Go library (https://github.com/kbinani/screenshot), taking periodic snapshots of the current environment. Each screenshot is stored in memory as a WEBP image, a lightweight format that reduces file size.

The bot transmits the AES-encrypted stolen data over TLS-secured communication, ensuring that the exfiltrated content remains hidden within encrypted HTTPS traffic, as shown in Figure 13. This payload is transmitted to an endpoint at “api3.samsungcareers.work/api/hdrp”, allowing the attacker to securely exfiltrate victim data, as shown in Figure 12. For authentication, the malware includes an X-Api-Key header, which is set to the same hardcoded UUID used for AES key derivation.

The Vampire Bot continuously captures the victim’s desktop in a loop. Before each capture cycle, it contacts the C2 at “hxxps://api3.samsungcareers.work/api/ping/” to retrieve configuration, such as captureInterval, captureQuality, and a viewedAt flag, and applies those settings to the local capture component, as shown in Figure 14. If the threat actor is interested, they can modify these parameters to increase the frequency or quality of the capture tasks.

Figure 14: Configuration Details
Figure 12: AES Encrypted Payload
Figure 13: Exfiltration

The captured images are transmitted over HTTP using “multipart/form-data,” with standard headers and boundaries, as shown in Figure 15. File names are generated dynamically, following the pattern “screenshot_.webp”. The malware then sends this information to the endpoint at “hxxps://api3.samsungcareers.work/api/image/”, where the UUID is unique for each victim.

Figure 15: Stolen Images Staged for Exfiltration

Command and Control Activities

After this, the Vampire Bot continuously runs a Command & Control (C2) loop, sending requests to the endpoint “hxxps://api3.samsungcareers.work/api/task/”. The server responds with encrypted data in the format IV:CipherText. The malware then uses AES in CBC mode to decrypt this response, extracting the commands it needs to execute. In our test, although we received a response from the server, the decrypted content did not contain any meaningful commands to execute, indicating that the C2 server may not have had active tasks assigned at that time, or that the response could be dummy/placeholder data, as shown in Figure 16.

Figure 16: C&C Response

However, the malware contains code to perform several actions. If the task involves command execution, it constructs and runs the supplied command in a hidden process, capturing its output. If the task is a download-and-execute operation, it retrieves a file from a specified URL and executes it. Unknown or unsupported task types are logged as warnings.
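The same envelope carries both the initial beacon (the "payload" field described under Host Profiling) and the C2 task replies (IV:CipherText): the key is SHA-256("pkk_" + UUID), each message gets a fresh random IV, and the two halves are hex-encoded and joined with a colon. Below is an added Go example, not the bot's own code, that reproduces that scheme so an analyst can decode captured traffic given the UUID; PKCS#7 padding and the all-zero placeholder UUID are assumptions, since the report states neither the padding scheme nor the real UUID.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// deriveKey follows the report: SHA-256("pkk_" + hardcoded UUID) is the 32-byte AES key.
func deriveKey(uuid string) []byte {
	sum := sha256.Sum256([]byte("pkk_" + uuid))
	return sum[:]
}

// PKCS#7 padding is an assumption; the report does not name the padding scheme.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptPayload builds the "<iv-hex>:<ciphertext-hex>" value carried in the JSON "payload" field.
func encryptPayload(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize) // fresh random IV per message, as the report describes
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return hex.EncodeToString(iv) + ":" + hex.EncodeToString(ct), nil
}

// decryptPayload is the analyst's inverse for captured beacons and C2 "IV:CipherText" replies alike.
func decryptPayload(key []byte, payload string) ([]byte, error) {
	parts := strings.SplitN(payload, ":", 2)
	if len(parts) != 2 {
		return nil, errors.New("payload is not <iv>:<ciphertext>")
	}
	iv, errIV := hex.DecodeString(parts[0])
	ct, errCT := hex.DecodeString(parts[1])
	if errIV != nil || errCT != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed IV or ciphertext")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}
```

With the real UUID recovered from a sample, decryptPayload(deriveKey(uuid), value) turns the hex envelope from a captured beacon or task reply back into its JSON, and rejects truncated or malformed values instead of panicking.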
During execution, the malware continuously updates the task state back to the server, indicating whether it is running, has failed, or has completed. After completing or failing a task, it reports the results to the C2 server and resumes polling for the next instruction, maintaining persistent remote control.

Figure 17: Command Execution
Figure 18: Download from URL and Execute

Attribution & Historical Campaigns

The C&C server samsungcareers.work resolves to IP address 103.124.95.161, which has previously been associated with Vietnamese threat actors. Vietnamese threat actors have a documented history of focusing on digital marketing individuals, suggesting a consistent targeting pattern in this campaign as well. We assess this attribution with medium confidence and look forward to more indicators in the near future.

This group has also been observed using similar domains, such as samsung-work.com, to distribute malware families including AgentTesla, LummaC2, and VenomRAT. The campaign was reported by the researcher “Hunter For Fun” in November 2024, who noted its distribution via Facebook. Around the same period, security researcher “Emmy Byrne” identified a related campaign specifically targeting digital marketing professionals. Additionally, Filescan.io reported a separate campaign involving malicious scripts containing the string “batman.” We have also observed that the threat actors distributed the malicious site through LinkedIn posts related to digital marketing, leveraging fake profiles, as shown in Figure 19.

References:
https://x.com/filescan_itsec/status/1858873841583309195
https://x.com/byrne_emmy12099/status/1861454443260321945
https://x.com/Thisism23567356/status/1861367550774292804
https://cyble.com/blog/vietnamese-threat-actors-multi-layered-strategy-on-digital-marketing-professionals/
https://www.virustotal.com/gui/ip-address/103.124.95.161/community

Conclusion

The BatShadow threat group continues to employ sophisticated social engineering tactics to target job seekers and digital marketing professionals. By leveraging disguised documents and a multi-stage infection chain, the group delivers a Go-based Vampire Bot capable of system surveillance, data exfiltration, and remote task execution. The malware’s design, including persistent C2 communication, encrypted data transmission, and screenshot capture, demonstrates a high level of operational sophistication. Historical associations with Vietnamese threat actors and the use of commodity malware families such as AgentTesla, LummaC2, and VenomRAT highlight the group’s consistent targeting pattern and reliance on proven attack methods.

How Unified SASE Mitigates BatShadow’s Malware Campaigns

Aryaka’s Unified SASE defends by aligning security controls with the malware’s behavior. DNS filtering blocks access to known malicious domains and C2 servers, stopping payload downloads at the source. Secure Web Gateways inspect outbound traffic, preventing the exfiltration of system data and screenshots. Next-generation firewalls enforce application-level restrictions to block unauthorized use of remote access tools, while IDS/IPS monitors for abnormal beaconing and network anomalies. Antivirus protection scans and blocks disguised or malicious files, ensuring the malware cannot execute successfully. Together, these coordinated layers disrupt BatShadow’s operations, halt data theft, and prevent the malware from surveilling or manipulating targeted systems, providing an always-on barrier that does not rely solely on reactive detection.

Proofpoint has released new signatures to detect activity related to the BatShadow campaign, enabling early identification and response to this threat actor’s tactics (https://x.com/ET_Labs/status/1968048449334747408):

VampireBot CnC Exfil (POST)
VampireBot CnC Instruction Request (GET)
VampireBot CnC Config Inbound
VampireBot CnC ScreenCapture Exfil (POST)
VampireBot CnC Task Request (GET)
Observed DNS Query to BatShadow Related Domain (api3.samsungcareers[.]work)
Observed DNS Query to BatShadow Related Domain (jobs-marriott[.]com)
Observed DNS Query to BatShadow Related Domain (samsung-work[.]com)
Observed BatShadow Related Domain (api3.samsungcareers[.]work in TLS SNI)
Observed BatShadow Related Domain (jobs-marriott[.]com in TLS SNI)
Observed BatShadow Related Domain (samsung-work[.]com in TLS SNI)

Appendices

Appendix A: Indicators of Compromise

SHA256 / Indicator | Description
85eb8082325ee433b743c68fa64399bff52b7c2027fd123874b6b46909005638 | ATG_Technology_Group_Marketing_Job_Description.zip
0385569c990dd8c9b976c9fc5963e1b36d44461d1ec25bf01b4030b993f10af9 | ATG_Technology_Group_Marketing_Job_Description.pdf.lnk
2fab07b446d1d82706355a6f6556cbc6a334799f41750f839a730c02f5bb7c9a | Vampire Bot
2dc19a2c49c9fb544cd3bc166129f855d6e5614f17d258d7fbbe8bae79298664 | Vampire Bot
1ba2bea01cbe189aad821ad9e7f49927ee123fd3771620184f2629979a976d30 | 2025-08-30-165596_123.lnk
5263b3d57c0733ab9c78a1bdda7de9636ee2a30dce014c72809f18cb321a1390 | Advertising_Plan_Of_Cirrus_2025.zip
api3.samsungcareers.work | C&C Server
jobs-marriott.com | Malicious Domain
samsung-work.com | Malicious Domain

Appendix B: Mapping MITRE ATT&CK® Matrix

Tactic | Technique | Technique Name
Initial Access | T1566.001 | Phishing: Spearphishing Attachment
Initial Access | T1566.003 | Phishing: Spearphishing via Service
Execution | T1204.002 | User Execution: Malicious File
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location
Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories
Defense Evasion | T1218 | Signed Binary Proxy Execution
Discovery | T1082 | System Information Discovery
Discovery | T1518.001 | Security Software Discovery
Collection | T1113 | Screen Capture
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols
Command and Control | T1105 | Ingress Tool Transfer
Command and Control | T1219 | Remote Access Tools
Exfiltration | T1041 | Exfiltration Over C2 Channel
Impact | T1486 | Data Encrypted for Impact

info@aryaka.com | +1.888.692.7925

About Aryaka Networks

Aryaka is the leader in delivering Unified SASE as a Service, a fully integrated solution combining networking, security, and observability. Built for the demands of Generative AI as well as today’s multi-cloud hybrid world, Aryaka enables enterprises to transform their secure networking to deliver uncompromised performance, agility, simplicity, and security. Aryaka’s flexible delivery options empower businesses to choose their preferred approach for implementation and management. Hundreds of global enterprises, including several in the Fortune 100, depend on Aryaka for their secure networking solutions. For more on Aryaka, please visit www.aryaka.com