{
	"id": "50f7647b-756c-4e47-a966-ddf36c0a6444",
	"created_at": "2026-04-06T00:09:02.148083Z",
	"updated_at": "2026-04-10T13:12:48.589481Z",
	"deleted_at": null,
	"sha1_hash": "b3428b32858b69c2844053ef92c44bc35566d14c",
	"title": "BatShade: Vietnamese Threat Actor Evolves With Vampire Bot And Social Engineering Malware | Aryaka Threat Research Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 881378,
	"plain_text": "BatShade: Vietnamese Threat Actor Evolves With Vampire Bot\r\nAnd Social Engineering Malware | Aryaka Threat Research Blog\r\nBy Aditya K Sood\r\nPublished: 2025-10-07 · Archived: 2026-04-05 16:32:11 UTC\r\nAryaka Threat Research Labs has identified a new campaign by the Vietnamese threat actor BatShadow, which\r\ncontinues to rely on social engineering to compromise job seekers and digital marketing professionals. The\r\nattackers pose as recruiters, distributing malicious files disguised as job descriptions and corporate documents.\r\nWhen opened, these lures trigger the infection chain of a Go-based malware we refer to as Vampire Bot.\r\nThis campaign demonstrates how threat actors exploit trust in professional workflows to achieve persistence,\r\nconduct system surveillance, and exfiltrate sensitive information, all while blending their activity into normal-looking traffic.\r\nThe infection typically begins with ZIP archives containing lure PDFs alongside malicious shortcut or executable\r\nfiles, which are masked with misleading extensions. In this case, the malicious files execute hidden PowerShell\r\ncommands that display a decoy PDF to the victim while silently downloading and installing the malware in the\r\nbackground. The attackers also employ browser-based tricks, instructing victims to switch to specific browsers to\r\nbypass built-in protections and ensure the successful delivery of the payload.\r\nOnce executed, Vampire Bot performs detailed host profiling, collecting usernames, hardware identifiers,\r\noperating system details, privilege levels, and information on installed security products. This data is encrypted\r\nbefore being transmitted to the attacker’s infrastructure. To maintain persistence, the malware hides itself in\r\nsystem folders, applies attributes to remain concealed, and creates a mutex to prevent multiple instances from\r\nrunning.\r\nA central feature of Vampire Bot is its continuous desktop surveillance. The malware captures screenshots at\r\nconfigurable intervals, compresses them into WEBP format, and exfiltrates them over encrypted channels. It also\r\nhttps://www.aryaka.com/blog/batshade-vampire-bot-social-engineering-malware/\r\nPage 1 of 3\n\nmaintains a persistent C2 polling loop to receive instructions, which may include executing commands or\r\ndownloading additional payloads. Task results are transmitted back to the operators, granting them complete\r\nremote control of the compromised system.\r\nThis evolution of BatShadow’s tactics reflects a shift from the group’s earlier reliance on commodity malware\r\ntoward more customized tools designed for stronger persistence and stealth. By embedding malicious code into\r\nfamiliar job-application workflows, the actors increase the likelihood of successful compromise while reducing\r\nthe chances of detection. This shift underscores the urgent need for continuous vigilance in the cybersecurity field.\r\nLastly, Aryaka Threat Research Labs works closely with community partners to ensure detection capabilities are\r\nenhanced with threat intelligence. We responsibly disclosed the research with the Proofpoint Emerging Threats\r\nresearch team to update the rulesets. This collaborative effort, including the mention from Emerging Threats,\r\nhighlights the strength of the cybersecurity community in addressing evolving cyber challenges.\r\nSource: https://www.aryaka.com/blog/batshade-vampire-bot-social-engineering-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.aryaka.com/blog/batshade-vampire-bot-social-engineering-malware/"
	],
	"report_names": [
		"batshade-vampire-bot-social-engineering-malware"
	],
	"threat_actors": [
		{
			"id": "8b9a64e8-5544-4422-96e0-b5cc1f2e54ec",
			"created_at": "2026-01-23T02:00:03.291346Z",
			"updated_at": "2026-04-10T02:00:03.931038Z",
			"deleted_at": null,
			"main_name": "BatShadow",
			"aliases": [],
			"source_name": "MISPGALAXY:BatShadow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434142,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3428b32858b69c2844053ef92c44bc35566d14c.pdf",
		"text": "https://archive.orkl.eu/b3428b32858b69c2844053ef92c44bc35566d14c.txt",
		"img": "https://archive.orkl.eu/b3428b32858b69c2844053ef92c44bc35566d14c.jpg"
	}
}