Vietnamese Threat Actor Expands Operations
New “BatShade” Campaign Takes Center Stage
Aryaka Threat Research Labs has uncovered a new campaign by the Vietnamese threat actor “BatShade,” targeting job seekers and digital marketing professionals through highly convincing social engineering tactics. Disguised as recruiter outreach, the campaign delivers “Vampire Bot,” a Go-based malware engineered for stealth, persistence, and continuous system surveillance. By embedding malicious payloads into familiar job-application workflows, BatShade exploits user trust to steal sensitive information, monitor activity, and maintain long-term access—all while blending seamlessly into legitimate network traffic.
Key insights include:
- Targeted social engineering: Attackers pose as recruiters and distribute malicious job-related documents to compromise victims.
- Stealthy infection chain: ZIP archives with disguised executables launch hidden PowerShell scripts that install malware while showing a decoy PDF.
- Comprehensive system profiling: Vampire Bot gathers host data, hides in system folders, and uses mutexes to maintain persistence.
- Continuous surveillance: The malware captures and exfiltrates screenshots over encrypted channels and polls C2 servers for new commands.
- Stronger, more customized tools: BatShade is evolving from commodity malware to bespoke payloads designed for stealth, control, and long-term access.