TL;DR

Google Threat Intelligence Group says a financially motivated cluster it tracks as UNC6229, assessed to operate from Vietnam, uses fake job listings on legitimate platforms to trick digital advertising and marketing workers into installing malware or entering credentials. The goal is to gain access to high-value corporate advertising and social media accounts to monetize or sell them.

What happened

Researchers at Google’s Threat Intelligence Group identified a persistent social-engineering campaign that relies on fraudulent job postings to lure applicants in the digital marketing and advertising fields. Actors behind the cluster UNC6229 create convincing employer profiles on legitimate job and freelance sites as well as on their own websites. Targets who apply are contacted with personalized follow-ups that build rapport; subsequent messages include password-protected attachments or links to staging pages that either install remote access malware or capture corporate login details via phishing kits. Compromises can occur when victims open a delivered payload on devices with access to corporate ad accounts or submit credentials while logged into corporate sessions. Google says affected sites, domains and files have been added to Safe Browsing blocklists, and it shared findings with abused CRM vendors to limit misuse of those services.

Why it matters

  • Targets are employees with legitimate access to valuable corporate advertising and social media assets, making single compromises highly lucrative.
  • The campaign uses applicant-initiated contact and abused trusted SaaS/CRM services to evade detectors and increase credibility.
  • Phishing kits observed can harvest corporate credentials and handle multiple MFA schemes, raising the risk of account takeover.
  • Blocking malicious infrastructure and sharing indicators can help defenders, but the social-engineering approach is hard to fully automate away.

Key facts

  • GTIG tracks this activity as UNC6229 and assesses it to be financially motivated and operating from Vietnam.
  • Actors post fake remote job listings on legitimate employment platforms, freelance marketplaces, and actor-controlled websites.
  • Initial contact is personalized and often benign to build trust before delivering a payload or link.
  • Payloads include password-protected ZIP attachments carrying remote access trojans (RATs) and phishing pages for credential harvesting.
  • Phishing kits analyzed can target corporate email credentials and accommodate MFA solutions including Okta and Microsoft.
  • Threat actors have abused legitimate CRM and business tools to send campaign emails; Google shared findings with affected vendors.
  • Google added identified websites, domains and files to its Safe Browsing blocklist to help protect users.
  • An example infrastructure domain identified by GTIG is staffvirtual[.]website; multiple file hashes were published as indicators of compromise.
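As an added illustration, not code from Google's report or from this post: a small triage routine a mail-security team could run over gateway records to surface the lure pattern summarized above (external hiring-themed sender, password-protected archive, link to the published domain). The record schema, CORP_DOMAIN and the sample inputs are constructed assumptions; the only indicator used is the domain the summary names.

```python
import re
from urllib.parse import urlparse

# Indicator stored defanged, as GTIG published it (the only one this summary names).
KNOWN_BAD_DOMAINS = {"staffvirtual[.]website"}
CORP_DOMAIN = "example-corp.test"  # placeholder for the defending organization

def refang(value: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into a comparable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")

BAD_HOSTS = {refang(d) for d in KNOWN_BAD_DOMAINS}
JOB_LURE = re.compile(r"\b(job|offer|interview|application|recruit|freelance)\b", re.I)
ARCHIVE_EXT = (".zip", ".rar", ".7z")

def triage_email(msg: dict) -> tuple[int, list[str]]:
    """Score one mail-gateway record against the UNC6229 lure pattern.

    msg keys (constructed schema): sender, subject, urls, attachments,
    where each attachment is {"name": str, "encrypted": bool}.
    Returns (score, reasons); a higher score means more analyst review is warranted.
    """
    score, reasons = 0, []
    external = not msg["sender"].lower().endswith("@" + CORP_DOMAIN)
    hosts = {urlparse(refang(u)).hostname or "" for u in msg.get("urls", [])}
    if hosts & BAD_HOSTS:
        score += 10
        reasons.append("url host matches published indicator")
    for att in msg.get("attachments", []):
        # The campaign delivered RATs inside password-protected ZIPs,
        # which gateways cannot inspect; treat encrypted archives as a signal.
        if att["name"].lower().endswith(ARCHIVE_EXT) and att.get("encrypted"):
            score += 5
            reasons.append("password-protected archive attachment")
    if external and JOB_LURE.search(msg.get("subject", "")):
        score += 2
        reasons.append("external sender with hiring/job lure subject")
    return score, reasons

if __name__ == "__main__":
    # Constructed sample record shaped like the follow-up stage of the campaign.
    sample = {"sender": "talent@staffvirtual[.]website",
              "subject": "Re: your application - interview offer",
              "urls": ["hxxp://staffvirtual[.]website/brief"],
              "attachments": [{"name": "Campaign_Brief.zip", "encrypted": True}]}
    print(triage_email(sample))
```

Scores are additive so a message hitting all three rules is ranked above one that merely mentions a job, and the refang step lets published defanged indicators be compared directly against live URLs.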

What to watch next

  • Continued refinement and expansion of targeting to other industries where employees hold valuable corporate assets (confirmed in the source).
  • Ongoing abuse of legitimate SaaS and CRM platforms to increase email deliverability and evade filters (confirmed in the source).
  • Potential changes in tooling or new infrastructure used by UNC6229 beyond published indicators — not confirmed in the source.

Quick glossary

  • Social engineering: Manipulating people into performing actions or divulging confidential information rather than exploiting technical vulnerabilities.
  • Remote Access Trojan (RAT): Malicious software that grants an attacker remote control over an infected system, enabling data theft and account access.
  • Phishing kit: A prebuilt set of web pages and back-end components used to mimic legitimate sites and collect user credentials.
  • CRM (Customer Relationship Management): Software platforms used by organizations to manage communications with customers; can be abused to send bulk, trusted-looking messages.
  • Multi-factor authentication (MFA): A security method that requires two or more proof points (factors) to verify a user's identity before granting access.

Reader FAQ

How do these attacks begin?
Victims apply to fake job postings; attackers then follow up with personalized messages that deliver malware or phishing links (confirmed in the source).

Which workers were primarily targeted?
Individuals in digital advertising and marketing, especially remote contractors or part-time roles (confirmed in the source).

Has Google taken any immediate action?
Google added identified websites, domains and files to its Safe Browsing blocklist and shared details with impacted CRM vendors (confirmed in the source).

Who is behind these campaigns?
GTIG attributes the cluster to UNC6229 and assesses with high confidence the actors operate from Vietnam (confirmed in the source).

Google Threat Intelligence Group (GTIG) is tracking a cluster of financially motivated threat actors operating from Vietnam that leverages fake job postings on legitimate platforms to target individuals in the…
