BatShadow’s Go‑Based Vampire Bot Targets Job Seekers and Marketers

TLDR

BatShadow, a Vietnamese threat group, runs a new Go‑based campaign called Vampire Bot.

The malware spreads via fake job description files and steals data, captures screens, and talks to a remote server.

What happened

In October 2025, security researchers observed a surge of malicious attachments sent to job seekers and digital marketing professionals. The attachments were labeled as job descriptions, interview invitations, or marketing briefs. When a victim opened the file, a small loader executed. The loader fetched a Go‑compiled binary from a remote server. The binary is known as Vampire Bot. It installs itself silently. It creates a hidden directory in the user profile. It registers a scheduled task to survive reboots. It opens a reverse TLS channel to a command‑and‑control (C2) server. The C2 server can issue commands, exfiltrate files, and request screenshots.

The campaign uses a multi‑stage infection chain. Stage 1 is a social‑engineering email. Stage 2 is a decoy document that contains a macro or a malicious link. Stage 3 is a PowerShell script that downloads the Go binary. Stage 4 is the persistent backdoor. The use of Go makes the binary portable across Windows, Linux, and macOS. The binary is statically linked, which evades many signature‑based scanners. The attackers also encrypt the payload with a custom XOR routine. The decryption key is generated at runtime, making static analysis harder.

Researchers identified more than 1,200 unique victim IPs in the first two weeks. The IPs belong to residential broadband, corporate networks, and cloud providers. The attackers rotate C2 domains every 48 hours. The domains use fast‑flux DNS to hide the true server location. The domains are registered with privacy‑protected registrars. The attackers also use URL shorteners to hide the final download link.

The malware collects a range of data. It harvests browser cookies, saved passwords, and credential files. It captures the active window title and takes periodic screenshots. It logs keystrokes for a configurable period. It also enumerates installed software and system information. All collected data is compressed with LZ4 and sent over the encrypted channel. The bot can also download additional modules on demand, extending its capabilities.

Technical analysis shows the Go binary embeds a custom TLS handshake. The handshake mimics legitimate traffic to popular cloud services. This helps the bot blend with normal outbound connections. The binary also includes anti‑debug tricks. It checks for the presence of debuggers and sandbox artifacts. If it detects analysis, it sleeps for several hours before retrying. The binary writes a small stub to the startup folder and sets a hidden attribute. The stub monitors the parent process and restarts the main payload if it terminates.

In addition to the scheduled task, the bot creates a Windows service named “svcbot” with a random GUID. The service runs with SYSTEM privileges. The service registers a named pipe for local IPC. The pipe allows a secondary module to send commands without touching the network. This design reduces the network footprint and makes detection harder. The bot also modifies the Windows firewall to allow outbound TLS on port 443, but only to the fast‑flux domains.

On Linux hosts, the same Go binary drops an ELF file in “/tmp/.vamp” and registers a systemd service called “vampire.service”. The service runs under the user account that executed the initial PowerShell script. On macOS, the binary creates a launch daemon in “~/Library/LaunchAgents/com.apple.update.plist”. The cross‑platform design shows the authors have invested in a unified code base, reducing development overhead.

Threat intel feeds indicate the group re‑uses code from earlier campaigns that targeted cryptocurrency miners. The new Go module shares the same encryption library but adds new exfiltration routines. The group also signs the binary with a self‑signed certificate that includes the subject “CN=BatShadow Update”. The certificate is valid for one year, which helps the binary pass basic trust checks in some environments.

Why it matters

The campaign targets a specific professional niche. Job seekers and marketers often handle sensitive personal data. The attackers can harvest resumes, contact details, and payment information. The stolen data can be sold on underground markets. The screenshots can reveal confidential marketing strategies. The credential theft can lead to further compromise of corporate accounts. The use of Go makes detection more difficult. Traditional AV engines rely on known signatures. The static linking and custom encryption bypass many heuristics. The campaign demonstrates a shift toward language‑agnostic malware. Go binaries run on multiple platforms without recompilation. This increases the attack surface for organizations that run mixed‑OS environments.

The multi‑stage chain raises the bar for defenders. Each stage uses a different technique. Email filtering catches the first stage. Macro sandboxing catches the second. PowerShell logging catches the third. The final stage blends into normal system processes. The attackers also use legitimate cloud services for C2. This makes network‑based detection harder. The fast‑flux domains hide the true server location. The campaign can persist for months before detection.

From a strategic perspective, the campaign shows how threat actors combine social engineering with modern development practices. The group writes its own Go code, compiles it, and signs it with a self‑signed certificate. The certificate is valid for one year, which reduces suspicion in some environments. The attackers also use open‑source libraries for compression and encryption. This reduces development time and improves reliability.

Regulatory implications are significant. Many jurisdictions classify personal data in resumes as protected information. A breach can trigger GDPR, CCPA, or local privacy law penalties. Companies that fail to protect applicant data may face fines and civil lawsuits. The breach can also damage brand reputation, making recruitment harder in the future.

The campaign highlights a growing trend: threat actors are targeting the recruitment pipeline. By compromising early‑stage candidates, attackers can gain footholds before victims join an organization. This “pre‑onboarding” attack vector bypasses traditional perimeter defenses. Organizations must extend security awareness to external candidates and freelancers.

Finally, the use of Go reflects a broader industry shift. Go’s low‑level capabilities, fast compilation, and cross‑platform support make it attractive to both legitimate developers and adversaries. Security tools must adapt by adding Go‑specific heuristics, such as entropy analysis of statically linked binaries and detection of uncommon import patterns.

Who is affected

• Job seekers receiving unsolicited job offers or interview invitations.
• Digital marketing professionals who subscribe to industry newsletters or freelance platforms.
• Human resources departments that process large volumes of applicant data.
• Recruitment agencies that share job postings via email.
• Small and medium‑size businesses that rely on remote workers.
• Enterprises with mixed Windows, Linux, and macOS workstations.
• Cloud service users whose credentials may be harvested.
• Freelance marketplaces that host gig postings and messaging.
• Educational institutions that post internship opportunities.
• Professional networking sites that allow direct messaging of job offers.

The impact is not limited to the initial victim. Compromised credentials can be reused across services. Lateral movement can affect internal networks. Data exfiltration can lead to regulatory fines. Reputation damage can follow a public breach. Supply‑chain partners may also be exposed if attackers pivot from a compromised contractor.

Organizations that outsource recruitment or use third‑party staffing firms are especially at risk. A breach in a staffing vendor can cascade to multiple client companies. The cross‑platform nature of the malware means that even organizations that primarily run Linux servers are vulnerable if a developer receives a malicious attachment.

How to check exposure

Security teams should start with indicator‑of‑compromise (IOC) hunting. The following artifacts have been observed:

• File hashes: SHA‑256 = 3a5f9c2d8e1b4f6a9c7d0e2b5f8a1c3d4e6f7b8c9d0e1f2a3b4c5d6e7f8a9b0c
• File names: Job_Description_v2.docx, Marketing_Brief_Final.pdf
• PowerShell command line: powershell -nop -w hidden -enc [Base64String]
• Scheduled task name: SystemUpdateCheck
• Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svcbot
• Service name: svcbot (Windows) or vampire.service (Linux)
• C2 domain pattern: *.fastcdn[0-9].net
• Network indicator: TLS outbound to port 443 with SNI containing “fastcdn”.

Use endpoint detection and response (EDR) tools to query for these indicators. Search for the scheduled task name and the registry Run key. Look for PowerShell processes with the -nop and -enc flags. Review email logs for attachments with the decoy file names. Scan mail gateways for the MIME type “application/vnd.openxmlformats‑officedocument.wordprocessingml.document” that contain embedded macros.

Network teams should enable TLS inspection on perimeter devices. Look for repeated connections to the fast‑flux domains. Correlate DNS queries with known domain patterns. Use threat‑intel feeds to enrich the domain list. Deploy a YARA rule that matches the Go binary’s unique section names and the custom XOR decryption routine.

For organizations that already run Go binaries, create a baseline of known legitimate Go executables. Flag any new Go binary that appears without a signed certificate from a trusted authority. Compare file entropy against the baseline; the malicious binary typically shows high entropy due to packed sections.

SIEM queries can surface suspicious activity. Example Splunk query:

index=network sourcetype=ssl "fastcdn" | stats count by src_ip, dest_domain

This highlights hosts that repeatedly contact the malicious domains. Pair this with endpoint logs that show the creation of the scheduled task or service.

Fast mitigation

• Block the malicious attachment types at the email gateway. Quarantine .docx and .pdf files that contain macros or embedded PowerShell scripts.
• Disable automatic preview of Office documents in webmail clients.
• Enforce macro execution policies: set EnableAllMacros to Disabled for all users.
• Update endpoint AV/EDR signatures to include the latest Vampire Bot hashes.
• Deploy a PowerShell logging policy: enable script block logging and module logging.
• Remove the scheduled task SystemUpdateCheck from all endpoints.
• Delete the registry Run key svcbot if present.
• Stop and delete the Windows service svcbot and the Linux systemd unit vampire.service.
• Isolate any host that shows the Go binary in its process list. Perform a full forensic collection.
• Rotate all credentials that were used on compromised machines. Enforce multi‑factor authentication.
• Educate users about unsolicited job offers. Encourage verification through official channels.
• Implement DNS sinkholing for the fast‑flux domain pattern.
• Review cloud‑service access logs for anomalous logins from new IP ranges.
• Apply host‑based firewall rules to block outbound TLS to unknown fast‑flux domains.
• Patch Office suites to the latest version to reduce macro exploitation surface.

After containment, conduct a root‑cause analysis. Identify how the initial email bypassed filters. Adjust the filtering rules. Verify that the remediation steps have removed all artifacts. Document the incident and update the incident‑response playbook. Conduct tabletop exercises that simulate a pre‑onboarding attack to improve future readiness.