BatShadow: Vietnamese Threat Actor Expands Its Digital Operations
ID: ce6efaf4-cb23-58a4-a06d-bea648a232b6
STIX ID: report--ce6efaf4-cb23-58a4-a06d-bea648a232b6
Feed Name: Aryaka
Aryaka Threat Research Labs documents an active BatShadow campaign that targets job seekers and digital marketing professionals with ZIP-based lures (decoy PDFs plus malicious shortcuts/executables) that run hidden PowerShell to install a Go-based Vampire Bot. The malware performs host profiling, hides for persistence, captures periodic screenshots (compressed to WEBP), maintains an encrypted C2 loop for commands and payloads, and exfiltrates data; the research was responsibly shared with Proofpoint/ET to update detection rules.
