
"The attack chains, per the cybersecurity company, leverage ZIP archives containing decoy PDF documents along with malicious shortcut (LNK) or executable files that are masked as PDF to trick users into opening them. When launched, the LNK file runs an embedded PowerShell script that reaches out to an external server to download a lure document, a PDF for a marketing job at Marriott."
"Victims who end up clicking on a link in the lure PDF to supposedly "preview" the job description are directed to another landing page that serves a fake error message stating the browser is unsupported and that "the page only supports downloads on Microsoft Edge." "When the user clicks the OK button, Chrome simultaneously blocks the redirect," Aryaka said. "The page then displays another message instructing the user to copy the URL and open it in the Edge browser to download the file.""
BatShadow targets job seekers and digital marketing professionals with recruiter-themed lures to deliver Vampire Bot, a previously undocumented Go-based malware. Attack chains use ZIP archives containing decoy PDFs and malicious LNK or executable files masked as PDFs. The LNK executes an embedded PowerShell script that downloads a lure PDF and a ZIP with XtraViewer files to likely establish persistent remote access. Lure PDFs contain links that direct victims to landing pages showing fake unsupported-browser errors and prompting manual copying of URLs into Microsoft Edge to bypass browser redirect blocks. Clicking these prompts results in downloading and executing additional components to compromise hosts.
Read at The Hacker News
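A triage check for the delivery stage described above, written as an added example and not taken from Aryaka's report or The Hacker News article: it lists ZIP entries that present as PDFs but whose name or leading bytes say otherwise. The double-extension naming pattern, the extension list, the function names and the sample archive are assumptions made for illustration; the sample is constructed and contains only inert placeholder bytes.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
SIGNATURES = (("lnk", LNK_MAGIC), ("pe", b"MZ"), ("pdf", b"%PDF-"))
RISKY_EXT = (".lnk", ".exe", ".scr", ".com", ".pif")  # assumed list, extend as needed


def sniff(head: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    return next((kind for kind, magic in SIGNATURES if head.startswith(magic)), "other")


def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for entries that pose as PDFs but are not."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as fh:
                kind = sniff(fh.read(32))
            # Explorer hides the .lnk extension, so "x.pdf.lnk" is shown as "x.pdf".
            if ".pdf" in name and name.endswith(RISKY_EXT):
                findings.append((info.filename, f"double extension, content={kind}"))
            elif name.endswith(".pdf") and kind != "pdf":
                findings.append((info.filename, f"named .pdf but content={kind}"))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: only the file headers are realistic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("JD_overview.pdf", b"%PDF-1.7\n% constructed decoy\n")
        zf.writestr("Job_Description.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Benefits.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Salary.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in triage_zip(build_sample()):
        print(f"{entry}: {reason}")
```

The same check can run at a mail gateway or download proxy before the archive reaches a user; it inspects names and headers only and never executes the entries.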