Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials

• Google Threat Intelligence Group (GTIG) is tracking a cluster of financially motivated threat actors operating from Vietnam that leverages fake job postings on legitimate platforms to target individuals in the digital advertising and marketing sectors.
• The actor effectively uses social engineering to deliver malware and phishing kits, ultimately aiming to compromise high-value corporate accounts, in order to hijack digital advertising accounts.
• GTIG tracks parts of this activity as UNC6229.
• The activity targets remote digital advertising workers who have contract or part-time positions and may actively look for work while they currently have a job.
• The attack starts when a target downloads and executes malware or enters credentials into a phishing site.

Article Summaries:
- Google Threat Intelligence Group (GTIG) has identified a financially motivated threat cluster, UNC6229, operating from Vietnam that uses fake job postings on legitimate employment and freelance platforms to target digital advertising and marketing professionals. The actors employ social engineering to lure applicants into downloading malware or entering credentials on phishing sites, aiming to compromise corporate advertising and social‑media accounts. Successful breaches allow the threat actors to sell or hijack these accounts for profit. GTIG has added the associated domains and files to Safe Browsing blocklists and is sharing findings to improve industry threat‑hunting and user protection.
Sources: