Vietnamese Actors Use Recruitment Lures for Espionage and Theft

Amber | Attack Report

Summary

A financially motivated threat group tracked as UNC6229 and operating from Vietnam is running a social engineering campaign against professionals in the digital advertising and marketing sectors. The group places fraudulent job postings on legitimate employment platforms and freelance marketplaces to deliver malware, harvest credentials, and gain unauthorized access to corporate advertising and social media accounts.

By exploiting the trust job seekers place in the hiring process, UNC6229 infiltrates enterprise networks, manipulates digital ad operations, and monetizes compromised accounts through illicit trading, ad sales, and credential resale.


Attack Details

UNC6229's operations follow a structured, multi-phase approach:

  1. Initial Lure via Job Postings
    Fake job listings are placed on legitimate employment platforms, freelance marketplaces, or attacker-controlled domains to attract victims.
  2. Execution through Malware or Phishing
    Once a target opens the malicious attachment or enters credentials into a phishing portal, the attackers either harvest those credentials or deploy a Remote Access Trojan (RAT) to take control of the device.
  3. Exploitation of Dual-use Accounts
    If victims use personal credentials on corporate devices, or corporate credentials on personal devices, the attackers pivot into business systems such as ad accounts, CRMs, or marketing dashboards.
  4. Monetization and Persistence
    Compromised assets are sold, repurposed for fraudulent ad campaigns, or used to launch further phishing waves against the victim's wider corporate network.
  5. Attack Vectors and Communication Channels
    Across these phases the group communicates through email, direct messaging, and CRM platforms, often sending password-protected ZIP files disguised as hiring tasks or skills assessments; the password keeps the archive's contents opaque to gateway scanners. Links are shortened or otherwise obfuscated to bypass URL filters and frequently mimic legitimate SaaS environments.
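
The password-protected ZIP lures described in phase 5 cannot be content-scanned, so the first useful check is on archive headers alone. The following Python script is an added example, not HivePro's or the actor's code: it builds a constructed "hiring task" archive inline (Python's zipfile cannot write encrypted archives, so a helper sets the encrypted flag bit in a plain archive's headers to stand in for a real password-protected one; the member names, contents and extension lists are assumptions), then inspects it header by header, flagging encrypted members, executable members and the "Brief.pdf.exe" double-extension masquerade, and returns an allow/hold/block verdict a mail gateway or EDR hook could act on.

```python
"""Header-only inspection of a candidate "skills assessment" ZIP attachment.
Added example; the sample archive is constructed inline and is not a real lure."""
import io
import os
import zipfile

# Member extensions that should never run from an unsolicited hiring task (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".msi", ".js", ".jse", ".vbs", ".vbe",
                   ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".jar", ".iso", ".img"}
# Extensions a recruiter would legitimately send; one of these in front of an
# executable extension ("Brief.pdf.exe") is the classic masquerade (T1036).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


def _mark_encrypted(blob: bytes) -> bytes:
    """Constructed test helper: set bit 0 (encrypted) of the general-purpose flag in
    every local file header (offset 6) and central directory entry (offset 8).
    Real password-protected archives arrive with this bit already set."""
    buf = bytearray(blob)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + flag_off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


def build_sample_archive(encrypted: bool = True, executable: bool = True) -> bytes:
    """Constructed lure: a cover PDF, optionally plus a double-extension executable."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Campaign Brief.pdf", b"%PDF-1.4 placeholder, not a real document")
        if executable:
            zf.writestr("Skills Assessment.pdf.exe", b"MZ placeholder, not a real binary")
    blob = out.getvalue()
    return _mark_encrypted(blob) if encrypted else blob


def inspect_archive(blob: bytes) -> dict:
    """Return a verdict ("allow", "hold", "block") and the reasons, reading headers only.
    Nothing is decrypted or extracted, so this works on archives scanners cannot open."""
    reasons = []
    encrypted = dangerous = False
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & 0x01:
                encrypted = True
                reasons.append(f"password-protected member, cannot be content-scanned: {name}")
            stem, ext = os.path.splitext(name)
            if ext.lower() in EXECUTABLE_EXTS:
                dangerous = True
                reasons.append(f"executable member: {name}")
                if os.path.splitext(stem)[1].lower() in DOCUMENT_EXTS:
                    reasons.append(f"double-extension masquerade: {name}")
    if dangerous:
        verdict = "block"
    elif encrypted:
        verdict = "hold"   # release only after sender and password are verified out of band
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    result = inspect_archive(build_sample_archive())
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

The "hold" verdict is the practical compromise for encrypted archives: a password-protected ZIP from a recruiter is not proof of malice, but it defeats every content scanner in the path, so it should not reach the user until someone confirms the sender and the password through a channel the attacker does not control.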

Recommendations

  1. Restrict File Execution Privileges
    Enforce application allow-listing so that executables a user extracts from a downloaded archive cannot run, and have the mail gateway hold password-protected archives from unsolicited senders, since their contents cannot be scanned.
  2. Monitor for Anomalous Access
    Continuously monitor advertising and social media accounts for unusual logins, configuration changes, or suspicious activity, such as newly added users, changed billing details, or campaigns launched outside normal hours.
  3. Implement DNS and URL Filtering
    Block access to malicious domains, shortened URLs, and known phishing infrastructure using threat-intelligence-driven filters.
  4. Separate Personal and Corporate Accounts
    Prevent employees from accessing personal social or email accounts from corporate devices, and from administering corporate ad or social accounts from personal devices, to reduce exposure pathways; enforce multi-factor authentication on the corporate accounts.

Indicators of Compromise (IoCs)

Malicious Domain:

  • staffvirtual[.]website

SHA256 Hashes:

  • 137a6e6f09cb38905ff5c4ffe4b8967a45313d93bf19e03f8abe8238d589fb42
  • 33fc67b0daaffd81493818df4d58112def65138143cec9bd385ef164bb4ac8ab
  • 35721350cf3810dd25e12b7ae2be3b11a4e079380bbbb8ca24689fb609929255
  • bc114aeaaa069e584da0a2b50c5ed6c36232a0058c9a4c2d7660e3c028359d81
  • e1ea0b557c3bda5c1332009628f37299766ac5886dda9aaf6bc902145c41fd10
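
To make the indicators above, and the DNS/URL filtering and monitoring recommendations, actionable, the following Python script is an added example and not HivePro's tooling: it refangs the published domain, matches DNS or proxy queries against it (exact or subdomain only, so look-alikes such as notstaffvirtual.website do not fire), and checks exported file hashes against the SHA256 list case-insensitively. The log lines and their simplified "timestamp client qtype query" format are constructed for the example, and the hashed placeholder content is not a real sample, so its hash correctly does not match.

```python
"""Match this advisory's IoCs against DNS telemetry and file hashes.
Added example; log lines and file content are constructed, not real data."""
import hashlib
import re
from typing import Iterable, List, Optional, Set, Tuple

# Indicators from the advisory, kept defanged exactly as published.
IOC_DOMAINS_DEFANGED = ["staffvirtual[.]website"]
IOC_SHA256 = {
    "137a6e6f09cb38905ff5c4ffe4b8967a45313d93bf19e03f8abe8238d589fb42",
    "33fc67b0daaffd81493818df4d58112def65138143cec9bd385ef164bb4ac8ab",
    "35721350cf3810dd25e12b7ae2be3b11a4e079380bbbb8ca24689fb609929255",
    "bc114aeaaa069e584da0a2b50c5ed6c36232a0058c9a4c2d7660e3c028359d81",
    "e1ea0b557c3bda5c1332009628f37299766ac5886dda9aaf6bc902145c41fd10",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable value."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


IOC_DOMAINS = {refang(d).lower() for d in IOC_DOMAINS_DEFANGED}


def matching_ioc_domain(host: str) -> Optional[str]:
    """Exact or subdomain match only. Substring matching would fire on
    'notstaffvirtual.website' and miss nothing useful, so it is avoided."""
    host = host.lower().rstrip(".")          # tolerate FQDN trailing dot
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed simplified format: "<timestamp> <client-ip> <qtype> <query>" (assumption).
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<query>\S+)$")


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, query, matched_ioc) for every line that hits."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ioc = matching_ioc_domain(m["query"])
        if ioc:
            hits.append((m["ts"], m["client"], m["query"], ioc))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hashes(hashes: Iterable[str]) -> Set[str]:
    """Subset of the supplied SHA-256 values that are advisory IoCs.
    Compared case-insensitively because EDR exports are inconsistent."""
    return {h.strip().lower() for h in hashes} & IOC_SHA256


# Constructed sample log: one real hit, one FQDN-with-dot hit, two look-alikes, one benign.
SAMPLE_DNS_LOG = """\
2025-09-30T08:01:12Z 10.20.4.17 A cdn.example.com
2025-09-30T08:01:40Z 10.20.4.17 A jobs.staffvirtual.website
2025-09-30T08:02:05Z 10.20.4.31 A notstaffvirtual.website
2025-09-30T08:02:33Z 10.20.4.31 A staffvirtual.website.example.com
2025-09-30T08:03:10Z 10.20.4.52 AAAA staffvirtual.website.
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print("DNS IoC hit:", hit)
    placeholder = sha256_hex(b"placeholder hiring task, constructed for this example")
    print("hash IoC matches:", match_hashes([placeholder]))
```

For production use, swap LOG_LINE for a parser of the resolver's real format (Zeek dns.log, Windows DNS analytic logs, proxy access logs); matching_ioc_domain and match_hashes are the reusable pieces, and the domain matcher can also be pointed at the `Host` header in proxy logs to catch the shortened-link redirects the group uses.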


MITRE ATT&CK TTPs

Tactics:

  • TA0001: Initial Access
  • TA0002: Execution
  • TA0003: Persistence
  • TA0004: Privilege Escalation
  • TA0005: Defense Evasion
  • TA0006: Credential Access
  • TA0007: Discovery
  • TA0009: Collection
  • TA0040: Impact
  • TA0042: Resource Development
  • TA0043: Reconnaissance

Techniques:

  • T1566 / T1566.001 / T1566.002: Phishing (Spearphishing Attachment / Spearphishing Link)
  • T1204 / T1204.002: User Execution (Malicious File)
  • T1078: Valid Accounts
  • T1219: Remote Access Software
  • T1036: Masquerading
  • T1608 / T1608.004: Stage Capabilities (Drive-by Target)
  • T1098: Account Manipulation
  • T1199: Trusted Relationship
  • T1586 / T1586.001: Compromise Accounts (Social Media Accounts)
  • T1657: Financial Theft
  • T1531: Account Access Removal
  • T1667: Email Bombing
  • T1589 / T1589.001: Gather Victim Identity Information (Credentials)

