RSS Cloud Blog

Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials

Google's Threat Intelligence Group (GTIG) tracks UNC6229, a financially motivated group operating from Vietnam. This group uses fake job postings on various platforms, including legitimate sites, to target digital advertising and marketing professionals. The attackers employ social engineering, creating fake job opportunities to lure victims into interacting with malicious content. The goal is to deliver malware or phishing links to steal credentials and compromise high-value corporate accounts. Successful account takeover allows the threat actors to profit by selling ads or the accounts themselves. The initial contact often appears legitimate to build trust, abusing CRM platforms to bypass security measures. Victims are then tricked into opening malicious attachments or visiting phishing pages designed to steal their credentials. The phishing pages are often designed to target corporate email credentials and to handle various multifactor authentication schemes. GTIG attributes this activity with high confidence to a group in Vietnam, highlighting their use of shared tools and techniques. The threat actors are expected to continue refining this approach, targeting other industries with valuable assets. GTIG shares its findings to improve Google's product security and users' safety, adding identified threats to Safe Browsing blocklists.
cloud.google.com