Are Vampire Bots Stalking Job Seekers In Your Midst?

Cybercriminals can pose as recruiters and contact victims through professional networking platforms and job boards, sending spear-phishing emails or direct messages that contain ZIP archives or files disguised as job descriptions and onboarding documents. They sometimes use names such as "Marriott_Marketing_Job_Description.pdf.exe."

When opened, these lures trigger a multi-stage infection chain in which a malicious executable or Windows shortcut file runs PowerShell or other tools to install Vampire Bot while displaying a decoy PDF. This makes the victim believe they are viewing a legitimate job document.

Vampire Bot is written in Go, giving it cross-platform capabilities and making static analysis and detection more difficult for some security tools. Once installed, it profiles the infected system, steals credentials and files, extracts browser and session data, captures screenshots at intervals, and communicates with command-and-control servers over encrypted channels. This enables it to receive further commands or download additional malware.

BatShadow has previously used other stealer and remote-access families such as Agent Tesla, Venom RAT, and Quasar RAT. In this campaign, however, BatShadow has shifted to the custom-built Vampire Bot to improve persistence and data-theft capabilities, reportedly using the stolen information to hijack social media business accounts and other online assets for financial gain.

Cybersecurity agencies and vendors advise job seekers and organizations to treat unsolicited job offers and attached "job description" files with caution, verify recruiters independently, and avoid running executables from ZIP archives. Organizations should also make sure endpoint and email security tools are configured to detect shortcut- and script-based malware chains.
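The two lure patterns described above (a document-looking name such as ".pdf.exe", and a shortcut that launches a hidden PowerShell window while opening a decoy PDF) can be checked for in process-creation telemetry. The following is an added example, not code from the original article or from any vendor; the event field names and the sample events are constructed for illustration.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events in a Sysmon/EDR-like shape.
# Field names (parent, image, cmdline) are assumptions; map them to your own schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\Offer\Marriott_Marketing_Job_Description.pdf.exe",
     "cmdline": r'"C:\Users\alice\Downloads\Offer\Marriott_Marketing_Job_Description.pdf.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -Command Start-Process C:\Users\alice\Downloads\Offer\Onboarding.pdf"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Reader\reader.exe",
     "cmdline": r'"C:\Program Files\Reader\reader.exe" C:\Users\alice\Documents\resume.pdf'},
]

# Rule 1: a document extension immediately followed by an executable or script extension.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.(exe|scr|com|bat|cmd|js|vbs|ps1|lnk)$", re.I)

# Rule 2: a script host started from the desktop shell (what a double-clicked shortcut
# looks like) with a hidden window and a document path on its command line: the
# decoy-document pattern. A normal user-launched PowerShell session has neither.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
DOC_REF = re.compile(r"\.(pdf|docx?|xlsx?)\b", re.I)


def analyze(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, image_path) for every event that matches a lure pattern."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        image = os.path.basename(ev["image"].replace("\\", "/"))
        parent = os.path.basename(ev["parent"].replace("\\", "/")).lower()
        if DOUBLE_EXT.search(image):
            findings.append(("double_extension_executable", ev["image"]))
        if (image.lower() in SCRIPT_HOSTS and parent == "explorer.exe"
                and HIDDEN.search(ev["cmdline"]) and DOC_REF.search(ev["cmdline"])):
            findings.append(("hidden_script_host_with_decoy_document", ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, image in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The third event (a PDF reader opening a résumé) produces no finding, which is the false-positive case these rules are tuned to avoid.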

Source: https://www.darkreading.com/cyberattacks-data-breaches/vampire-bot-malware-job-hunters

Commentary

Malware targeting HR is well-documented. The lesser-known risk is cybercriminals targeting employees and other participants who search for a new job on organization systems and equipment through social media platforms.

The above source illustrates how hard it is to defend against the Vampire Bot when employees conduct their job search on corporate systems. Preventing this threat starts with acknowledging that job hunting on company time and equipment is common, and that it creates a direct path from external social platforms into the enterprise.

IT and security teams should define and enforce a clear policy on Internet use, including whether employees may use corporate email addresses, devices, or browsers to apply for work, upload résumés, or open job-related attachments.

At a minimum, have a corporate policy against job-seeking behavior on organization time, that is, time for which you are paying the participant to work on behalf of the organization. Require that organization devices not be used for personal purposes.

Security awareness campaigns should explicitly address recruiter-themed phishing and "too good to be true" offers. Remind staff that any unsolicited job offer, especially one with attached files or links, must be treated as suspicious, even if it appears to come through a professional networking platform.

Incident response plans should also anticipate the discovery of job-search malware on organization endpoints. Have a playbook for credential resets, containment of compromised accounts, and HR coordination.
