Cybercriminals have adopted an advanced social engineering approach that takes advantage of the trust job seekers place in employment platforms, as highlighted in a new Google security advisory.
Targeting Through Deceptive Recruitment Websites
A financially driven threat group based in Vietnam, identified as UNC6229, has been targeting professionals in the digital advertising and marketing sectors. The attackers post fake job listings on legitimate job boards and create custom recruitment sites to deceive job seekers.
These fraudulent campaigns use remote access trojans (RATs) and phishing kits designed to steal credentials, posing a growing risk to corporate social media and advertising accounts across multiple industries.
Building Trust Through Fabricated Company Profiles
The attackers establish fake company identities that appear to be digital media agencies. When victims submit resumes and contact details for these jobs, they unknowingly hand over personal information to malicious actors.
Because the applicant initiates the first contact, the follow-up messages seem legitimate, which makes the phishing operation highly convincing. Victims believe they are communicating with a genuine employer about a job opportunity they applied for.
Long-Term Data Exploitation
The collected information is not only used for immediate attacks but may also be stored and reused for future scams. Threat actors can conduct cold email campaigns, promote new fake job offers, or sell curated databases of active job seekers to other cybercriminals.
This creates a persistent threat environment where a single job application can expose victims to multiple long-term attacks.

High-Value Targets and Monetization
UNC6229 primarily focuses on individuals who manage or have access to corporate advertising and social media accounts. Such access allows attackers to either sell compromised accounts or use them to run unauthorized ads for profit.
Malware Delivery and Technical Operations
Once contact is made, the attackers deploy two main delivery techniques:
- Malicious ZIP Attachments:
Victims receive password-protected ZIP files disguised as skills assessments, application forms, or test assignments. These files contain remote access trojans, giving attackers full control of the infected device and enabling account takeovers.
- Phishing Links via URL Shorteners:
Victims are also lured through obfuscated phishing URLs that redirect them to fake interview scheduling pages or assessment portals.
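For defenders, the two delivery patterns above can be checked at mail triage. The following is an added example, not code from the Google advisory or this article: it flags attachments that contain encrypted ZIP entries and links whose host is on a shortener list. The shortener list, function names and sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed sample list, not from the advisory

def encrypted_members(data):
    """Return names of ZIP entries whose general-purpose flag bit 0 (encrypted) is set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []  # not a ZIP archive

def triage(raw):
    """Flag encrypted ZIP attachments and shortener links in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {"encrypted_zips": {}, "shortener_links": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            # Inspect the content itself, not the extension or declared MIME type.
            names = encrypted_members(part.get_payload(decode=True) or b"")
            if names:
                hits["encrypted_zips"][part.get_filename()] = names
        elif part.get_content_maintype() == "text":
            for url in re.findall(r"https?://[^\s\"'<>]+", part.get_content()):
                if (urlsplit(url).hostname or "") in SHORTENERS:
                    hits["shortener_links"].append(url)
    return hits

def constructed_sample():
    """Constructed test message; the archive holds only harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assessment.txt", "placeholder")
    data = bytearray(buf.getvalue())
    # zipfile cannot write encrypted archives, so set the flag in the central directory.
    data[data.rfind(b"PK\x01\x02") + 8] |= 0x01
    msg = EmailMessage()
    msg["Subject"] = "Skills assessment"
    msg.set_content("Book your interview: https://bit.ly/EXAMPLE\n")
    msg.add_attachment(bytes(data), maintype="application",
                       subtype="octet-stream", filename="assessment.zip")
    return msg.as_bytes()
```

A scanner cannot inspect the contents of an encrypted entry, so a hit here is a reason to quarantine or route the message for review, not a verdict on the payload.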
The phishing infrastructure is technically advanced, with phishing kits built to target corporate email credentials and bypass multi-factor authentication (MFA) systems, including Okta and Microsoft authentication.
Abuse of Trusted Platforms
Google researchers found that the group exploits legitimate CRM services like Salesforce to send initial phishing emails and manage their campaigns. By leveraging trusted communication channels, they bypass traditional email security filters and make malicious messages appear authentic and professional.


