Google Warns of Cybercriminals Using Fake Job Postings to Spread Malware and Steal Credentials

Google’s Threat Intelligence Group (GTIG) has uncovered a sophisticated social engineering campaign orchestrated by financially motivated threat actors based in Vietnam.

The ultimate objective is to compromise corporate advertising accounts and steal valuable credentials for resale or direct monetization.

The threat cluster specifically targets remote workers in digital advertising roles, focusing on individuals with contract or part-time positions actively seeking employment.

The campaign, attributed to a threat cluster tracked as UNC6229, exploits job seekers’ trust by posting fake career opportunities on legitimate employment platforms to deliver malware and phishing kits targeting the digital advertising and marketing sectors.

By compromising these workers’ devices or stealing their credentials, UNC6229 gains unauthorized access to high-value corporate advertising and social media accounts.

Once breached, threat actors monetize these accounts by either selling advertisements through them or transferring ownership to other malicious actors.

Google has committed to sharing its findings with the security community and has added identified malicious infrastructure to its Safe Browsing blocklist to protect users across major browsers.

Exploiting Trust Through the Hiring Process

The campaign’s effectiveness lies in its exploitation of trust inherent in legitimate job applications. UNC6229 creates convincing fake company profiles on popular employment platforms, masquerading as digital media agencies and recruiters.

Attack flow.

When unsuspecting job seekers apply for these fabricated positions, they unwittingly initiate contact with the attackers by providing personal information, contact details, and resumes. This victim-initiated action establishes a foundation of trust that the threat actors leverage in subsequent interactions.

The attacker retains victims’ personal information for future targeting or sells curated lists of active job seekers to other threat actors for similar campaigns. By using legitimate job platforms alongside custom-built fake job websites, UNC6229 significantly increases its campaign’s reach and credibility.

Screenshots of threat actors posting on LinkedIn.

Screenshots analyzed by GTIG reveal the actors posting on LinkedIn and establishing their own fraudulent job sites, such as staffvirtual[.]website, to expand their targeting capabilities across specific industries and geographic regions.

Multi-Stage Attack Chain

Upon a victim’s application, UNC6229 initiates personalized contact through email or direct messaging platforms. The initial outreach is deliberately benign, referencing the specific job application and addressing victims by name to build rapport without raising suspicion.

GTIG discovered that the threat actors abuse legitimate business tools, including CRM platforms such as Salesforce as well as Google Groups and Google AppSheet, to send bulk emails and manage campaigns.

By leveraging these trusted services, malicious emails bypass security filters more effectively and appear legitimate to targets.

After establishing rapport, the threat actors proceed to payload delivery. In some campaigns, victims receive password-protected ZIP files disguised as skills assessments, application forms, or preliminary hiring tasks.

These archives contain remote access trojans (RATs) that grant attackers full control over victims’ devices, enabling account takeover and credential theft.
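As an added illustration of how a mail gateway can triage the password-protected "skills assessment" archives described above (example code written for this page, not from the Google report or any vendor product): a ZIP's central directory stores member names and the encryption flag in the clear, so an encrypted attachment can still be flagged when it carries an executable, without the password. The `constructed_zip` helper and the block policy are assumptions made for the demo.

```python
import io
import zipfile

# File types that have no business inside a "skills assessment" archive.
EXEC_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi")


def inspect_archive(blob: bytes) -> dict:
    """Triage a ZIP attachment without extracting it or knowing its password.
    The central directory keeps member names and flags in the clear, so a
    gateway can still see that an archive is password-protected (which
    defeats content scanning) and that it carries an executable."""
    result = {"valid": True, "members": 0, "encrypted": [], "executables": []}
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                result["members"] += 1
                if info.flag_bits & 0x1:  # general-purpose flag bit 0: encrypted
                    result["encrypted"].append(info.filename)
                if info.filename.lower().endswith(EXEC_SUFFIXES):
                    result["executables"].append(info.filename)
    except zipfile.BadZipFile:
        result["valid"] = False
    return result


def should_block(blob: bytes) -> bool:
    """Assumed policy: hold unreadable archives and password-protected archives
    that carry an executable; everything else goes on to normal content scanning."""
    r = inspect_archive(blob)
    return not r["valid"] or (bool(r["encrypted"]) and bool(r["executables"]))


def constructed_zip(members: dict[str, bytes], encrypted: bool) -> bytes:
    """Constructed sample for testing. With encrypted=True the encryption bit
    is set in every local and central header so the archive lists like a
    password-protected ZIP (zipfile cannot write real ZipCrypto entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # local, central
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= 1
                pos = raw.find(sig, pos + 4)
    return bytes(raw)
```

A real password-protected archive also prepends a 12-byte encryption header to each member's data, but listing never touches the data, so the check above behaves the same on genuine ZipCrypto archives.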

In other variants, victims receive obfuscated links directing them to highly convincing phishing pages designed to harvest corporate credentials.

Analysis of phishing kits associated with UNC6229 reveals sophisticated credential-stealing infrastructure specifically configured to target corporate email accounts and multi-factor authentication schemes from providers like Okta and Microsoft.

Sophisticated Social Engineering at Scale

The “fake career” lure represents a potent threat because it exploits fundamental human behaviors and professional necessity.

Unlike in traditional phishing campaigns, victims believe they are initiating legitimate business contact with potential employers, which makes them far more susceptible to manipulation.

The combination of patience, personalization, and abuse of legitimate commercial platforms demonstrates the threat cluster’s operational maturity and resource availability.

GTIG assesses with high confidence that UNC6229 operates as a collaborative cluster of financially motivated individuals sharing tools, techniques, and infrastructure on private forums.

The group’s success against digital advertising workers suggests the same approach could expand to other industries where employees hold access to valuable corporate assets.

As threat actors continue refining social engineering tactics and exploiting legitimate SaaS and CRM platforms, organizations must enhance employee awareness training and implement robust account security measures to defend against these evolving threats.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.