Cybercriminals have adopted a sophisticated social engineering strategy that exploits the trust inherent in job hunting, according to a recent security advisory.
A financially motivated threat cluster operating from Vietnam has been targeting digital advertising and marketing professionals through fake job postings on legitimate employment platforms and custom-built recruitment websites.
The campaign, which leverages remote access trojans and credential-harvesting phishing kits, represents a growing threat to corporate advertising and social media accounts across multiple industries.
The attack methodology centers on creating fake company profiles masquerading as digital media agencies on popular job boards.
When unsuspecting applicants submit their resumes and contact information for these fabricated positions, they unknowingly establish a foundation of trust that threat actors later exploit.
The self-initiated nature of the victim’s first contact makes subsequent communications from the attacker appear legitimate, as targets believe they are engaging with a potential employer about a position they actively pursued.
The risk extends beyond the initial compromise. Threat actors can retain collected victim information for future cold email campaigns about additional fabricated opportunities, or monetize curated lists of active job seekers by selling them to other criminal groups.
This creates a persistent threat environment where a single job application can result in repeated targeting over extended periods.
Google Threat Intelligence Group researchers identified the operation as UNC6229, noting the cluster primarily targets remote workers in contract or part-time positions who may actively seek employment while currently employed.
The campaign specifically focuses on individuals with legitimate access to high-value corporate advertising and social media accounts, which threat actors can either use to sell advertisements themselves or sell outright to other criminal entities.
Delivery Mechanisms and Technical Infrastructure
Following the initial contact phase, UNC6229 employs two primary payload delivery methods depending on campaign specifics.
The first approach involves sending password-protected ZIP attachments disguised as skills assessments, application forms, or preliminary hiring tasks.
These archives contain remote access trojans that grant attackers complete device control, enabling subsequent account takeovers.
The second method utilizes obfuscated phishing links, often shortened through URL services, directing victims to fraudulent interview scheduling portals or assessment platforms.
The phishing infrastructure demonstrates technical sophistication, with analyzed kits configured to specifically target corporate email credentials while handling various multi-factor authentication schemes including Okta and Microsoft implementations.
Google researchers noted that UNC6229 abuses legitimate customer relationship management platforms, including Salesforce, to send initial communications and manage campaigns.
This abuse of trusted services increases email deliverability rates and bypasses traditional security filters, making malicious messages appear authentic to recipients.
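As an added defensive example (not code from the advisory or from Google's research), the following Python triage routine inspects an inbound ZIP attachment without extracting it, flagging entries that carry the ZIP encryption flag (the marker of a password-protected archive, which content scanners cannot see past) and entries with executable-looking names. The sample archive, its filenames and the suffix list are constructed assumptions for illustration.

```python
import io
import struct
import zipfile

# Assumed list of suffixes that commonly carry executable content when an
# archive is presented as a "skills assessment" or "application form".
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi", ".hta")


def triage_zip_attachment(data: bytes) -> dict:
    """Read only the ZIP directory; never extract or execute anything.

    Bit 0 of each entry's general-purpose flags is set for password-protected
    entries. An encrypted archive cannot be content-scanned, so encryption
    combined with an executable-looking name is rated high risk.
    """
    result = {"is_zip": False, "encrypted": [], "executables": [], "risk": "low"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                result["encrypted"].append(info.filename)
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                result["executables"].append(info.filename)
    if result["encrypted"]:
        result["risk"] = "high" if result["executables"] else "medium"
    elif result["executables"]:
        result["risk"] = "medium"
    return result


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed test archive (placeholder bytes, not a real lure).

    zipfile cannot write encrypted archives, so the encryption bit is patched
    into the local (offset 6) and central-directory (offset 8) headers after
    writing, which is enough to exercise the triage logic above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("skills_assessment.exe", b"MZ placeholder")
        zf.writestr("README.txt", b"please open the assessment")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + off)[0] | 0x1
                struct.pack_into("<H", data, pos + off, flags)
                pos = data.find(sig, pos + 4)
    return bytes(data)
```

A mail gateway rule would quarantine or hold for review any attachment rated "high", since the archive contents cannot be inspected before the recipient supplies the password.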
