Date: 10/29/2025
Severity: High
Summary
A Vietnam-based threat cluster, tracked as UNC6229, is conducting fake job posting campaigns targeting digital marketing and advertising professionals. The group uses social engineering through legitimate employment platforms and fraudulent recruitment sites to deliver malware or steal credentials. Their objective is to gain access to corporate advertising and social media accounts for financial gain, including hijacking ad campaigns or selling compromised accounts. Related domains and malicious files have been blocked, and increased awareness of these tactics can help strengthen industry-wide defenses against this targeted, financially motivated operation.
Indicators of Compromise (IOC) List
URLs/Domains: staffvirtual.website
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: domainname like "staffvirtual.website" or siteurl like "staffvirtual.website" or url like "staffvirtual.website"
Detection Query 2: sha256hash IN ("33fc67b0daaffd81493818df4d58112def65138143cec9bd385ef164bb4ac8ab","35721350cf3810dd25e12b7ae2be3b11a4e079380bbbb8ca24689fb609929255","137a6e6f09cb38905ff5c4ffe4b8967a45313d93bf19e03f8abe8238d589fb42","bc114aeaaa069e584da0a2b50c5ed6c36232a0058c9a4c2d7660e3c028359d81","e1ea0b557c3bda5c1332009628f37299766ac5886dda9aaf6bc902145c41fd10")
Reference:
https://cloud.google.com/blog/topics/threat-intelligence/vietnamese-actors-fake-job-posting-campaigns