Cybercriminals have adopted a sophisticated social engineering strategy that exploits the trust inherent in job hunting, according to a recent security advisory.<\/p>\n
A financially motivated threat cluster operating from Vietnam has been targeting digital advertising and marketing professionals through fake job postings on legitimate employment platforms and custom-built recruitment websites.<\/p>\n
The campaign, which leverages remote access trojans and credential-harvesting phishing kits<\/a>, represents a growing threat to corporate advertising and social media accounts across multiple industries.<\/p>\n The attack methodology centers on creating fake company profiles masquerading as digital media agencies on popular job boards.<\/p>\n When unsuspecting applicants submit their resumes and contact information for these fabricated positions, they unknowingly establish a foundation of trust that threat actors later exploit.<\/p>\n The self-initiated nature of the victim\u2019s first contact makes subsequent communications from the attacker appear legitimate, as targets believe they are engaging with a potential employer about a position they actively pursued.<\/p>\n The vulnerability extends beyond immediate exploitation. Threat actors can retain collected victim information for future cold email campaigns about additional fabricated opportunities or monetize curated lists of active job seekers<\/a> by selling them to other criminal groups.<\/p>\n This creates a persistent threat environment where a single job application can result in repeated targeting over extended periods.<\/p>\n Google Threat Intelligence Group researchers identified<\/a> the operation as UNC6229, noting the cluster primarily targets remote workers in contract or part-time positions who may actively seek employment while currently employed.<\/p>\n The campaign specifically focuses on individuals with legitimate access to high-value corporate advertising and social media accounts, which threat actors can either use to sell advertisements or directly sell the compromised accounts to other criminal entities.<\/p>\n Following the initial contact phase, UNC6229 employs two primary payload delivery methods depending on campaign specifics.<\/p>\n The first approach involves sending password-protected ZIP attachments disguised as skills assessments, application forms, or preliminary hiring tasks.<\/p>\n These archives contain remote access trojans that grant attackers complete device control, enabling subsequent account takeovers.<\/p>\n The second method utilizes obfuscated phishing links, often shortened through URL services, directing victims to fraudulent interview scheduling portals or assessment platforms.<\/p>\n The phishing infrastructure demonstrates technical sophistication, with analyzed kits configured to specifically target corporate email credentials while handling various multi-factor authentication schemes including Okta<\/a> and Microsoft implementations.<\/p>\n Google researchers noted that UNC6229 abuses legitimate customer relationship management platforms, including Salesforce, to send initial communications and manage campaigns.<\/p>\n This abuse of trusted services increases email deliverability rates and bypasses traditional security filters<\/a>, making malicious messages appear authentic to recipients.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Google Warns of Threat Actors Using Fake Job Posting to Deliver Malware and Steal Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhZr2tmsVB0zHmFa26FbOFGpoOFS5023TuCGCR28CpTZ-55DGiNGGzxUBm8T07gZI_6kzzlNtPXtFMrew9ifFgoi6K2ZNURPC1f3YT7vLVEBg4vosBJsfuc2mrx3XVB0hUNdIid-5k2rkE8iMYhX06aq-uFEy6wqkVvCMMp-Q1tDW5PIEXyNhTUfjQOQdQ\/s16000\/Attack%2520flo%2520%28Source%2520-%2520Google%2520Cloud%29.webp?ssl=1\")
Delivery Mechanisms and Technical Infrastructure<\/strong><\/h2>\n