Hackers Exploit Fake Job Listings in Credential Theft Scheme, Google Reports

Published 2025-10-24 19:01:45 | cyberpress.org

Google's Threat Intelligence Group has uncovered a Vietnamese cybercriminal campaign that uses fake job postings to compromise digital marketing professionals. The campaign, tracked as UNC6229, employs social engineering and malware tactics to hijack corporate advertising accounts.

Google’s Threat Intelligence Group (GTIG) has uncovered a Vietnamese cybercriminal campaign that leverages fake job postings to compromise digital marketing professionals and hijack corporate advertising accounts. The financially motivated cluster, tracked as UNC6229, employs advanced social engineering and malware-delivery tactics to infiltrate business environments via victims’ personal devices and online credentials.

GTIG’s research reveals that UNC6229 relies on a victim-initiated interaction model, in which unsuspecting job seekers apply to fraudulent openings posted on legitimate platforms like LinkedIn and freelance marketplaces, and even on attacker-controlled job websites such as staffvirtual[.]website. These fake listings typically advertise remote roles in the digital marketing and advertising sector. Once a target applies, attackers collect the individual’s name, resume, and contact information, laying the groundwork for personalized phishing or malware distribution.

The attack progresses when the victim receives either a malicious attachment or a phishing link. In malware-driven variants, the attacker sends a password-protected ZIP archive that purports to be a skills test or pre-employment form. Once opened, the file deploys remote access trojans (RATs), enabling full system compromise and credential theft. Phishing variants route victims to convincing sign-in portals that mimic major corporate services, with back-end kits designed to capture credentials from platforms like Microsoft 365 and Okta, even bypassing multi-factor authentication (MFA) mechanisms.
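For defenders, the password-protected ZIP delivery described above can be triaged at the mail gateway without the password, because member names and the encryption flag sit unencrypted in the archive's central directory. The following is an added example, not code from GTIG or the article; `LURE_TERMS`, the verdict names and the sample archives are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: member is encrypted
# Assumed lure wording, based on the article's "skills test or pre-employment form".
LURE_TERMS = ("skills test", "pre employment", "assessment", "application form")

def norm(name: str) -> str:
    return name.lower().replace("_", " ").replace("-", " ")

def encrypted_entries(data: bytes) -> list[str]:
    """Names of encrypted members, read from the central directory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]
    except zipfile.BadZipFile:
        return []  # not a ZIP: leave to other checks

def triage_attachment(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict names are this example's own."""
    reasons = []
    locked = encrypted_entries(data)
    if locked:
        reasons.append(f"encrypted members the scanner cannot inspect: {locked}")
    visible = " ".join(norm(n) for n in [filename, *locked])
    hits = [t for t in LURE_TERMS if t in visible]
    if hits:
        reasons.append(f"recruitment-lure wording: {hits}")
    if locked and hits:
        return "quarantine", reasons
    return ("review" if locked else "allow"), reasons

def sample_zip(member: str, encrypted: bool) -> bytes:
    """Constructed test archive; sets only the flag bit, payload is not encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed sample content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.find(b"PK\x01\x02")  # central directory header; flags at offset 8
        (flags,) = struct.unpack_from("<H", raw, cd + 8)
        struct.pack_into("<H", raw, cd + 8, flags | ENCRYPTED)
    return bytes(raw)

if __name__ == "__main__":
    blob = sample_zip("pre-employment_form.exe", True)
    print(triage_attachment("Marketing_Skills_Test.zip", blob))
```

An unencrypted archive returns `allow` here only because the regular content scanner can open it; this check complements that scanner rather than replacing it.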

GTIG attributes UNC6229 to a Vietnam-based operation showing signs of collaboration and tool-sharing among multiple financially motivated actors. While the current campaigns focus on digital marketing professionals, GTIG warns that similar tactics could easily expand into other industries handling sensitive commercial data.