{"id":23356,"date":"2026-01-06T08:00:29","date_gmt":"2026-01-06T01:00:29","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=23356"},"modified":"2026-01-20T10:16:55","modified_gmt":"2026-01-20T03:16:55","slug":"when-job-opportunities-become-a-fake","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/when-job-opportunities-become-a-fake\/","title":{"rendered":"When Job Opportunities Become a Trap: The Fake Recruitment Campaign by Vietnamese Hackers"},"content":{"rendered":"<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Recently, a cybercriminal group tracked under the name UNC6229 launched a phishing campaign targeting Digital Marketing professionals in Vietnam.<\/span><\/p>\n<div class=\"blog-content-wrapper article-main-wrapper container relative z-30 mx-auto grid grid-flow-row grid-cols-8 xl:gap-6 2xl:grid-cols-10\">\n<section class=\"blog-content-main z-20 col-span-8 mb-10 px-4 md:z-10 lg:col-span-6 lg:col-start-2 lg:px-0 xl:col-span-6 xl:col-start-2 2xl:col-span-6 2xl:col-start-3\">\n<div class=\"relative\">\n<div id=\"post-content-parent\" class=\"relative mb-10 pb-14\">\n<div id=\"post-content-wrapper\" class=\"prose prose-base mx-auto mb-10 min-h-30 break-words dark:prose-dark lg:prose-lg\">\n<h2 id=\"heading-overview\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Overview<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">In October 2025,\u00a0<strong>Google&#8217;s Threat Intelligence Group (GTIG) discovered a large-scale phishing campaign by Vietnamese hackers.<\/strong>\u00a0They exploited fake job postings on legitimate platforms to target individuals in the digital marketing and advertising fields. 
The attackers used sophisticated methods to distribute malware and phishing toolkits, ultimately aiming to compromise high-value corporate accounts to hijack digital advertising accounts. GTIG has designated this campaign with the tracking code\u00a0<strong>UNC6229.<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Google Threat Intelligence Group stated that this campaign primarily<\/strong>\u00a0targets remote digital advertising employees, those with contract or part-time positions, who may be actively seeking jobs. The attack begins when the victim downloads and executes malware or enters credentials into a phishing website. This inadvertently exposes all of the victim&#8217;s information, and the user&#8217;s machine becomes a platform for spreading malware or deploying backdoors to take over systems.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-1-1763604808.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23357\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-1-1763604808.jpg\" alt=\"\u1ea3nh 1 1763604808\" width=\"1080\" height=\"581\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-1-1763604808.jpg 1080w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-1-1763604808-700x377.jpg 700w\" sizes=\"(max-width: 1080px) 100vw, 1080px\" \/><\/a><\/span><\/p>\n<h2 id=\"heading-campaign-details\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Campaign Details<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">As mentioned, the\u00a0<strong>UNC6229<\/strong>\u00a0group will create fake company profiles, often posing as digital media agencies or recruitment companies in the digital advertising industry. 
They will post attractive positions, remote or flexible work, targeting those seeking part-time or contract jobs in digital advertising.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">To build trust with victims, the attackers encourage job seekers to proactively send their information (resume, name, contact). According to one victim, &#8220;I applied proactively, so this seemed like a normal recruitment process,&#8221; showing how sophisticated and psychologically adept the attackers are.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-2-1763604835.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23358\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-2-1763604835.jpg\" alt=\"\u1ea3nh 2 1763604835\" width=\"1007\" height=\"1200\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-2-1763604835.jpg 1007w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-2-1763604835-700x834.jpg 700w\" sizes=\"(max-width: 1007px) 100vw, 1007px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">After posting fake job listings, the hackers will contact the victims and build trust with them. They will reach out via email or direct messaging, sometimes using legitimate CRM tools to send mass emails and manage campaigns. Using legitimate CRM\/services helps emails bypass spam filters and makes them harder to control. 
In this initial step, the emails usually do not contain any malicious attachments to reduce the victim&#8217;s suspicion and increase trust.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-3-1763604863.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23359\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-3-1763604863.jpg\" alt=\"\u1ea3nh 3 1763604863\" width=\"1080\" height=\"654\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-3-1763604863.jpg 1080w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-3-1763604863-700x424.jpg 700w\" sizes=\"(max-width: 1080px) 100vw, 1080px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">And of course, once they have gained the victim&#8217;s trust, the payload will be deployed in two ways.<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Malware delivery<\/strong>:\u00a0<strong>UNC6229<\/strong>\u00a0will send an attachment (usually a password-protected ZIP file) with an explanation like &#8220;skills test&#8221; or &#8220;mandatory application form.&#8221; If the victim extracts and runs it, they may install a remote access trojan (RAT), allowing the attacker to easily control the victim&#8217;s machine.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-4-1763604893.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23360\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-4-1763604893.jpg\" alt=\"\u1ea3nh 4 1763604893\" width=\"1080\" height=\"818\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-4-1763604893.jpg 1080w, 
https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-4-1763604893-700x530.jpg 700w\" sizes=\"(max-width: 1080px) 100vw, 1080px\" \/><\/a><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Phishing link:<\/strong>\u00a0In this method, the attacker will send links to fake recruitment websites or sites that look like interview scheduling or assessment pages. These pages are cleverly designed and can &#8220;capture&#8221; multi-factor authentication (MFA) codes from services like Okta, Microsoft, etc.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-5-1763604923.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23361\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-5-1763604923.jpg\" alt=\"\u1ea3nh 5 1763604923\" width=\"1080\" height=\"650\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-5-1763604923.jpg 1080w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/anh-5-1763604923-700x421.jpg 700w\" sizes=\"(max-width: 1080px) 100vw, 1080px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">And of course, if the victim is logged into a company computer or on a personal device with access to the company&#8217;s ad accounts, the attacker can exploit this to take control. 
Once they gain control of the ad or social media account, the attacker can:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Sell the account to other parties.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Use it to run scam ads, profiting from advertising or affiliate schemes.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Increase the risk for the attacked organization, leading to loss of reputation and financial damage.<\/span><\/li>\n<\/ul>\n<h2 id=\"heading-conclusion\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Conclusion<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">This campaign has shown that attacks through &#8220;fake recruitment&#8221; are becoming increasingly sophisticated, as they exploit the real needs of job seekers and rely on the victim&#8217;s trust (social engineering) rather than just technical skills.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>GTIG<\/strong>\u00a0predicts that the group\u00a0<strong>UNC6229<\/strong>\u00a0and similar actors will &#8220;continue to refine their approach, expand their target industries (not just digital advertising), and use multiple platforms like legitimate SaaS or CRM to deceive victims.&#8221;
This means that organizations and individuals need to be\u00a0<strong>constantly<\/strong>\u00a0vigilant, not only when encountering &#8220;strange&#8221; job offers but also by strengthening internal controls, delegating authority, and raising awareness.<\/span><\/p>\n<h2 id=\"heading-recommendations\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Recommendations<\/strong><\/span><\/h2>\n<ol>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Separate work and personal accounts<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Do not allow employees to use company accounts to log in on personal browsers or uncontrolled devices.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Require the use of company accounts through\u00a0<strong>SSO (Single Sign-On)<\/strong>\u00a0or\u00a0<strong>IAM<\/strong>\u00a0with MFA.<\/span><\/li>\n<\/ul>\n<\/li>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Limit access (Principle of Least Privilege)<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Only those who truly need to manage ads should have access to Ads and Meta accounts.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Implement\u00a0<strong>role-based access control (RBAC)<\/strong>\u00a0to separate roles like \u201cviewer,\u201d \u201ceditor,\u201d \u201cadmin.\u201d<\/span><\/li>\n<\/ul>\n<\/li>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Employee awareness and training<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Organize\u00a0<strong>quarterly \u201cSecurity Awareness\u201d sessions<\/strong>, emphasizing 
the topic of\u00a0<em>fake recruitment phishing<\/em>.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Provide real examples from the UNC6229 campaign to help employees recognize threats.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Require employees to\u00a0<strong>report any suspicious recruitment emails<\/strong>\u00a0to IT Security before opening files\/links.<\/span><\/li>\n<\/ul>\n<\/li>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Be cautious with attachments and links<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Do not download ZIP\/RAR\/PDF files from unknown sources.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Do not enter login information or MFA codes outside of official sites.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Use a secure browser (Chrome\/Edge sandbox) and\u00a0<strong>online virus scanning tools<\/strong>\u00a0before opening files.<\/span><\/li>\n<\/ul>\n<\/li>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>If you suspect a scam<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Immediately change passwords for all related accounts.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Check login history (security activity).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Update antivirus software and scan the entire system.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h2 id=\"heading-ioc\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>IOC<\/strong><\/span><\/h2>\n<ol>\n<li>\n<h3><span 
style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Domain<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">staffvirtual[.]website<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">paxcorporation[.]com<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">jobs-career[.]site<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">careers-promo[.]xyz<\/span><\/li>\n<\/ul>\n<\/li>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>File Hash<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">137a6e6f09cb38905ff5c4ffe4b8967a45313d93bf19e03f8abe8238d589fb42<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">33fc67b0daaffd81493818df4d58112def65138143cec9bd385ef164bb4ac8ab<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">35721350cf3810dd25e12b7ae2be3b11a4e079380bbbb8ca24689fb609929255<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">bc114aeaaa069e584da0a2b50c5ed6c36232a0058c9a4c2d7660e3c028359d81<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">e1ea0b557c3bda5c1332009628f37299766ac5886dda9aaf6bc902145c41fd10<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p id=\"heading-reference\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Reference<\/strong><\/span><\/p>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/vietnamese-actors-fake-job-posting-campaigns?linkId=17402645\" target=\"_blank\" rel=\"noopener nofollow\">Help Wanted: Vietnamese Actors 
Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials | Google Cloud Blog<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><a href=\"https:\/\/gbhackers.com\/fake-job-postings\/\" target=\"_blank\" rel=\"noopener nofollow\">Google Warns of Cybercriminals Using Fake Job Postings to Spread Malware and Steal Credentials\u00a0<\/a><\/span><br \/>\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Exclusive article by FPT IS Technology Experts<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><em>Luu Tuan Anh \u2013 FPT IS Cyber Security Center<\/em><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<\/ol>\n<\/div>\n<\/div>\n<\/div>\n<\/section>\n<\/div>\n","protected":false},"author":21,"featured_media":23362,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[789],"dich_vu":[712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-23356","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/23356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/23362"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=23356"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.co
m\/en\/wp-json\/wp\/v2\/nang_luc?post=23356"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=23356"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=23356"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=23356"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=23356"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=23356"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=23356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}