Threat Intelligence
Phishing Link: The actor sends a link, sometimes obfuscated with a URL shortener, directing the victim to a phishing page. This page is often presented as a portal to schedule an interview or complete an assessment.
The phishing pages are designed to be highly convincing, using the branding of major corporations. GTIG has analyzed multiple phishing kits associated with this threat activity and found that they are often configured to specifically target corporate email credentials and can handle various multi-factor authentication (MFA) schemes, including those from Okta and Microsoft.
Attribution
GTIG assesses with high confidence that this activity is conducted by a cluster of financially motivated individuals located in Vietnam. The shared TTPs and infrastructure across multiple incidents suggest a collaborative environment where actors likely exchange tools and successful techniques on private forums.
Outlook
The "fake career" social engineering tactic is a potent threat because it preys on fundamental human behaviors and the necessities of professional life. We expect UNC6229 and other actors to continue refining this approach, expanding their targeting to other industries where employees have access to valuable corporate assets. The abuse of legitimate SaaS and CRM platforms for malicious campaigns is a growing trend that challenges traditional detection methods.
Indicators of Compromise
The following indicators of compromise are available to registered users in a Google Threat Intelligence (GTI) collection.
Published: 2025-10-23T14:00:00
© Segmentation Fault . All rights reserved.