TRENDING TOPICS OCT 24, 2025

Vietnam-Based UNC6229 Targets Job Seekers with Fake Postings to Steal Corporate Advertising Credentials

Google’s Threat Intelligence Group (GTIG) has identified a financially motivated Vietnam-based threat cluster, tracked as UNC6229, that leverages fake job postings on legitimate employment platforms to target remote digital advertising and marketing professionals. The campaign exploits the trust inherent in recruitment interactions to deliver malware or direct victims to credential-harvesting phishing sites, ultimately compromising high-value corporate advertising accounts. Once these accounts are breached, attackers sell or misuse them to run fraudulent ad campaigns and generate revenue. GTIG reports that the group primarily targets contract or part-time digital marketing workers who are often logged into corporate platforms on personal devices, increasing the risk of cross-account compromise. The actor’s abuse of trusted SaaS and CRM platforms, including Salesforce and Google AppSheet, allows their communications to bypass security filters and appear legitimate, underscoring the campaign’s operational sophistication. The attack chain begins when a target applies for a fake position posted by UNC6229, establishing initial trust through personalized follow-up messages before delivering malicious ZIP files or phishing links disguised as hiring materials. These payloads deploy remote access trojans (RATs) or steal corporate credentials, granting full control over victims’ devices and advertising accounts. GTIG has confirmed that compromised data and accounts are monetized through underground markets or reused in subsequent campaigns. In response, Google has added associated malicious infrastructure to its Safe Browsing blocklist and is collaborating with impacted CRM providers to mitigate ongoing abuse. Organizations are urged to strengthen employee awareness training, enforce multi-factor authentication, and closely monitor account activity within ad and social media platforms to defend against this evolving recruitment-based threat.

North Korean Operation Dream Job Targets European Defense Engineers to Steal Drone Technology

North Korea–linked threat actors have launched a new wave of Operation Dream Job attacks targeting European defense contractors, specifically those involved in unmanned aerial vehicle (UAV) development. According to ESET researchers, the campaign uses fake job offers to compromise engineers and exfiltrate proprietary drone-related designs and manufacturing data. Victims are lured with enticing employment opportunities and sent malicious job descriptions that deploy malware such as MISTPEN once opened. These payloads enable remote access, data theft, and further network compromise. ESET identified multiple affected entities, including metal engineering firms and aircraft component manufacturers across Central and Southeastern Europe, suggesting the operation aligns with North Korea’s efforts to expand its domestic drone program. The Lazarus Group, tracked by multiple cybersecurity firms under aliases including Diamond Sleet, Hidden Cobra, and UNC2970, continues to refine its long-running Dream Job social engineering tactics. The group’s current campaigns employ binary sideloading to deliver ScoringMathTea, a remote access trojan capable of executing roughly 40 commands for surveillance, data exfiltration, and persistence. Supporting tools, including BinMergeLoader and MISTPEN, use the Microsoft Graph API to retrieve additional payloads and maintain stealthy communication with command servers. Despite minor variations in delivery techniques, Lazarus maintains a consistent operational framework—leveraging open-source tools, trojanized applications, and deceptive correspondence to target individuals with high-value access. Security researchers warn that these campaigns demonstrate a sustained interest in aerospace and defense technologies critical to North Korea’s strategic weapons programs, urging organizations to strengthen phishing defenses and implement behavioral monitoring for DLL sideloading and Graph API abuse.

YouTube Ghost Network Expands Malware Distribution Through 3,000 Infected Videos

Check Point Research has identified a large-scale malware campaign known as the YouTube Ghost Network, responsible for spreading infostealer malware through over 3,000 compromised YouTube videos. Active since 2021 and tripling in scope throughout 2025, this operation abuses YouTube’s trusted ecosystem to bypass email-based security filters and reach millions of potential victims. The campaign is structured into three coordinated account roles: video-accounts that upload malicious tutorials, post-accounts that share download links and passwords, and interact-accounts that post fake comments to boost credibility. The operation primarily targets users seeking cracked software or game cheats, leveraging high view counts and user engagement to legitimize malicious content. Payloads are distributed through password-protected archives hosted on Google Sites, Dropbox, and MediaFire, ensuring campaign continuity even if individual accounts are suspended. The network’s malware arsenal has evolved alongside industry disruptions, shifting from Lumma Stealer to Rhadamanthys after Lumma’s takedown earlier this year. The campaign uses advanced evasion methods—frequent payload rotation, dynamic C2 updates every few days, and staged deployments through HijackLoader—to bypass detection. One campaign disguised Rhadamanthys as cracked Adobe software, specifically targeting content creators, while another leveraged crypto-related themes to compromise developer channels. Each infection chain delivers functional cracked software along with concealed infostealers that exfiltrate credentials, financial data, and crypto assets. The YouTube Ghost Network demonstrates how cybercriminals are weaponizing mainstream platforms for large-scale social engineering, marking a significant shift toward self-sustaining, platform-based malware ecosystems that blend legitimacy and deception to outmaneuver traditional defenses.

Top CVEs of the Week

As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.

CVE Security Vulnerability Dashboard
CVE-2025-6950 | Severity: Critical | Product: Moxa Network Appliances | Tags: hard-coded secret key, token forgery
Moxa network appliances use a hard-coded secret key to sign JSON Web Tokens (JWT), allowing attackers to forge valid authentication tokens and gain full administrative control over affected devices without any valid credentials.
Mitigation: Update firmware immediately, rotate all JWT keys and secrets, and restrict management interface access to trusted networks only. Audit for unauthorized administrative access.

CVE-2025-10230 | Severity: Critical | Product: Samba File Server | Tags: command injection, unauthenticated
A flaw in Samba's WINS hook parameter allows unauthenticated attackers to inject arbitrary commands via crafted NetBIOS names, enabling remote code execution on vulnerable Samba servers without any authentication requirements.
Mitigation: Disable WINS functionality if not required or upgrade to a patched Samba version immediately. Monitor for suspicious NetBIOS activity and restrict network access to Samba services.

CVE-2025-54253 | Severity: Critical | Product: Adobe Experience Manager | Tags: configuration bypass
Adobe Experience Manager versions before 6.5.24 allow remote code execution through insecure configurations that bypass built-in security controls, enabling attackers to execute arbitrary code on vulnerable systems.
Mitigation: Update to Adobe Experience Manager version 6.5.24 or later immediately. Restrict administrative access to trusted users only and review all custom configurations for security weaknesses.

Dashboard totals: 3 CVEs; 3 rated Critical; 2 exploitable without authentication; 3 leading to administrative compromise.
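To make the CVE-2025-6950 entry concrete: the following is an added example written for this digest, not Moxa firmware and not the advisory's proof of concept. It builds a minimal HS256 JWT signer and verifier from the Python standard library, then contrasts two constructed appliance designs: one whose signing secret is compiled into every unit (the `FIRMWARE_SECRET` placeholder), and one whose key is generated per device and can be rotated. The appliance classes, claim names and token lifetimes are assumptions made for the example.

```python
"""Why one hard-coded JWT signing secret is a full authentication bypass, and
what a per-device, rotatable key changes. Added example in the spirit of
CVE-2025-6950: not Moxa's firmware and not the advisory's proof of concept.
The appliance classes, claims and the FIRMWARE_SECRET value are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the HS256 signature matches `key` and the token is
    unexpired; otherwise None. The algorithm is pinned so a header the client
    controls cannot switch verification to "none" or another scheme."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("exp", 0) < (time.time() if now is None else now):
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


class Appliance:
    """Issues and checks admin-session tokens; subclasses differ only in key origin."""
    key: bytes

    def issue(self, user: str, role: str, now: int, ttl: int = 3600) -> str:
        return sign_jwt({"sub": user, "role": role, "iat": now, "exp": now + ttl}, self.key)

    def check(self, token: str, now: int) -> Optional[dict]:
        return verify_jwt(token, self.key, now)


# Vulnerable pattern: the same secret is compiled into every unit's firmware image.
FIRMWARE_SECRET = b"constructed-placeholder-secret-baked-into-firmware"


class ApplianceHardcodedKey(Appliance):
    def __init__(self) -> None:
        self.key = FIRMWARE_SECRET


# Fixed pattern: a key generated on the device at provisioning, kept in protected
# storage, and replaceable without a firmware change.
class AppliancePerDeviceKey(Appliance):
    def __init__(self) -> None:
        self.rotate_key()

    def rotate_key(self) -> None:
        self.key = secrets.token_bytes(32)


def demo(now: int = 1_700_000_000) -> dict:
    """Run both designs on constructed inputs and return the outcomes."""
    out = {}
    vuln_a, vuln_b = ApplianceHardcodedKey(), ApplianceHardcodedKey()
    token = vuln_a.issue("admin", "admin", now)
    # A token signed with the shared secret is valid on every unit ever shipped,
    # so one secret recovered from one firmware image is an admin credential for all.
    out["hardcoded_cross_unit_accepted"] = vuln_b.check(token, now) is not None  # True

    fixed_a, fixed_b = AppliancePerDeviceKey(), AppliancePerDeviceKey()
    token = fixed_a.issue("admin", "admin", now)
    out["perdevice_same_unit_accepted"] = fixed_a.check(token, now) is not None  # True
    out["perdevice_cross_unit_accepted"] = fixed_b.check(token, now) is not None  # False
    fixed_a.rotate_key()  # the advisory's "rotate all JWT keys" step, in miniature
    out["perdevice_after_rotation_accepted"] = fixed_a.check(token, now) is not None  # False

    # Algorithm pinning: a client-supplied header cannot downgrade verification.
    none_hdr = _b64url(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url(json.dumps({"sub": "admin", "role": "admin", "exp": now + 3600}).encode())
    out["alg_none_accepted"] = fixed_a.check(f"{none_hdr}.{payload}.", now) is not None  # False
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The rotation step is the part worth noting for the mitigation: with a per-device key, rotating it invalidates every outstanding token on that unit, which is exactly what the "rotate all JWT keys and secrets" guidance buys you; with a secret fixed in the firmware image there is nothing to rotate until a new image ships.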
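For the CVE-2025-10230 entry, the following added example shows the general defect class and its fix; it is a constructed stand-in for a NetBIOS-name registration hook such as Samba's `wins hook` setting, not Samba's code, and the argument layout (operation, name, TTL, address), the hook path and the name allow-list are assumptions made for the example. The weak pattern interpolates an externally supplied name into a command line that a shell parses; the hardened pattern validates the name against an allow-list and hands the hook an argument vector with no shell in between.

```python
"""Command injection through an externally supplied name reaching a hook, and
the hardened pattern. Added example in the spirit of CVE-2025-10230: a
constructed stand-in for a NetBIOS-name registration hook such as Samba's
'wins hook' setting, not Samba's code. The argument layout (operation, name,
ttl, address) and the name allow-list are assumptions for this example."""
import json
import re
import shlex
import subprocess
import sys

# Conservative allow-list (assumption): 1-15 characters from a safe set. Real
# NetBIOS names permit more punctuation; widen only with characters you have
# confirmed are harmless to every consumer of the value.
NETBIOS_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,15}$")
HOOK_OPERATIONS = {"add", "delete", "refresh"}


def unsafe_command_line(hook: str, op: str, name: str, ttl: int, ip: str) -> str:
    """Weak pattern: the untrusted name is interpolated into a string that a
    shell will later parse, so the name's metacharacters become shell syntax."""
    return f"{hook} {op} {name} {ttl} {ip}"


def shell_tokens(cmdline: str) -> list:
    """Tokenize like a POSIX shell, with ; | & ( ) < > treated as operators.
    Used here only to show what the shell would see; nothing is executed."""
    return list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))


def validate_netbios_name(name: str) -> str:
    """Allow-list check: reject anything outside the expected name alphabet."""
    if not NETBIOS_NAME_RE.fullmatch(name):
        raise ValueError(f"rejected NetBIOS name {name!r}")
    return name


def safe_hook_argv(hook: str, op: str, name: str, ttl: int, ip: str) -> list:
    """Hardened pattern: validate every field, then build an argument vector.
    No shell parses it, so the name reaches the hook as one literal argument."""
    if op not in HOOK_OPERATIONS:
        raise ValueError(f"unknown operation {op!r}")
    return [hook, op, validate_netbios_name(name), str(int(ttl)), ip]


def run_hook(argv: list) -> list:
    """Execute argv without a shell and return the argv the child received.
    A Python one-liner stands in for the hook binary so this runs anywhere;
    argv[0] is passed through as an ordinary argument for inspection."""
    child = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", *argv]
    completed = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(completed.stdout)


if __name__ == "__main__":
    hook = "/usr/local/bin/wins-hook"  # constructed path
    hostile = "BAD;echo injected"      # constructed name carrying a shell separator
    print("shell would see:", shell_tokens(unsafe_command_line(hook, "add", hostile, 60, "10.0.0.5")))
    print("argv hook saw  :", run_hook([hook, "add", hostile, "60", "10.0.0.5"]))
    try:
        safe_hook_argv(hook, "add", hostile, 60, "10.0.0.5")
    except ValueError as exc:
        print("validation     :", exc)
```

The two layers are deliberately independent: `run_hook` alone already keeps a hostile name in a single `argv` element, and `validate_netbios_name` alone already stops it before any process is spawned. Keeping both means a future change that reintroduces a shell (a wrapper script, `shell=True` for convenience) does not silently reopen the hole.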
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.