Google Exposes UNC6229 “Fake Career” Campaign Hacking Advertising Accounts with Fake Job Lures
Do Son 
Google’s Threat Intelligence Group (GTIG) has exposed an ongoing social engineering campaign operated by a financially motivated threat cluster known as UNC6229, based in Vietnam. The group uses fake job postings on legitimate career platforms to trick digital marketing and advertising professionals into installing malware or revealing corporate credentials — ultimately compromising high-value advertising accounts for profit.
According to GTIG, “this campaign exploits the trust inherent in the job application process by posting fake career opportunities on popular employment platforms, as well as freelance marketplaces and their own job posting websites.”
The attackers specifically target remote digital advertising workers — often freelancers or contractors — who are more likely to manage multiple client accounts and use personal devices for business purposes.
GTIG explains that “if the target falls victim while logged into a work computer with a personal account, or while using a personal device with access to company ads accounts, threat actors can gain access to those company accounts.” Once inside, the attackers either hijack the company’s digital advertising accounts or sell access to other cybercriminals, monetizing the stolen credentials on underground markets.
The operation — internally dubbed “Fake Career” — begins with highly polished job listings posted on legitimate platforms such as LinkedIn and Indeed. These listings impersonate digital marketing agencies, complete with fabricated websites and social media profiles designed to appear credible.
“The effectiveness of this campaign hinges on a classic social engineering tactic where the victim initiates the first contact,” GTIG notes. “UNC6229 creates fake company profiles, often masquerading as digital media agencies, on legitimate job platforms. They post attractive, often remote, job openings that appeal to their target demographic.”
Once a candidate applies, attackers use the provided contact information to reach out — often via email or chat platforms — under the guise of recruiters. These initial messages are deliberately benign, meant to build trust before delivering the real payload.
In a move that makes detection significantly harder, UNC6229 has been observed abusing legitimate commercial SaaS platforms to manage communications and distribute payloads.
“GTIG has observed UNC6229 and other threat actors abusing a wide range of legitimate business and customer relationship management (CRM) platforms to send these initial emails and manage their campaigns,” the report states.
The group has even leveraged Salesforce and Google AppSheet for campaign coordination — exploiting their reputation to bypass email security filters. In response, GTIG said it “shared insights about these campaigns with CRMs UNC6229 has abused, including Salesforce, to better secure the ecosystem.”
Once trust is established, the attackers escalate to the payload delivery phase, sending either malware-laced attachments or phishing links disguised as part of the hiring process.
- Malware Delivery: Victims receive a ZIP archive — often labeled as a “skills test” or “job application form.” Inside is a Remote Access Trojan (RAT) that, once executed, grants full control of the victim’s device.
- Phishing Page: In other cases, candidates are directed to convincing interview scheduling portals that mimic the branding of companies like Microsoft or Google. These fake pages harvest login credentials and can even bypass multi-factor authentication (MFA) systems such as Okta.
GTIG assesses “with high confidence that this activity is conducted by a cluster of financially motivated individuals located in Vietnam.”
Related Posts:
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
