This report details a sophisticated cyberattack chain involving Python loaders, credential theft, and a transition to the PureRAT remote access tool, suggesting a highly organized threat actor. The attack leverages layered obfuscation, process hollowing, and in-memory payloads, emphasizing the need for defense-in-depth strategies. #PureRAT #PXAstealer
Key points
- The attack begins with a phishing email carrying a ZIP archive whose contents abuse DLL sideloading to gain execution.
- The initial payload is a Python script loader that operates entirely in memory to evade detection.
- The campaign involves a transition from interpreted Python scripts to compiled .NET executables using process hollowing.
- The final payload, PureRAT, is a modular backdoor enabling extensive surveillance and data theft over encrypted C2 channels.
- The threat actor often uses Telegram for exfiltration and command communication, linking to specific handles and infrastructure in Vietnam.
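The chain summarised above (archive-dropped binary sideloading a DLL, an in-memory Python loader, a suspended child process that is then hollowed, and Telegram-based C2) leaves a recognisable footprint in endpoint telemetry. The following is an added illustration of defender-side triage logic, not code from the report or from any tool it names: it scans JSON-lines process, image-load and network events and flags each stage with a simple heuristic. The telemetry records, the field names (`event`, `image`, `module`, `parent_image`, `suspended`, `dest_host`) and the allow/deny lists are all constructed for this example; a real deployment would map them onto its own EDR or Sysmon schema.

```python
"""Heuristic triage of endpoint telemetry for a sideload -> Python loader ->
process hollowing -> Telegram C2 chain.  Illustrative only; all records and
field names below are constructed for this example."""
import json

# Constructed reference lists (assumptions for the example).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_INTERPRETERS = {"python.exe", "pythonw.exe"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def dirname(path):
    return path.lower().rsplit("\\", 1)[0] + "\\"


def in_user_writable(path):
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS) and not p.startswith(SYSTEM_DIRS)


def triage(event_lines):
    """Return a list of (pid, reason) findings for JSON-lines telemetry."""
    findings = []
    for line in event_lines:
        ev = json.loads(line)
        kind, image, pid = ev["event"], ev["image"], ev["pid"]
        if kind == "image_load":
            dll = ev["module"]
            # Sideloading heuristic: a DLL carrying a system DLL's name is loaded
            # from the same user-writable directory as the executable itself.
            if (basename(dll) in SYSTEM_DLL_NAMES
                    and dirname(dll) == dirname(image)
                    and in_user_writable(dll)):
                findings.append((pid, f"possible DLL sideloading: {basename(image)} "
                                      f"loaded {basename(dll)} from {dirname(dll)}"))
        elif kind == "process_create":
            parent = ev.get("parent_image", "")
            # In-memory loader heuristic: interpreter in a user-writable path
            # started with inline code (-c) rather than a script file on disk.
            if (basename(image) in SCRIPT_INTERPRETERS and in_user_writable(image)
                    and " -c " in ev.get("cmdline", "")):
                findings.append((pid, "script interpreter from user-writable path "
                                      "running inline code"))
            # Hollowing precursor: a script interpreter creates a child suspended.
            if basename(parent) in SCRIPT_INTERPRETERS and ev.get("suspended"):
                findings.append((pid, f"suspended child of {basename(parent)} "
                                      "(process hollowing precursor)"))
        elif kind == "network_connect":
            # C2/exfil heuristic: non-browser process talking to the Telegram API.
            if ev["dest_host"].endswith("telegram.org") and basename(image) not in BROWSERS:
                findings.append((pid, f"{basename(image)} connected to {ev['dest_host']}"))
    return findings


# Constructed sample telemetry mirroring the stages described in the report.
# Paths, PIDs and the placeholder 'host.exe' are invented for the example.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4100, "image": r"C:\Users\alice\Downloads\Invoice\viewer.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "viewer.exe", "suspended": False},
    {"event": "image_load", "pid": 4100, "image": r"C:\Users\alice\Downloads\Invoice\viewer.exe",
     "module": r"C:\Users\alice\Downloads\Invoice\version.dll"},
    {"event": "process_create", "pid": 4212, "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "parent_image": r"C:\Users\alice\Downloads\Invoice\viewer.exe",
     "cmdline": 'python.exe -c "<in-memory loader>"', "suspended": False},
    {"event": "process_create", "pid": 4300, "image": r"C:\Users\alice\AppData\Local\Temp\py\host.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "cmdline": "host.exe", "suspended": True},
    {"event": "network_connect", "pid": 4300, "image": r"C:\Users\alice\AppData\Local\Temp\py\host.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign controls: a browser reaching Telegram, and version.dll from System32.
    {"event": "network_connect", "pid": 5000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"event": "image_load", "pid": 5000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "module": r"C:\Windows\System32\version.dll"},
]
SAMPLE_TELEMETRY = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_TELEMETRY):
        print(f"pid {pid}: {reason}")
```

Run stand-alone, the script reports four findings (the sideloaded DLL, the inline-code interpreter, the suspended child, and the non-browser Telegram connection) and stays silent on the two benign control events. Correlating the findings by PID and parent chain, rather than alerting on any single one, is what keeps a rule like this usable: a suspended child or a Telegram connection on its own is common, the whole sequence from one download directory is not.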