A Vietnamese cybercrime group is using artificial intelligence to write malicious code in an ongoing phishing campaign that distributes the PureRAT malware through fake job opportunities.
The campaign, first detected in December 2025, represents a concerning evolution in threat actor capabilities, combining social engineering tactics with machine-generated attack tools to compromise organizations worldwide.
The attacks begin with phishing emails disguised as legitimate employment offers from well-known companies. These messages contain ZIP archives named after job-related topics, such as “New_Remote_Marketing_Opportunity_OPPO_Find_X9_Series.zip” or “Salary and Benefits Package.zip.”
When recipients open these archives, they trigger an infection chain that ultimately installs PureRAT or other malicious payloads such as hidden virtual network computing (HVNC) tools.
The campaign targets a variety of organizations across multiple industries, suggesting the attackers may be selling access to compromised networks rather than conducting targeted espionage.
After analyzing the attack tools, Symantec researchers identified several indicators that the malicious scripts were created using artificial intelligence.
The batch files and Python code contained detailed Vietnamese-language comments explaining each step, numbered instructions, and even emoji symbols in code remarks, all traits commonly associated with AI-generated programming.
This level of documentation is rarely seen in manually written malware scripts, making the AI authorship particularly evident.
The malicious archives typically contain legitimate executables repurposed for DLL sideloading attacks. Files such as “adobereader.exe” or “Salary_And_Responsibility_Table.exe” are used to load malicious DLLs including oledlg.dll, msimg32.dll, version.dll, and profapi.dll.
These DLLs act as loaders for the final payload, establishing persistence and maintaining stealth throughout the infection process.
How PureRAT Establishes Persistence
Once executed, the malicious batch script creates a hidden directory under the Windows %LOCALAPPDATA%\Google Chrome folder to conceal its presence from users.
The script then renames benign-looking files like “doc.pdf” and “doc.docx” into archive formats, extracts the contents using embedded compression tools with the password “[email protected],” and executes a Python-based payload.
This payload fetches Base64-encoded malicious code from remote command-and-control servers operated by the attackers.
To maintain long-term access, the malware adds itself to the Windows Registry Run key under the name “ChromeUpdate,” ensuring it executes automatically every time the system starts.
After establishing persistence, the script opens a legitimate PDF document from the hidden directory to deceive victims into believing they simply opened a normal file.
This technique reduces suspicion and allows the malware to operate undetected while stealing data or providing remote access to the compromised system.
The Vietnamese origin of the threat actor is evident through several indicators beyond the language used in code comments. Passwords containing “@dev.vn” domains and GitLab accounts with Vietnamese usernames reinforce the attribution.
Symantec Endpoint products now detect and block the identified malicious files, providing protection against this evolving threat campaign.
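As an added defender-side example (not code from the article or from Symantec), the following Python script hunts for the two host artifacts described above: a Run-key value named "ChromeUpdate" that launches a script interpreter from a user-writable path such as %LOCALAPPDATA%\Google Chrome, and a directory outside the Windows system folders where an executable sits beside one of the DLL names reported as sideloaded. The Run-key entries, file listing and environment are constructed sample data embedded in the script; the interpreter list and the user-writable path fragments are assumptions of this example, not indicators from the report.

```python
import ntpath
import re
from collections import defaultdict

# DLL names the article reports being sideloaded beside a repurposed legitimate executable.
SIDELOAD_DLLS = {"oledlg.dll", "msimg32.dll", "version.dll", "profapi.dll"}

# Path fragments marking user-writable locations (assumption: a real Chrome updater
# does not launch a script interpreter from these directories).
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")

# Script interpreters a loader batch/Python stage would call (assumed list for this example).
INTERPRETERS = re.compile(r"\b(python|pythonw|cmd|wscript|cscript|powershell|mshta)(\.exe)?\b")

# Directories where the listed DLLs legitimately live; copies elsewhere are suspect.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\windows\\winsxs\\")


def expand_env(command: str, env: dict) -> str:
    """Expand %VAR% references using the supplied mapping (no os.environ access)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), command)


def check_run_entry(name: str, command: str, env: dict) -> list:
    """Return the reasons a single Run-key value (name -> command line) looks suspicious."""
    reasons = []
    cmd = expand_env(command, env).lower()
    if name.lower() == "chromeupdate":
        reasons.append("value name matches the persistence name reported for this campaign")
    if any(frag in cmd for frag in USER_WRITABLE):
        reasons.append("launches from a user-writable directory")
    if INTERPRETERS.search(cmd):
        reasons.append("invokes a script interpreter")
    return reasons


def find_sideload_candidates(file_paths) -> dict:
    """Group a file listing by directory and return {directory: [dll names]} for every
    directory outside the Windows system folders that holds an .exe beside one of the
    DLL names from the article."""
    by_dir = defaultdict(set)
    for path in file_paths:
        directory, filename = ntpath.split(path)
        by_dir[directory.lower()].add(filename.lower())
    hits = {}
    for directory, names in by_dir.items():
        if any(sysdir in directory + "\\" for sysdir in SYSTEM_DIRS):
            continue
        has_exe = any(n.endswith(".exe") for n in names)
        dlls = sorted(names & SIDELOAD_DLLS)
        if has_exe and dlls:
            hits[directory] = dlls
    return hits


# Constructed sample data: one entry mirroring the article's persistence technique and
# one benign entry, plus a file listing with a staged sideload directory and clean dirs.
SAMPLE_ENV = {"LOCALAPPDATA": r"C:\Users\alice\AppData\Local"}
SAMPLE_RUN_ENTRIES = [
    ("ChromeUpdate", r'cmd.exe /c "%LOCALAPPDATA%\Google Chrome\update.bat"'),
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Google Chrome\adobereader.exe",
    r"C:\Users\alice\AppData\Local\Google Chrome\oledlg.dll",
    r"C:\Users\alice\AppData\Local\Google Chrome\version.dll",
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Program Files\Example\app.exe",
]


def hunt(run_entries=SAMPLE_RUN_ENTRIES, file_paths=SAMPLE_FILES, env=SAMPLE_ENV) -> dict:
    """Run both checks and return only the entries and directories that raised findings."""
    run_hits = {}
    for name, command in run_entries:
        reasons = check_run_entry(name, command, env)
        if reasons:
            run_hits[name] = reasons
    return {"run_keys": run_hits, "sideload_dirs": find_sideload_candidates(file_paths)}


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(), indent=2))
```

On a live host the two inputs would come from a registry export of HKCU and HKLM `...\CurrentVersion\Run` and a file listing of user-writable directories; the checks are deliberately independent so a Run entry pointing at a directory that also contains a staged executable and DLL pair can be correlated by path in a second pass.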
