A Vietnamese threat actor's shift from PXA Stealer to PureRAT
A Vietnamese threat actor has evolved from using the PXA Stealer malware to deploying PureRAT, a commercial remote access trojan (RAT). The attack chain is multi-staged, starting with phishing emails that deliver Python-based infostealers and .NET loaders. The campaign employs advanced techniques such as DLL sideloading, obfuscation, and defense evasion to avoid detection. PureRAT, the final payload, grants attackers extensive control over compromised systems, enabling data theft, persistence, and lateral movement. This shift to commodity malware lowers the technical barrier for sophisticated attacks and indicates a maturing threat operation. European organizations face risks from data exfiltration, espionage, and potential disruption. Mitigation requires multi-layered defenses including phishing resistance, endpoint detection, and monitoring for DLL sideloading. Countries with significant use of Windows environments and high-value targets in finance, government, and critical infrastructure are most at risk. The threat is assessed as medium severity due to its complexity, potential impact, and reliance on user interaction via phishing.
AI Analysis
Technical Summary
This threat involves a Vietnamese cybercriminal group previously known for deploying PXA Stealer, now transitioning to using PureRAT, a commercially available remote access trojan. The attack chain is sophisticated and multi-phased: it begins with phishing emails (MITRE ATT&CK T1566.001) that deliver Python-based infostealers and .NET loaders. The loaders utilize DLL sideloading (T1574.001) to evade detection by loading malicious DLLs under the guise of legitimate software components. Obfuscation techniques (T1027) and defense evasion methods such as disabling security tools (T1562.001, T1562.006) and process injection (T1055.012) are employed to maintain stealth. The final payload, PureRAT, provides the attacker with extensive remote control capabilities, including credential theft, keylogging, file manipulation, and command execution. The use of commodity malware like PureRAT indicates a lowering of technical barriers, allowing the threat actor to scale operations and potentially increase attack frequency. Indicators include IP 157.66.26.209 and multiple file hashes linked to the malware components. The campaign demonstrates a maturation in tactics, techniques, and procedures (TTPs), emphasizing the need for layered defenses and continuous monitoring. No known exploits in the wild are reported, but the threat actor’s evolving sophistication poses a credible risk to targeted organizations.
Potential Impact
For European organizations, the deployment of PureRAT via phishing and multi-stage infection chains can lead to significant confidentiality breaches through data theft and espionage. The RAT’s extensive control capabilities enable attackers to manipulate system integrity and potentially disrupt availability through lateral movement or destruction of data. Sectors such as finance, government, healthcare, and critical infrastructure are particularly vulnerable due to the value of their data and the potential for operational disruption. The use of DLL sideloading and obfuscation complicates detection, increasing dwell time and the risk of prolonged compromise. The shift to commodity malware lowers the skill threshold, potentially increasing the volume and diversity of attacks targeting European entities. This could result in financial losses, reputational damage, regulatory penalties under GDPR, and national security concerns. The medium severity reflects the balance between the complexity of the attack chain and the requirement for user interaction (phishing) to initiate the infection.
Mitigation Recommendations
1. Implement advanced phishing defenses including user training, email filtering, and sandboxing to detect and block malicious attachments and links.
2. Deploy endpoint detection and response (EDR) solutions capable of identifying DLL sideloading and process injection behaviors.
3. Monitor for unusual network traffic patterns, especially connections to known malicious IPs such as 157.66.26.209.
4. Enforce application whitelisting and restrict execution of unauthorized scripts and binaries, particularly Python and .NET loaders.
5. Regularly update and patch all software to reduce attack surface, even though no specific CVEs are noted, to mitigate exploitation of potential vulnerabilities.
6. Utilize threat intelligence feeds to update detection rules with the provided file hashes and indicators of compromise.
7. Implement multi-factor authentication to limit attacker lateral movement post-compromise.
8. Conduct regular incident response exercises to prepare for detection and containment of RAT infections.
9. Employ network segmentation to limit the spread of malware within organizational networks.
10. Review and harden security controls around DLL loading paths to prevent sideloading attacks.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- ip: 157.66.26.209
- hash: 06fc70aa08756a752546198ceb9770068a2776c5b898e5ff24af9ed4a823fd9d
- hash: f5e9e24886ec4c60f45690a0e34bae71d8a38d1c35eb04d02148cdb650dd2601
- hash: f6ed084aaa8ecf1b1e20dfa859e8f34c4c18b7ad7ac14dc189bc1fc4be1bd709
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.huntress.com/blog/purerat-threat-actor-evolution
- Adversary: PXA Stealer group
- Pulse Id: 68e8c2e51d4e583ce113cce3
- Threat Score: null
Threat ID: 68e8c5819fd71783de4a68f5
Added to database: 10/10/2025, 8:36:17 AM
Last enriched: 10/10/2025, 8:51:02 AM
Last updated: 10/10/2025, 12:23:49 PM