All news with #pxa stealer tag

Phishing-to-PureRAT: Vietnamese Actor Upgrades Stealer

🛡️ Huntress researchers uncovered a multi-stage phishing operation that began with a Python-based infostealer and culminated in the deployment of PureRAT. The campaign used a ZIP lure containing a signed PDF reader and a malicious version.dll to achieve DLL sideloading, then progressed through ten staged loaders that shifted from obfuscated Python to compiled .NET binaries. Attackers used process hollowing against RegAsm.exe, patched Windows defenses (AMSI and ETW), and ultimately unpacked PureRAT, which communicates over encrypted C2 channels and can load additional modules. Metadata linking the activity to the handle @LoneNone and to the PXA Stealer family, plus a C2 server traced to Vietnam, supports attribution to Vietnamese threat actors.

PXA Stealer Upgrades to Multi-Layer Chain Deploying PureRAT

🔒 A Vietnamese threat group has evolved its custom PXA Stealer campaign into a multi-layered delivery chain that ultimately deploys PureRAT, a feature-rich remote access trojan. Huntress analysts describe a ten-stage sequence beginning with a phishing copyright lure and proceeding through obfuscated Python loaders, layered encoding (Base84, AES, RC4, XOR), and .NET reflective loading. The chain includes AMSI and ETW patching, TLS certificate pinning, registry persistence, and hallowing techniques to evade detection. Huntress linked the activity to the Telegram handle @LoneNone and Vietnamese C2 infrastructure and remediated an intrusion before full module deployment.