A Vietnamese cybercrime group is using artificial intelligence to write the malicious scripts in an ongoing phishing campaign that delivers the PureRAT malware. The operation pairs AI-generated attack code with fake job offers as the lure and targets organizations worldwide. First identified in December 2025, the campaign marks a notable step in threat actor tradecraft: conventional social engineering combined with machine-produced tooling.
The attacks begin with phishing emails crafted to look like legitimate employment offers from well-known companies. The messages carry ZIP archives with job-themed filenames such as “New_Remote_Marketing_Opportunity_OPPO_Find_X9_Series.zip” or “Salary and Benefits Package.zip.” Once a recipient extracts the archive and launches the file inside it, an infection chain runs that ultimately deploys PureRAT or other payloads, including hidden virtual network computing (HVNC) tools.
How Threat Actors Use AI to Deploy PureRAT
The campaign targets a wide array of organizations across various industries. This broad scope suggests that the attackers may be primarily involved in selling access to compromised networks rather than engaging in highly specific espionage activities. Researchers from Symantec have uncovered compelling evidence indicating that the malicious scripts were generated using artificial intelligence.
Analysis of the attack tools turned up several indicators of AI authorship. The batch files and Python code carry detailed comments written in Vietnamese that explain each step, often as numbered instructions and sometimes with emoji, traits commonly seen in AI-generated code. None of these traits is conclusive on its own, but manually written malware scripts are rarely documented this thoroughly, which makes the combination notable.
The malicious archives commonly rely on DLL sideloading: a legitimate, signed executable such as “adobereader.exe” or “Salary_And_Responsibility_Table.exe” is shipped alongside a malicious DLL named oledlg.dll, msimg32.dll, version.dll, or profapi.dll. Each of these DLLs normally lives in System32, but because Windows searches the application's own directory first for DLLs that are not on the KnownDLLs list, the trusted executable loads the attacker's copy instead. These DLLs act as loaders for the final payload, establishing persistence while keeping the activity under a trusted process name.
How PureRAT Establishes Persistence
Once executed, a malicious batch script creates a hidden directory under %LOCALAPPDATA%\Google Chrome to keep its files out of sight. The files that appear to be documents, such as “document.pdf” and “document.docx,” are in fact password-protected archives: the script renames them to an archive extension, unpacks them with an embedded compression tool using a password in email-address form (shown on this page as “[email protected]”), and then runs a Python-based payload from the extracted contents.
This payload fetches Base64-encoded malicious code from command-and-control (C2) servers operated by the threat actors. For long-term access, the malware adds a Windows Registry Run key value named “ChromeUpdate,” so the payload is launched again each time the user logs on (Run key entries execute at logon, not at boot).
With persistence in place, the script opens a legitimate PDF document from the hidden directory. The victim sees the document they expected, suspicion drops, and the malware goes on to exfiltrate data or hand remote access to the operators unnoticed.
Multiple indicators point to the Vietnamese origin of the threat actors beyond the language used in the code comments. Passwords incorporating “@dev.vn” domains and GitLab accounts associated with Vietnamese usernames further reinforce this attribution. Symantec Endpoint products are actively detecting and blocking the identified malicious files, offering protection against this evolving threat campaign.
The growing use of AI in cybercrime, illustrated by this PureRAT campaign, raises the bar for defenders. Organizations should keep email filtering tight (archives carrying executables are the delivery vehicle here), train users to treat unsolicited job offers with attachments as suspect, keep endpoint protection current, and watch for the persistence and sideloading behaviours described above. As these tactics keep evolving, future campaigns are likely to be more convincing still, which calls for adaptive rather than static defenses.

