A recent investigation has revealed a phishing campaign that began with a simple Python-based infostealer but ultimately led to the deployment of PureRAT, a full-featured commodity remote access trojan (RAT).
The research, published by Huntress, highlights how the attackers evolved from using custom scripts to leveraging a sophisticated, commercially available tool.
Chain of Attack
The operation started with phishing emails containing a ZIP archive disguised as a copyright notice. Inside was a signed PDF reader executable and a malicious version.dll, enabling the attackers to use DLL sideloading. This launched a chain of 10 stages, gradually escalating in complexity with layers of loaders, encryption and persistence mechanisms.
What set this campaign apart was the transition in stage 3 from Python scripts to compiled .NET executables.
The attackers used process hollowing against RegAsm.exe, patched Windows defenses such as AMSI and ETW and unpacked further payloads until the final DLL was revealed as PureRAT. This trojan provides attackers with encrypted command-and-control channels, host fingerprinting and the ability to load additional malicious modules.
Tracing the Operation
Earlier stages focused on credential theft and data harvesting from browsers like Chrome and Firefox.
Stolen information was packaged into ZIP files and sent through the Telegram Bot API. Metadata linked to the handle @LoneNone connected the campaign to the PXA Stealer family, previously associated with Vietnamese threat actors.
The command-and-control server for PureRAT was also traced to Vietnam, reinforcing this attribution.
Read more on PureRAT: Accounting Firm Targeted by Malware Campaign Using New Crypter
Defensive Lessons
The campaign demonstrates the use of multiple evasion techniques, including sideloaded DLLs, certutil-based decoding, obfuscated Python loaders and reflective loading of .NET assemblies.
Huntress noted that detecting such activity requires monitoring behaviors rather than relying on a single defensive measure. Indicators include:
-
Suspicious use of certutil.exe for decoding files
-
Legitimate executables running from unusual directories such as C:UsersPublicWindows
-
Process hollowing of RegAsm.exe
-
Outbound TLS connections pinned with attacker-controlled certificates
“This campaign underscores the importance of defense-in-depth. The initial access relied on user execution, the loaders exploited trusted and system binaries, and the final stage used defense evasion to remain hidden,” the company wrote.
“No single control could have stopped this entire chain. By understanding the full lifecycle of the attack and monitoring for the specific behaviors outlined here, from certutil abuse to WMI queries and encrypted C2 traffic, organizations can build a more resilient security posture.”
