A Vietnamese cybercrime group is using artificial intelligence to write malicious code in an ongoing phishing campaign that distributes the PureRAT malware through fake job opportunities.
The campaign, initially detected in December 2025, represents a concerning evolution in threat actor capabilities, combining social engineering tactics with machine-generated attack tools to compromise organizations worldwide.
The attacks begin with phishing emails disguised as legitimate employment offers from well-known companies. These messages contain ZIP archives named after job-related topics, such as “New_Remote_Marketing_Opportunity_OPPO_Find_X9_Series.zip” or “Salary and Benefits Package.zip.”
When recipients open these archives, they trigger an infection chain that eventually installs PureRAT or other malicious payloads like hidden virtual network computing (HVNC) tools.
The campaign targets diverse organizations across multiple industries, suggesting the attackers may be selling access to compromised networks rather than conducting targeted espionage.
After analyzing the attack tools, Symantec researchers identified multiple indicators that the malicious scripts were created using artificial intelligence.
The batch files and Python code contained detailed Vietnamese-language comments explaining each step, numbered instructions, and even emoji symbols in code remarks—characteristics commonly associated with AI-generated programming.
This level of documentation is rarely seen in manually written malware scripts, making the AI authorship particularly evident.
The malicious archives typically contain legitimate executables repurposed for DLL sideloading attacks. Files such as “adobereader.exe” or “Salary_And_Responsibility_Table.exe” are used to load harmful DLLs including oledlg.dll, msimg32.dll, version.dll, and profapi.dll.
These DLLs act as loaders for the final payload, establishing persistence and maintaining stealth throughout the infection process.
How PureRAT Establishes Persistence
Once executed, the malicious batch script creates a hidden directory under the Windows %LOCALAPPDATA%Google Chrome folder to conceal its presence from users.
The script then renames benign-looking files like “document.pdf” and “document.docx” into archive formats, extracts the contents using embedded compression tools with the password “[email protected],” and executes a Python-based payload.
This payload fetches Base64-encoded malicious code from remote command-and-control servers operated by the attackers.
To maintain long-term access, the malware adds itself to the Windows Registry Run key under the name “ChromeUpdate,” ensuring it executes automatically every time the system starts.
After establishing persistence, the script opens a legitimate PDF document from the hidden directory to deceive victims into believing they simply opened a normal file.
This technique reduces suspicion and allows the malware to operate undetected while stealing data or providing remote access to the compromised system.
The Vietnamese origin of the threat actor is evident through multiple indicators beyond the language used in code comments. Passwords containing “@dev.vn” domains and GitLab accounts with Vietnamese usernames reinforce the attribution.
Symantec Endpoint products now detect and block the identified malicious files, providing protection against this evolving threat campaign.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
