A Vietnamese threat actor's shift from PXA Stealer to PureRAT

Oct. 10, 2025, 8:57 a.m.

Description

A Vietnamese threat actor has transitioned from using the PXA Stealer to deploying PureRAT, a commercial remote access trojan. The attack chain involves multiple stages, including phishing emails, Python-based infostealers, and .NET loaders. The campaign demonstrates a progression in complexity, using DLL sideloading, obfuscation techniques, and defense evasion methods. The final payload, PureRAT, provides the attacker with extensive control over compromised systems. The threat actor's shift to commodity malware indicates a maturing operation and shows how such tooling lowers the barrier for sophisticated attacks. This evolution highlights the need for robust, multi-layered defense strategies to counter such adaptable threats.

Date

  • Created: Oct. 10, 2025, 8:25 a.m.
  • Published: Oct. 10, 2025, 8:25 a.m.
  • Modified: Oct. 10, 2025, 8:57 a.m.

Indicators

  • f6ed084aaa8ecf1b1e20dfa859e8f34c4c18b7ad7ac14dc189bc1fc4be1bd709
  • f5e9e24886ec4c60f45690a0e34bae71d8a38d1c35eb04d02148cdb650dd2601
  • 06fc70aa08756a752546198ceb9770068a2776c5b898e5ff24af9ed4a823fd9d
  • 157.66.26.209

Attack Patterns

  • PureClipper
  • BlueLoader
  • PXA Stealer
  • PureMiner
  • PureRAT
  • PureLogs Stealer
  • PureCrypter
  • PXA Stealer group