A Vietnamese threat actor's shift from PXA Stealer to PureRAT
Essential information
- Published
- 10/10/2025 08:25
- Modified
- 10/10/2025 08:57
- Tags
- 2025-10-10 pureclipper purecrypter pureminer purerat pxa stealer remote access trojan vietnamese threat actor
- Related entities
- 4 observables, 1 intrusion sets (apt), 14 techniques (mitre), 7 malware
Description
A Vietnamese threat actor has transitioned from using the PXA Stealer to deploying PureRAT, a commercial remote access trojan. The attack chain involves multiple stages, including phishing emails, Python-based infostealers, and .NET loaders. The campaign demonstrates a progression in complexity, utilizing DLL sideloading, obfuscation techniques, and defense evasion methods. The final payload, PureRAT, provides the attacker with extensive control over compromised systems. The threat actor's shift to commodity malware indicates a maturing operation, lowering the barrier for sophisticated attacks. This evolution highlights the need for robust, multi-layered defense strategies to counter such adaptable threats.