Evolved PXA Stealer wraps PureRAT in multi-layer obfuscation

Security researchers have uncovered a Vietnamese threat group evolving from their custom PXA Stealer campaign into a multi-layered delivery chain dropping PureRAT, a feature-rich remote access trojan.

According to a Huntress analysis, the group operates ten separate payload stages, including phishing lures, obfuscated loaders, registry persistence, AMSI and ETW patching, and TLS-pinned command and control (C2).

“The way they chained loaders, mixed in different encryption schemes, and pivoted into PureRAT feels intentional—it’s about buying time,” said Anna Pham, senior hunt and response analyst at Huntress and a contributor on the report. “This isn’t smash-and-grab malware. It’s a sign the group wants staying power inside environments.”

PXA Stealer is a known Python-based infostealer, tied to the Telegram alias @LoneNone and previously used for harvesting credentials and browser data.

Commodity malware wrapped in a complex chain

PureRAT itself is not new: it’s a commodity RAT marketed as a remote administration toolkit with features like hidden desktop access (HVNC/HRDP), microphone and webcam spying, registry management, and even cryptowallet monitoring. But what distinguishes the PXA campaign is the elaborate delivery sequence that surrounded it.

The infection began with a phishing lure disguised as a copyright infringement notice, ultimately pulling Python loaders hidden inside renamed executables, Huntress researchers said in a disclosure shared with CSO ahead of its publication on Thursday. Each stage unpacked or decrypted the next, layering Base64, AES, RC4, and XOR encoding on top of one another. Later phases shifted to .NET assemblies that use process hollowing and reflective loading to stay under the radar. By the time PureRAT was finally deployed, defenders had to untangle nearly a dozen payloads.
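The "each stage unpacks the next" pattern described above is what an analyst has to reverse during triage: peel one encoding layer, look at what comes out, decide which decryption to try next, and repeat. The script below is an added example of that workflow written for this article; it is not Huntress's tooling or code from the campaign. It builds a constructed sample wrapped as Base64 → RC4 → Base64 → XOR (the AES layer from the real chain is omitted to keep the example dependency-free), then recovers the inner payload by recognising Base64 at each step and otherwise trying the known RC4 and XOR keys, accepting a candidate only when the result is itself Base64 or printable text. The keys and the inner payload are made up for the example.

```python
"""Peel a multi-layer loader blob the way an analyst unwraps a staged sample.

All keys and the payload below are constructed for this example; nothing here
is taken from the PXA Stealer / PureRAT chain.
"""
import base64
import binascii

# Constructed keys. The XOR key has the high bit set in every byte so that the
# XOR-wrapped stage is visibly non-text, which is what forces the analyst logic
# to try a decryption instead of stopping early.
RC4_KEY = b"stage2-key"
XOR_KEY = bytes([0xA7, 0xC3, 0x91, 0xE5])
FINAL_PAYLOAD = b"print('stage 4: payload reached')\n"  # stand-in for the last stage


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, also self-inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def try_b64(blob: bytes):
    """Return the decoded bytes if blob is strictly valid Base64, else None."""
    try:
        return base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_text(blob: bytes) -> bool:
    """True when at least 95% of the bytes are printable ASCII or whitespace."""
    if not blob:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return printable / len(blob) >= 0.95


def peel(blob: bytes, rc4_key: bytes, xor_key: bytes, max_layers: int = 8):
    """Strip layers until a plaintext stage or an undecodable blob is reached.

    Returns (list_of_layer_names, innermost_bytes). Unresolved layers are left
    in the returned bytes rather than guessed at.
    """
    layers = []
    cur = blob
    for _ in range(max_layers):
        if not cur:
            break
        decoded = try_b64(cur)
        if decoded is not None:                # encoding layer: always peel it
            layers.append("base64")
            cur = decoded
            continue
        if looks_like_text(cur):               # reached a readable stage
            break
        # Encrypted layer: try the known keys and keep a candidate only if the
        # output is structured (Base64 or text), so a wrong key is not accepted.
        for name, fn in (("rc4", lambda d: rc4(rc4_key, d)),
                         ("xor", lambda d: xor(xor_key, d))):
            cand = fn(cur)
            if try_b64(cand) is not None or looks_like_text(cand):
                layers.append(name)
                cur = cand
                break
        else:
            break                              # no key fit: stop, leave bytes as-is
    return layers, cur


def build_sample() -> bytes:
    """Constructed four-layer blob: base64(rc4(base64(xor(payload))))."""
    inner = base64.b64encode(xor(XOR_KEY, FINAL_PAYLOAD))
    return base64.b64encode(rc4(RC4_KEY, inner))


if __name__ == "__main__":
    found, payload = peel(build_sample(), RC4_KEY, XOR_KEY)
    print(" -> ".join(found))                  # base64 -> rc4 -> base64 -> xor
    print(payload.decode())
```

The accept-only-if-structured rule is the important design choice: a wrong RC4 key still "decrypts" to bytes, so without a plausibility check the unwrapper would happily descend into garbage. With the wrong key, `peel` stops after the outer Base64 layer and hands back the undecoded bytes for manual inspection instead.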

“This is definitely a step up in maturity,” Pham noted, pointing to the use of AMSI patching and TLS certificate pinning for evasion. “It doesn’t make them unique, but it does put them firmly in the pool of threat actors investing in sustainable access rather than quick hits.”

The strategy of chaining loaders and defense bypasses has become increasingly common as mid-tier groups try to frustrate analysis. PureRAT’s configuration data, including pinned X.509 certificates and ports tied to a Vietnamese C2 server, revealed the operators’ attempts to keep their presence hidden.

Telegram and the Vietnamese infrastructure led to attribution

Metadata within exfiltrated ZIP archives pointed to @LoneNone, a Telegram handle previously associated with PXA Stealer. That same alias had appeared in earlier Cisco and SentinelOne reporting, and Validin also tied PureRAT infrastructure to Vietnamese actors, researchers noted.

James Northey, SOC analyst and lead author of the report, emphasized the progression: “The Cisco report back in December shows a less sophisticated chain of events. What we (and SentinelOne) discovered is a clear progression in the threat actor’s TTPs in a relatively short time frame (I found this in May). They were relatively unknown six months ago, and now they have some very stealthy malware being combined with a powerful commodity RAT.”

The convergence of multiple factors (Telegram infrastructure, Vietnamese C2 servers, and familiar operator tradecraft) gave Huntress confidence in linking the activity to PXA. The SOC team was able to remediate the intrusion before PureRAT modules could be fully deployed, researchers added.

Pham noted that this isn’t an isolated case. “More mid-tier groups are blending commodity malware with loaders, layering in obfuscation and defense bypasses that were once more closely associated with sophisticated threat actors. We expect to see more ‘commodity-plus’ campaigns where MaaS like PureRAT are wrapped in complex delivery chains,” she said.

Robert Knapp, director of SOC at Huntress, sees PXA’s evolving TTPs as part of the ongoing “cat and mouse” dynamic between defenders and threat actors. Pointing out a silver lining to this growing sophistication, he said, “This reflects what Huntress has seen throughout our existence — threat actors continuing to mature their tactics as a direct result of our defensive capabilities increasing in their effectiveness.”
