{"id":5036,"date":"2025-09-25T13:00:00","date_gmt":"2025-09-25T13:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5036"},"modified":"2025-09-25T13:00:00","modified_gmt":"2025-09-25T13:00:00","slug":"evolved-pxa-stealer-wraps-purerat-in-multi-layer-obfuscation","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5036","title":{"rendered":"Evolved PXA Stealer wraps PureRAT in multi-layer obfuscation"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Security researchers have uncovered a Vietnamese threat group evolving from their custom PXA Stealer campaign into a multi-layered delivery chain dropping PureRAT, a feature-rich remote access trojan.<\/p>\n<p>According to a Huntress analysis, the group operates ten separate payload stages, including phishing lures, obfuscated loaders, registry persistence, <a href=\"https:\/\/www.csoonline.com\/article\/4056389\/stealthy-asyncrat-flees-the-disk-for-a-fileless-infection.html?utm=hybrid_search#:~:text=Anti-malware%20Scan%20Interface%20(AMSI)%20and%20tampering%20with%20Event%20Tracking%20for%20Windows%20(ETW)\" target=\"_blank\" rel=\"noopener\">AMSI and ETW<\/a> patching, and TLS-pinned command and control (C2).<\/p>\n<p>\u201cThe way they chained loaders, mixed in different encryption schemes, and pivoted into PureRAT feels intentional\u2014it\u2019s about buying time,\u201d said Anna Pham, senior hunt and response analyst at Huntress and a contributor on the report. \u201cThis isn\u2019t smash-and-grab malware. 
It\u2019s a sign the group wants staying power inside environments.\u201d<\/p>\n<p>PXA Stealer has been around as a Python-based infostealer, <a href=\"https:\/\/therecord.media\/pxa-infostealer-telegram-bots-vietnamese-speaking-hackers\" target=\"_blank\" rel=\"noopener\">tied<\/a> to the Telegram alias @LoneNone, and previously used for harvesting credentials and browser data.<\/p>\n<h2 class=\"wp-block-heading\">Commodity malware wrapped in a complex chain<\/h2>\n<p>PureRAT itself is not new\u2013it\u2019s a commodity RAT marketed as a remote administration toolkit with features like hidden desktop access (HVNC\/HRDP), microphone and webcam spying, registry management, and even cryptowallet monitoring. But what distinguishes the PXA campaign is the elaborate delivery sequence that surrounded it.<\/p>\n<p>The infection began with a phishing lure disguised as a copyright infringement notice, ultimately pulling Python loaders hidden inside renamed executables, Huntress researchers said in a disclosure shared with CSO ahead of its publication on Thursday. Each stage unpacked or decrypted the next, layering Base64 encoding with AES, RC4, and XOR encryption on top of one another. Later phases shifted to .NET assemblies that used process hollowing and reflective loading to stay under the radar. By the time PureRAT was finally deployed, defenders had to untangle nearly a dozen payloads.<\/p>\n<p>\u201cThis is definitely a step up in maturity,\u201d Pham noted, pointing to the use of AMSI patching and TLS certificate pinning for evasion. \u201cIt doesn\u2019t make them unique, but it does put them firmly in the pool of threat actors investing in sustainable access rather than quick hits.\u201d<\/p>\n<p>The strategy of chaining loaders and defense bypass has become increasingly common as <a href=\"https:\/\/www.csoonline.com\/article\/3818521\/lazarus-group-tricks-job-seekers-on-linkedin-with-crypto-stealer.html\">mid-tier groups<\/a> try to frustrate analysis. 
PureRAT\u2019s configuration data, including pinned X.509 certificates and ports tied to a Vietnamese C2 server, revealed operators\u2019 attempts to keep their presence hidden.<\/p>\n<h2 class=\"wp-block-heading\">Telegram and the Vietnamese infrastructure led to attribution<\/h2>\n<p>Metadata within exfiltrated ZIP archives pointed to @LoneNone, a Telegram handle previously associated with PXA Stealer. That same alias had appeared in earlier <a href=\"https:\/\/blog.talosintelligence.com\/new-pxa-stealer\/\" target=\"_blank\" rel=\"noopener\">Cisco<\/a> and <a href=\"https:\/\/www.sentinelone.com\/labs\/ghost-in-the-zip-new-pxa-stealer-and-its-telegram-powered-ecosystem\/\" target=\"_blank\" rel=\"noopener\">SentinelOne<\/a> reporting, and <a href=\"https:\/\/www.validin.com\/\">Validin<\/a> also tied PureRAT infrastructure to Vietnamese actors, researchers noted.<\/p>\n<p>James Northey, SOC analyst and lead author of the report, emphasized the progression: \u201cThe Cisco report back in December shows a less sophisticated chain of events. What we (and SentinelOne) discovered is a clear progression in threat actor\u2019s TTPs in a relatively short time frame (I found this in May). They were relatively unknown six months ago, and now they have some very stealthy malware being combined with a powerful commodity RAT.\u201d<\/p>\n<p>The convergence of multiple factors\u2013Telegram infrastructure, Vietnamese C2 servers, and familiar operator tradecraft\u2013gave Huntress confidence in linking the activity to PXA. The SOC team was able to remediate the intrusion before PureRAT modules could be fully deployed, researchers added.<\/p>\n<p>Pham noted that this isn\u2019t an isolated case. \u201cMore mid-tier groups are blending commodity malware with loaders, layering in obfuscation and defense bypasses that were once more closely associated with sophisticated threat actors. 
We expect to see more \u201ccommodity-plus\u201d campaigns where MaaS like PureRAT are wrapped in complex delivery chains,\u201d she said.<\/p>\n<p>Robert Knapp, director of SOC, Huntress, sees PXA\u2019s evolving TTPs as part of the ongoing \u201ccat and mouse\u201d dynamic between defenders and threat actors. Pointing out a silver lining to this growing sophistication, he said, \u201cThis reflects what Huntress has seen throughout our existence \u2014 threat actors continuing to mature their tactics as a direct result of our defensive capabilities increasing in their effectiveness.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers have uncovered a Vietnamese threat group evolving from their custom PXA Stealer campaign into a multi-layered delivery chain dropping PureRAT, a feature-rich remote access trojan. According to a Huntress analysis, the group operates ten separate payload stages, including phishing lures, obfuscated loaders, registry persistence, AMSI and ETW patching, and TLS-pinned command and control (C2). 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5037,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5036","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5036"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5036"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5036\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5037"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5036"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5036"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5036"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}