Vietnamese Threat Actor Uses AI to Develop PureRAT Malware in Job-Themed Phishing Campaign

A Vietnamese cybercrime actor is using artificial intelligence to develop malware tools powering an ongoing phishing campaign that delivers PureRAT and other payloads through fake job opportunity lures, according to research published by Symantec.

Multiple tools used by the attacker bear hallmarks of AI-assisted development, including detailed comments with numbered steps in scripts, emoji usage in code comments, and debug messages containing instructions for the attacker. The campaign provides further evidence that AI is lowering the barrier to entry for less-skilled attackers to build sophisticated attack toolkits.

Job-Themed Phishing Lures

The campaign begins with phishing emails masquerading as job opportunities from major brands. Recent examples include lures referencing OPPO, Samsung, Henkel, Duolingo, and American Giant. The attacker appears to be targeting jobseekers across multiple countries in hopes they open emails on work computers, potentially providing initial access to corporate networks.

While earlier iterations of the campaign used malicious ZIP or RAR attachments, recent samples are hosted on Dropbox. The shift suggests the attacker believes downloads from known cloud services are less likely to raise red flags than direct attachments.

Malicious archive filenames observed include New_Remote_Marketing_Opportunity_OPPO_Find_X9_Series.zip, SAMSUNG_OLED_G5_Marketing_Dossier.zip, Duolingo_Marketing_Skills_Assessment_oct.zip, and Advertising_and_Marketing_Henkel-AG_Smartwash.zip.

AI Fingerprints in Malicious Code

The archives contain executables used to sideload malicious DLLs, often abusing legitimate software including Haihaisoft PDF Reader and older versions of Microsoft Excel. The DLLs act as loaders for batch scripts that Symantec researchers assessed were very likely authored using AI.

One batch script analyzed contained detailed Vietnamese comments explaining virtually every step of execution, a level of documentation rare outside AI-generated code and particularly unusual in malware, which typically contains minimal or no comments.

A second variant contained even more evidence of AI assistance, including emoji characters in code comments. Researchers noted that many AI models have a tendency to insert emojis in code because they have been trained on data from social platforms like Reddit.

The batch scripts create hidden directories, rename files to evade detection, extract payloads using hardcoded passwords, establish persistence through registry Run keys or scheduled tasks, and open benign PDF documents to maintain the illusion of legitimacy.

Python Loaders Also AI-Generated

Beyond batch scripts, several Python payloads used to load HVNC malware also showed strong indicators of AI authorship. The code featured numbered steps with explanatory comments in mixed Vietnamese and English, along with debug messages containing instructions for the attacker such as "Remember to paste the base64-encoded HVNC shellcode here."

The Python loaders create suspended processes using legitimate Windows binaries like InstallUtil.exe, allocate memory, inject shellcode, and execute payloads entirely in memory to evade detection.

Attribution to Vietnamese Actor

Multiple indicators point to a Vietnamese threat actor. Code comments are written in Vietnamese, and three passwords used by the attackers contain @dev.vn addresses: huna@dev.vn, hwan@dev.vn, and hwanxkiem@dev.vn.

Hwanxkiem appears to be a phonetic variation of Hoàn Kiếm, a district in the Vietnamese capital Hanoi. One filename used by the attacker, nvmeikxnawh.zip, contains Hwanxkiem reversed. The GitLab account used for payload hosting, gitlab[.]com/kimxhwan, is another variation with syllables reversed.

The name "Huna" appears consistently in filenames and passwords and may be a handle used by the attacker.

Cybercrime Motivation

The motivation appears to be financial rather than espionage. The wide range of targeted organizations and varied lures suggests broad opportunistic targeting rather than focused campaigns against specific entities.

Symantec assesses the attacker may be using malware payloads to obtain footholds on corporate networks and subsequently sell access to other threat actors, a common cybercrime business model.

Continuously Evolving Toolset

The attacker appears to be actively refining their attack chain. Researchers found multiple variants of scripts with infrastructure regularly rotated. In some cases payloads were downloaded from hardcoded IP addresses, while others used GitLab for hosting.

The campaign demonstrates how AI is becoming a force multiplier for cybercriminals, enabling less technical actors to develop and iterate on sophisticated attack tools more rapidly than previously possible.

Indicators of Compromise

Network infrastructure includes multiple IP addresses serving payloads: 196.251.86[.]145, 139.99.17[.]175, 139.99.17[.]184, 217.217.253[.]186, 116.202.214[.]234, and 51.79.214[.]125. Malicious domains include dmca-wipo[.]com and ginten555333[.]com. Payloads are also hosted on GitLab at gitlab[.]com/kimxhwan and distributed via Dropbox links.

File indicators include numerous batch scripts, sideloaded DLLs with names including oledlg.dll, msimg32.dll, version.dll, and profapi.dll, and Python HVNC payloads. Organizations should monitor for suspicious execution of renamed PDF readers and archive utilities, hidden directories under %LOCALAPPDATA%\Google Chrome, and persistence mechanisms masquerading as ChromeUpdate.
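For defenders acting on these indicators, the PowerShell hunt below is an added example, not code from Symantec's report: it checks a host for Run-key or scheduled-task persistence named ChromeUpdate, hidden directories under %LOCALAPPDATA%\Google Chrome and processes started from there, and the sideload DLL names listed above loaded from outside the Windows directory. The function name and output shape are this example's own choices; run it elevated so module lists of other users' processes are readable.

```powershell
function Find-PureRatArtifacts {
    param(
        # Defaults are the staging path and persistence name the article reports.
        [string]$StagingRoot     = (Join-Path $env:LOCALAPPDATA 'Google Chrome'),
        [string]$PersistenceName = 'ChromeUpdate'
    )
    $hits = [System.Collections.Generic.List[object]]::new()
    function Add-Hit($Type, $Where, $Name, $Value) {
        $hits.Add([pscustomobject]@{ Type = $Type; Where = $Where; Name = $Name; Value = $Value })
    }
    # 1. Run keys (user and machine) holding a value named like the masquerade string.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like "*$PersistenceName*") { Add-Hit 'RunKey' $key $p.Name $p.Value }
        }
    }

    # 2. Scheduled tasks with a matching name; record what each one executes.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like "*$PersistenceName*" } |
        ForEach-Object {
            $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Add-Hit 'ScheduledTask' $_.TaskPath $_.TaskName $cmd
        }

    # 3. Hidden directories under the staging root, and processes running from it.
    if (Test-Path $StagingRoot) {
        Get-ChildItem -Path $StagingRoot -Directory -Force -Recurse -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
            ForEach-Object { Add-Hit 'HiddenDir' $_.FullName $_.Name $_.LastWriteTime }
        Get-CimInstance Win32_Process |
            Where-Object { $_.ExecutablePath -like "$StagingRoot\*" } |
            ForEach-Object { Add-Hit 'Process' $_.ExecutablePath $_.Name $_.CommandLine }
    }
    # 4. DLL names the article lists as sideloaded, loaded from outside the Windows directory.
    $sideloadNames = 'oledlg.dll', 'msimg32.dll', 'version.dll', 'profapi.dll'
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }   # protected or other-bitness processes
        foreach ($m in $mods) {
            if ($sideloadNames -contains $m.ModuleName -and $m.FileName -notlike "$env:SystemRoot\*") {
                Add-Hit 'SideloadDll' $m.FileName $proc.Name $proc.Id
            }
        }
    }
    return $hits
}

Find-PureRatArtifacts | Format-Table -AutoSize
```

A legitimate application can also load version.dll or msimg32.dll from its own install directory, so treat SideloadDll hits as leads to triage against the Run-key, task and staging-directory findings rather than as confirmed compromise.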
