Full Report
Vietnam-based cybercrime actor appears to now be using AI to write scripts used in phishing campaigns
Analysis Summary
# Threat Actor: Vietnam-based Cybercrime Actor (Associated with PureRAT)
## Attribution & Identity
* **Primary Identification:** Vietnam-based cybercrime actor.
* **Known Associations:** This actor is documented as using and distributing the **PureRAT** malware. The campaign was initially documented by Trend Micro in December 2025 (referred to as the ValleyRat campaign).
* **Note:** The actor may be selling access to compromised organizations to other threat actors.
## Activity Summary
This threat actor is conducting ongoing phishing campaigns, which are notable for the apparent use of Artificial Intelligence (AI) to write or assist in developing malicious scripts. These campaigns begin with phishing emails leveraging **job offers or opportunities** as lures. Recent activity shows a shift from direct malicious attachments (ZIP/RAR) to hosting files on cloud storage like Dropbox, potentially to bypass gateway security filters. The infection chain leads to the installation of PureRAT or other payloads like a High-Visibility Network Remote Access Tool (HVNC).
## Tactics, Techniques & Procedures
The actor employs a multi-stage infection chain:
* **Delivery:** Phishing emails disguised as job offers, containing links to legitimate cloud services (e.g., Dropbox) to download malicious archives (ZIP/RAR).
* **Initial Execution:** Archives contain an executable used for DLL sideloading.
    * Frequently uses legitimate-looking executables to masquerade, such as a renamed Haihaisoft PDF Reader or older Microsoft Excel versions (Trend previously noted Foxit PDF Reader).
    * Examples of executable names: `adobereader.exe`, `Salary and Benefits Package.EXE`.
* **DLL Sideloading:** Malicious DLLs are sideloaded via the masquerading executable.
    * Malicious DLL filenames observed: `oledlg.dll`, `msimg32.dll`, `version.dll`, and `profapi.dll`.
* **Script Execution (AI-assisted):** The sideloaded DLLs act as loaders for malicious batch scripts.
    * **AI Usage:** One analyzed batch script displayed characteristics suggesting AI authorship (e.g., detailed comments, numbered steps, and debug messages directed to the attacker).
* **Post-Infection Chain (Example Batch Script):**
    1. Creates a hidden directory under `%LOCALAPPDATA%\Google Chrome`.
    2. Renames locally stored innocent files (`document.pdf`, `document.docx`) to malicious names (`huna.zip`, `huna.exe`).
    3. Uses a renamed 7-Zip/WinRAR executable (`huna.exe`) to extract `huna.zip` into the hidden Chrome directory using a hardcoded password (`[email protected]`).
    4. Executes a Python command via a benign-looking executable (`zvchost.exe`) to decode and run a remote command/payload from a specified IP address.
    5. Establishes persistence by adding an entry to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` under the name "ChromeUpdate".
* **Malware Payload:** PureRAT or HVNC.
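The sideloading step above has a simple detectable shape: a DLL whose name belongs in `System32` is instead mapped from the same user-writable directory as the executable that loaded it. The following triage routine is an added example (not code from the report, Trend Micro, or the actor) that applies that rule to Sysmon Event ID 7 "Image loaded" records reduced to three fields; the `ImageLoad` dataclass, the system-directory list, and all sample events are constructed for this example.

```python
import ntpath
from dataclasses import dataclass

# DLL names the report lists as sideloaded by the actor's renamed executables.
WATCHED_DLLS = {"oledlg.dll", "msimg32.dll", "version.dll", "profapi.dll"}

# Directories from which these Windows DLLs are legitimately loaded (assumed list).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


@dataclass
class ImageLoad:
    """A Sysmon Event ID 7 (Image loaded) record, reduced to the fields used here."""
    process_image: str   # full path of the process that mapped the DLL
    image_loaded: str    # full path of the DLL that was mapped
    signed: bool         # whether Sysmon reported a valid signature on the DLL


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (case-insensitive, no stray separators)."""
    return ntpath.normpath(path).lower()


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a watched DLL is loaded from outside the system directories and
    sits beside the executable that loaded it, the classic sideloading layout."""
    dll = _norm(ev.image_loaded)
    if ntpath.basename(dll) not in WATCHED_DLLS:
        return False
    if dll.startswith(SYSTEM_DIRS):
        return False  # normal load from the system location
    return ntpath.dirname(dll) == ntpath.dirname(_norm(ev.process_image))


def triage(events):
    """Return one finding per suspicious image-load event."""
    return [
        {"process": ev.process_image, "dll": ev.image_loaded, "signed": ev.signed}
        for ev in events
        if is_sideload_candidate(ev)
    ]


# Constructed sample telemetry: two benign loads and two that match the report's pattern.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Program Files\7-Zip\7z.exe",
              r"C:\Program Files\7-Zip\7z.dll", True),
    ImageLoad(r"C:\Users\alice\Downloads\Global_Ads_Strategy_Role_Summary\adobereader.exe",
              r"C:\Users\alice\Downloads\Global_Ads_Strategy_Role_Summary\oledlg.dll", False),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\Salary and Benefits Package.EXE",
              r"C:\Users\alice\AppData\Local\Temp\msimg32.dll", False),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The same-directory check is what keeps this rule quiet on hosts with application-local copies of other DLLs (the 7-Zip event above is ignored because `7z.dll` is not on the watch list); adding the `signed` field to the output lets an analyst sort unsigned hits first without making signature status a hard requirement.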
## Targeting
* **Sectors:** Implied corporate/professional sectors relevant to job applicants. Specific targets are not explicitly named, but the job lures imply targeting employees or IT staff.
* **Geography:** Indicated as **Vietnam-based actor**, but the phishing lures suggest a global target audience (based on generic job titles and document names referencing international companies like OPPO, SAMSUNG, Duolingo, and Henkel-AG).
* **Victims:** General users receiving job-related phishing, potentially resulting in corporate network compromise.
## Tools & Infrastructure
* **Malware Families Used:** PureRAT, HVNC (High-Visibility Network Remote Access Tool).
* **Infrastructure & Domains:**
    * **Droppers/Delivery:** Dropbox links (e.g., `dl.dropboxusercontent[.]com/scl/fi/...`).
    * **C2/Payload Retrieval:**
        * `196.251.86[.]145` (used in the Python decode command).
        * `dmca-wipo[.]com`
        * `ginten555333[.]com` (hosting libraries for the Python code and unzip tools).
    * **IPs Observed:** `139.99.17[.]175`, `144.172.116[.]103`, `139.99.17[.]184`, `217.217.253[.]186`, `116.202.214[.]234`, `103.166.185[.]228`, `15.235.172[.]166`, `192.30.139[.]187`.
* **Observed Archive Names:** `New_Remote_Marketing_Opportunity_OPPO_Find_X9_Series.zip`, `Global_Ads_Strategy_Role_Summary.zip`, `Duolingo_Marketing_Skills_Assessment_oct.zip`, etc.
## Implications
The actor's adoption of AI tools to generate attack scripts significantly lowers the technical bar required for sophisticated, multi-stage malware delivery. This suggests an increased volume and potentially higher complexity of attacks from actors who previously relied on simpler methods. If the actor is selling access, their activities act as a force multiplier, enabling other, potentially more destructive, threat groups to utilize their initial access points.
## Mitigations
* **Email Gateway Security:** Deploy advanced email filtering capable of detecting suspicious links leading to cloud storage, particularly when archives or scripts are involved.
* **Endpoint Detection & Response (EDR):** Implement EDR solutions capable of detecting unusual process activity, specifically DLL sideloading techniques and unauthorized batch script execution.
* **Application Control/Whitelisting:** Restrict the execution of unknown or suspicious executables, especially those attempting to sideload DLLs or invoke archive utilities such as 7-Zip/WinRAR from unexpected locations or with unexpected parents.
* **Persistence Monitoring:** Actively monitor the registry for new entries under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` that point to non-standard paths (like within `%LOCALAPPDATA%`).
* **User Education:** Emphasize social engineering awareness regarding unsolicited job offers, especially those requiring unusual download or archive extraction procedures. Employees should be suspicious of files downloaded from cloud links rather than direct email attachments.
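The persistence-monitoring item above is easy to state and slightly harder to operationalise, because legitimate per-user software (OneDrive is the usual case) also autostarts from `%LOCALAPPDATA%`. The routine below is an added example, not code from the report, that reviews `Run`-key values the way an analyst would: it extracts the executable from each command line (quoted or not), expands environment variables against a profile, skips an explicit allowlist, and flags anything under a user-writable location. The `ENV` profile, the allowlist, and the sample entries (including a "ChromeUpdate" value pointing into the hidden `Google Chrome` folder the report describes) are constructed for this example.

```python
import ntpath
import re

# Constructed user profile used to expand variables in the sample data
# (assumption for this example; a live check reads the real environment).
ENV = {
    "%LOCALAPPDATA%": r"C:\Users\alice\AppData\Local",
    "%APPDATA%": r"C:\Users\alice\AppData\Roaming",
    "%TEMP%": r"C:\Users\alice\AppData\Local\Temp",
    "%USERPROFILE%": r"C:\Users\alice",
    "%WINDIR%": r"C:\Windows",
}

# Per-user locations a normal installer does not use for autostart binaries.
USER_WRITABLE = ("%LOCALAPPDATA%", "%APPDATA%", "%TEMP%", r"%USERPROFILE%\Downloads")

# Legitimate per-user software that does live under %LOCALAPPDATA%
# (example allowlist; populate it from your own software inventory).
ALLOWLIST = (r"%LOCALAPPDATA%\Microsoft\OneDrive",)


def expand(path: str) -> str:
    """Expand %VAR% references case-insensitively and normalise for comparison."""
    out = path
    for var, val in ENV.items():
        out = re.sub(re.escape(var), lambda _m, v=val: v, out, flags=re.IGNORECASE)
    return ntpath.normpath(out).lower()


def executable_from_command(cmd: str) -> str:
    """Return the program path from a Run-key command line.
    Handles a quoted path, an unquoted path containing spaces (taken up to the
    first .exe), and a plain single token."""
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.exe)|(\S+))', cmd, re.IGNORECASE)
    return next(g for g in m.groups() if g)


def _under(target: str, prefix: str) -> bool:
    """True when target is prefix itself or lies inside it (separator-aware)."""
    return target == prefix or target.startswith(prefix + "\\")


def review_run_entries(entries: dict) -> list:
    """Flag Run-key values whose executable lives in a user-writable location."""
    findings = []
    for name, cmd in entries.items():
        exe = executable_from_command(cmd)
        target = expand(exe)
        if any(_under(target, expand(p)) for p in ALLOWLIST):
            continue
        hit = next((p for p in USER_WRITABLE if _under(target, expand(p))), None)
        if hit:
            findings.append({"name": name, "target": exe, "reason": f"autostart binary under {hit}"})
    return findings


# Constructed sample of HKCU\...\CurrentVersion\Run values (name -> command line).
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ChromeUpdate": r'"%LOCALAPPDATA%\Google Chrome\zvchost.exe"',
    "Updater": r"C:\Users\alice\Downloads\Salary and Benefits Package.EXE /silent",
}

if __name__ == "__main__":
    for finding in review_run_entries(SAMPLE_RUN_ENTRIES):
        print(finding)
```

Two details matter in practice: the separator-aware prefix test in `_under` stops `%LOCALAPPDATA%` from matching an unrelated sibling directory, and the unquoted-path branch of `executable_from_command` exists because autostart commands written by scripts often omit the quotes that installers add.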