Cybercriminals Use AI for Deceptive Job Offers, Spread PureRAT Malware via Phishing Campaigns

Cybercriminals Exploit AI to Craft Deceptive Job Offers, Deploying PureRAT Malware

In a concerning development, a Vietnamese cybercrime group has been leveraging artificial intelligence (AI) to craft sophisticated phishing campaigns that distribute the PureRAT malware through fraudulent job offers. This campaign, first identified in December 2025, signifies a troubling advancement in cybercriminal tactics, merging social engineering with AI-generated malicious code to infiltrate organizations globally.

The Phishing Tactics

The attackers initiate their scheme by sending phishing emails that masquerade as legitimate employment opportunities from reputable companies. These emails include ZIP archives with enticing names related to job prospects, such as New_Remote_Marketing_Opportunity_OPPO_Find_X9_Series.zip or Salary and Benefits Package.zip. Unsuspecting recipients who open these archives inadvertently set off an infection chain that culminates in the installation of PureRAT or other malicious payloads, including hidden virtual network computing (HVNC) tools.

Targeted Industries and Objectives

The campaign’s reach spans various industries, indicating that the perpetrators might be selling access to compromised networks rather than engaging in targeted espionage. This broad targeting suggests a financially motivated operation aimed at maximizing the number of infected systems for potential profit.

AI-Generated Malicious Code

Upon analyzing the attack tools, researchers discovered multiple indicators pointing to the use of AI in generating the malicious scripts. The batch files and Python code were notably detailed, featuring Vietnamese-language comments that explained each step, numbered instructions, and even emoji symbols within the code remarks. Such comprehensive documentation is uncommon in manually written malware, making the AI-generated nature of the code particularly evident.

Technical Breakdown of the Attack

The malicious ZIP archives typically contain legitimate executables that have been repurposed for DLL sideloading attacks. Files named adobereader.exe or Salary_And_Responsibility_Table.exe are used to load harmful DLLs, including oledlg.dll, msimg32.dll, version.dll, and profapi.dll. These DLLs serve as loaders for the final payload, ensuring persistence and maintaining stealth throughout the infection process.
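As an added illustration (not code from the original article or from the researchers it cites), the Python script below triages an extracted-archive directory tree for the sideloading layout just described: an executable sitting beside one of the four DLL names outside the Windows system directories. The sample tree it builds, the placeholder file contents and the system-path prefixes it skips are constructed assumptions.

```python
"""Triage a directory tree for the DLL-sideloading layout described above.

Flags any .exe that has one of the DLL names from the campaign write-up
beside it, unless the directory is a standard Windows system location.
The sample tree is constructed in a temporary directory, so no real
samples are needed and the script runs offline on any platform.
"""
import os
import tempfile
from pathlib import Path

# DLL names from the write-up that the repurposed executables load
SIDELOAD_DLLS = {"oledlg.dll", "msimg32.dll", "version.dll", "profapi.dll"}

# Locations where these DLLs legitimately live; copies elsewhere are suspect.
# Assumption: a plain case-insensitive prefix check is enough for triage.
SYSTEM_PREFIXES = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def find_sideload_candidates(root):
    """Return (exe_path, [dll_names]) for every .exe with a sideload DLL beside it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if dirpath.lower().startswith(SYSTEM_PREFIXES):
            continue
        names = {f.lower() for f in files}
        present = sorted(names & SIDELOAD_DLLS)
        if not present:
            continue
        for f in files:
            if f.lower().endswith(".exe"):
                hits.append((os.path.join(dirpath, f), present))
    return hits


def build_sample_tree(base):
    """Construct a toy extracted-archive layout (constructed data, not a real sample)."""
    lure = Path(base) / "Salary and Benefits Package"
    lure.mkdir()
    for name in ("adobereader.exe", "oledlg.dll", "version.dll",
                 "Salary_And_Responsibility_Table.pdf"):
        (lure / name).write_bytes(b"placeholder")
    # A benign folder with an .exe but none of the named DLLs must not be flagged
    clean = Path(base) / "clean_app"
    clean.mkdir()
    (clean / "app.exe").write_bytes(b"placeholder")
    (clean / "readme.txt").write_bytes(b"placeholder")
    return str(lure)


def demo():
    """Build the sample tree, scan it, and return (exe basename, dll list) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_sideload_candidates(tmp)
        return [(os.path.basename(p), dlls) for p, dlls in hits]


if __name__ == "__main__":
    for exe, dlls in demo():
        print(f"{exe}: sideload candidates {dlls}")
```

On a real host the same function can be pointed at user-writable locations such as Downloads or Temp; the system-directory exclusion keeps the legitimate copies of these DLLs from generating noise.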

Establishing Persistence with PureRAT

Once executed, the malicious batch script creates a hidden directory within the Windows %LOCALAPPDATA%\Google Chrome folder to conceal its presence from users. The script then renames seemingly benign files like document.pdf and document.docx into archive formats, extracts their contents using embedded compression tools with the password [email protected], and executes a Python-based payload. This payload retrieves Base64-encoded malicious code from remote command-and-control servers operated by the attackers.

To maintain long-term access, the malware adds itself to the Windows Registry Run key under the name ChromeUpdate, ensuring it executes automatically each time the system starts. After establishing persistence, the script opens a legitimate PDF document from the hidden directory to deceive victims into believing they have merely opened a normal file. This tactic reduces suspicion and allows the malware to operate undetected while stealing data or providing remote access to the compromised system.
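The two host artefacts described in this section, the ChromeUpdate Run-key entry and the "documents" that are really archives, can be checked with the added Python example below. It is not code from the article or from the researchers it cites. To keep it runnable anywhere, the Run-key snapshot is supplied as a constructed dictionary rather than read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and the staged files are written to a temporary directory; the username, command lines and file contents are all made up for the demonstration.

```python
"""Check host artefacts against the persistence behaviour described above.

Two checks, each over constructed sample data:
  1. Run-key values named ChromeUpdate, or whose command points under a
     "Google Chrome" folder inside %LOCALAPPDATA%.
  2. Files with .pdf/.docx extensions whose leading bytes are an archive
     signature, which is what the renamed decoy documents look like on disk.
"""
import os
import tempfile
from pathlib import Path

# Magic bytes for archive formats a renamed "document" might really be
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
DOCUMENT_EXTENSIONS = (".pdf", ".docx")


def suspicious_run_entries(run_values, local_appdata):
    """Return names of Run-key values matching the ChromeUpdate persistence pattern."""
    chrome_dir = os.path.join(local_appdata, "Google Chrome").lower()
    flagged = []
    for name, command in run_values.items():
        if name.lower() == "chromeupdate" or chrome_dir in command.lower():
            flagged.append(name)
    return flagged


def archive_masquerading_as_document(path):
    """Return the archive type if a .pdf/.docx file starts with archive magic, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in DOCUMENT_EXTENSIONS:
        return None
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            # A genuine .docx is itself a ZIP container, so PK magic is normal there
            if ext == ".docx" and kind == "zip":
                return None
            return kind
    return None


def scan_documents(root):
    """Map each masquerading document under root to its real archive type."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            kind = archive_masquerading_as_document(os.path.join(dirpath, f))
            if kind:
                result[f] = kind
    return result


def demo():
    """Run both checks on constructed data; returns (flagged run names, masquerading files)."""
    local_appdata = r"C:\Users\victim\AppData\Local"          # constructed
    run_values = {                                             # constructed snapshot
        "OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "ChromeUpdate": r"C:\Users\victim\AppData\Local\Google Chrome\.hidden\run.bat",
    }
    with tempfile.TemporaryDirectory() as tmp:
        staged = Path(tmp) / "Google Chrome"
        staged.mkdir()
        (staged / "document.pdf").write_bytes(b"PK\x03\x04" + b"\x00" * 28)
        (staged / "document.docx").write_bytes(b"Rar!\x1a\x07\x01\x00")
        (staged / "real.pdf").write_bytes(b"%PDF-1.7\n")
        return suspicious_run_entries(run_values, local_appdata), scan_documents(tmp)


if __name__ == "__main__":
    runs, docs = demo()
    print("suspicious Run values:", runs)
    print("archives posing as documents:", docs)
```

The .docx special case matters in practice: Office Open XML files are ZIP containers, so a check that only compared extension against magic would flag every legitimate Word document in the user's profile.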

Indicators of Vietnamese Origin

Several indicators point to the Vietnamese origin of the threat actors. Beyond the language used in code comments, passwords containing @dev.vn domains and GitLab accounts with Vietnamese usernames further reinforce this attribution.

Implications and Recommendations

This campaign underscores the evolving landscape of cyber threats, where AI is increasingly utilized to enhance the sophistication and effectiveness of attacks. Organizations must remain vigilant and adopt comprehensive cybersecurity measures to defend against such advanced tactics.