TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

A Vietnamese threat actor's shift from PXA Stealer to PureRAT

2025-09-25

ATT&CK techniques detected

18 predictions
T1055.012 Process Hollowing
99%
“a .NET assembly that is decrypted using Base64 and an RC4 hardcoded key. The threat actor then uses process hollowing by launching a legitimate .NET utility, RegAsm.exe, in a suspended state. It unmaps the original executable code from the process’s memory, allocates a new reg…”
T1055.012 Process Hollowing
99%
“metadata contains a clue to who might be behind this attack. A contact field pointing to the Telegram handle @lonenone. This handle has been publicly associated with the PXA Stealer malware family, giving us a strong attribution link. Figure 8: Recreation of the archive creatio…”
T1055.001 Dynamic-link Library Injection
95%
“DLL is protected with .NET Reactor, a commercial obfuscator used to frustrate reverse engineering. Figure 15: DIE showing the assembly has been obfuscated by .NET Reactor. Static analysis is a dead end, so we turn to deobfuscation. Using an open-source tool called NetReactorSla…”
T1555.003 Credentials from Web Browsers
89%
“URL shorteners (is[.]gd) to dynamically fetch and execute the next payload, providing the threat actor with a flexible mechanism for updating their attack chain. Figure 6: Recreation of the loader for stage 2. Note the use of sys.argv[1] here; in our case, this is the a…”
T1059.006 Python
83%
“this functionality in our own Python script allows us to run this payload through dis again. Note: from here on, I have converted the dis output to source code to more easily explain the following sections. For an in-memory attack like this, the threat actor must ensure their …”
T1204.002 Malicious File
78%
“beginning this analysis, SentinelLabs and Beazley Security have published an excellent report covering stage 1 and 2. It’s well worth a read for additional context, though the material from stage 3 (PureRAT) remains unique to this write-up, so stick around for that. In-de…”
T1055.001 Dynamic-link Library Injection
76%
“key defense evasion techniques: Figure 11: FLOSS output of the .NET assembly. - AMSI patching: it patches the AmsiScanBuffer function in amsi.dll to prevent the Antimalware Scan Interface from inspecting dynamically loaded code. - ETW unhooking: it patches EtwEventWrite in nt…”
T1588.001 Malware
72%
“monitoring (e.g., browsers, Outlook, Telegram, Steam). It includes management tools like file, process, registry, network, and startup managers, plus capabilities for DDoS attacks, reverse proxying, .NET code injection, streaming bot management, and execution of files in memor…”
T1055.001 Dynamic-link Library Injection
69%
“→ XOR with key): Figure 13: CyberChef recipe to extract the next payload. Payload 8: this payload uses AES-256 and gzip decompression to unpack the ninth and final stage: a DLL named mhgljosy.dll. Instead of relying on traditional exports, the loader uses .NET reflection (a…”
T1055.001 Dynamic-link Library Injection
60%
“-ibck -y invoice.pdf C:\Users\Public && start C:\Users\Public\Windows\svchost.exe C:\Users\Public\Windows\lib\images.png adn_uzjomrp3vpmujoh4bot Payload 2: the Python script images.png (not images.png, the WinRAR binary) is a loader that contai…”
T1204.002 Malicious File
59%
“-coded stealer to a commercial RAT like PureRAT is significant. It lowers the barrier to entry for the attacker, giving them access to a stable, feature-rich, and “professionally” maintained toolkit without requiring extensive development effort. The impact is a more resilie…”
T1140 Deobfuscate/Decode Files or Information
54%
“uses certutil.exe to decode a Base64-encoded blob hidden inside a file named document.pdf, which results in a ZIP archive. It then uses a bundled, renamed copy of WinRAR (images.png) to extract the contents. From this secondary archive, the files are extracted to C:\Use…”
T1056.001 Keylogging
39%
“C2 is established, the RAT transitions into its primary function: a persistent tasking loop designed to receive and execute commands. Figure 31: Task loop awaiting further payloads. The task loop is fairly straightforward once unpacked: - (red) read the first 4 bytes to deter…”
T1027 Obfuscated Files or Information
38%
“-ibck -y invoice.pdf C:\Users\Public && start C:\Users\Public\Windows\svchost.exe C:\Users\Public\Windows\lib\images.png adn_uzjomrp3vpmujoh4bot Payload 2: the Python script images.png (not images.png, the WinRAR binary) is a loader that contai…”
T1033 System Owner/User Discovery
37%
“…cation of the method names. Figure 20: Obfuscated system enumeration. Once deobfuscated, we find that this consists of an exhaustive fingerprinting of the host machine, collecting a wealth of information before sending it back to the C2 server. Figure 21: Deobfuscated system e…”
T1055.001 Dynamic-link Library Injection
37%
“beginning this analysis, SentinelLabs and Beazley Security have published an excellent report covering stage 1 and 2. It’s well worth a read for additional context, though the material from stage 3 (PureRAT) remains unique to this write-up, so stick around for that. In-de…”
T1055.001 Dynamic-link Library Injection
36%
“A Vietnamese threat actor’s shift from PXA Stealer to PureRAT. Background: an investigation into what appeared at first glance to be a “standard” Python-based infostealer campaign took an interesting turn when it was discovered to culminate in the deployment of a full-featu…”
T1082 System Information Discovery
31%
“…cation of the method names. Figure 20: Obfuscated system enumeration. Once deobfuscated, we find that this consists of an exhaustive fingerprinting of the host machine, collecting a wealth of information before sending it back to the C2 server. Figure 21: Deobfuscated system e…”

Summary

Trace a threat actor's journey from custom Python stealers to a sophisticated commodity RAT. Learn how their tactics evolved and why this shift to .NET matters.