AI-Powered Job Scam Delivers PureRAT Malware Through Sophisticated Phishing Campaign


Introduction

A new phishing campaign linked to a Vietnamese threat actor is showing how artificial intelligence is reshaping cybercrime at street level. By abusing AI tools to generate polished scripts, detailed malware loaders, and convincing social engineering lures, the attacker has managed to distribute PureRAT malware through fake job offers. What makes this operation notable is not just the malware itself, but how AI has lowered the technical barrier, allowing relatively unsophisticated actors to deploy complex attack chains with professional-looking code and documentation.

Campaign Overview and Timeline

Security researchers from Trend Micro and Symantec began tracking the activity in December 2025. The campaign quickly stood out for its rapid evolution, frequent infrastructure changes, and unusually verbose code comments. Unlike traditional malware that prioritizes stealth, these tools appear almost instructional, suggesting they were heavily assisted—or directly produced—by AI systems trained on public coding and tutorial content.

Phishing Lures Aimed at Job Seekers

The attack begins with phishing emails disguised as legitimate job offers. Victims receive messages claiming to represent well-known brands such as OPPO, Samsung, Duolingo, and Henkel. These emails are carefully worded to appeal to job seekers, often referencing remote positions, marketing roles, or skill assessments that sound timely and realistic.

Malicious Attachments and Hosting Evolution

Early versions of the campaign relied on malicious ZIP and RAR attachments sent directly via email. More recent samples observed by Symantec shifted to cloud-hosted delivery, particularly using Dropbox links. This change helps bypass basic email security controls and increases the likelihood that recipients trust the download.

Deceptive File Naming Strategies

The downloaded archives use filenames designed to look authentic and urgent, such as “New_Remote_Marketing_Opportunity_OPPO_Find_X9_Series.zip” or “Duolingo_Marketing_Skills_Assessment_oct.rar.” These names closely mimic legitimate recruitment materials, increasing the chances that victims will open them on corporate or personal work machines.

Targeting Motive and Victim Profile

The broad, non-specific targeting suggests financial motivation rather than espionage. By compromising employees across different industries, the attacker likely aims to harvest corporate access that can later be sold on underground markets. This approach aligns with common initial-access broker activity rather than targeted intelligence collection.

DLL Side-Loading as the Entry Point

Once the archive is opened, the infection chain relies on DLL side-loading. Legitimate but outdated applications—such as Haihaisoft PDF Reader, older Microsoft Excel binaries, or Foxit PDF Reader—are repurposed as loaders. These trusted executables are bundled with malicious DLLs that execute when the application launches.

Disguised Executables and Malicious DLLs

Executables appear under misleading names like “Salary and Benefits Package.EXE” or “adobereader.exe.” The malicious DLLs use common system filenames such as oledlg.dll, msimg32.dll, version.dll, or profapi.dll, helping them blend into the Windows environment while loading attacker-controlled batch scripts.

AI-Generated Batch Scripts in Action

The batch scripts are one of the clearest indicators of AI assistance. In one example, the script hides inside the %LOCALAPPDATA%\Google Chrome directory, renames local files like “document.pdf” and “document.docx,” and repackages them into malicious archives. It then extracts payloads using hardcoded passwords such as “[email protected]” and executes a Python-based loader downloaded from a remote IP address.

Persistence and Cleanup Techniques

After execution, the script establishes persistence by creating a Run key entry labeled “ChromeUpdate.” To reduce suspicion, it opens a decoy PDF for the victim and restores the original documents, creating the illusion that nothing unusual occurred.

Linguistic Clues and AI Hallmarks

The scripts include Vietnamese-language comments like “:: Tạo thư mục ẩn nếu chưa tồn tại” (Create hidden folder if it does not exist) and neatly numbered steps. Some variants even use emojis in comments, such as “✅ Kiểm tra tồn tại” and “🔥 CHẠY VỚI WORKING DIRECTORY ĐÚNG,” a strong indicator of AI models trained on social media and tutorial-style content.

Python Loaders and HVNC Payloads

The Python-based loaders follow the same pattern, featuring highly structured comments and step-by-step annotations. They instruct the operator where to paste Base64-encoded shellcode and inject it into suspended InstallUtil.exe processes. These loaders are used to deploy HVNC components alongside PureRAT, expanding the attacker’s control capabilities.

Rotating Infrastructure and Delivery Channels

To stay resilient, the actor rotates infrastructure frequently. Observed delivery points include hardcoded IP addresses, GitLab repositories, Dropbox links, and custom domains such as ginten555333[.]com. This diversity complicates takedown efforts and shortens detection windows.

Attribution Clues Pointing to Vietnam

Several artifacts strongly suggest Vietnamese origin. Passwords frequently use the @dev.vn format, and strings like “[email protected]” and “[email protected]” appear repeatedly. The name “Hwanxkiem” is a reversed reference to Hoàn Kiếm, a district in Hanoi. GitLab usernames and recurring terms like “Huna” further reinforce this assessment.

Rapid Tool Refinement and Payload Chaining

The threat actor demonstrates fast iteration, refining scripts and chaining multiple payloads within short timeframes. By combining PureRAT with HVNC modules, the attacker increases both surveillance and monetization options once access is gained.

Broader Trend: AI Lowers the Barrier

This campaign aligns with broader industry observations. Symantec and other security vendors have noted that AI enables low-skill attackers to generate functional malware, complete with debugging output and instructional comments—features rarely seen in manually written malicious code.

Defensive Guidance and IOCs

Symantec has released indicators of compromise covering batch scripts, DLLs, payloads, and even benign lure files like text2pdf.exe. Organizations are advised to update endpoint protection, block suspicious cloud-hosted downloads, scan compressed archives, and monitor unusual activity in user application directories.
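As an added illustration of the behavioral monitoring recommended above (not code from the article or from either vendor), the following Python script runs three checks over constructed Sysmon-style events that mirror the chain described earlier: a known-name DLL (oledlg.dll, msimg32.dll, version.dll, profapi.dll) loaded from outside the Windows system directories, a Run key entry named “ChromeUpdate” or pointing into a user AppData directory, and InstallUtil.exe spawned by a Python interpreter. All paths, SIDs and event fields are assumptions built for the example.

```python
import ntpath
import re

# Constructed Sysmon-style events (not real telemetry): image loads (id 7),
# registry value sets (id 13) and process creations (id 1).
SAMPLE_EVENTS = [
    {"id": 7, "Image": r"C:\Users\a\Downloads\Salary and Benefits Package.EXE",
     "ImageLoaded": r"C:\Users\a\Downloads\oledlg.dll"},
    {"id": 7, "Image": r"C:\Program Files\Foxit\FoxitReader.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"id": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate",
     "Details": r"C:\Users\a\AppData\Local\Google Chrome\update.bat"},
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Users\a\AppData\Local\Google Chrome\python.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SIDELOAD_DLLS = {"oledlg.dll", "msimg32.dll", "version.dll", "profapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY = re.compile(r"\\currentversion\\run\\(?P<name>[^\\]+)$", re.I)
# The lure directory "Google Chrome" is not the real "Google\Chrome" path.
SUSPECT_DIR = "\\appdata\\local\\google chrome\\"

def classify(ev):
    """Return a finding label for one event, or None if nothing matched."""
    eid = ev["id"]
    if eid == 7:  # DLL with a system-library name loaded from a non-system path
        path = ev["ImageLoaded"].lower()
        if ntpath.basename(path) in SIDELOAD_DLLS and not path.startswith(SYSTEM_DIRS):
            return "dll_sideload:" + ntpath.basename(path)
    elif eid == 13:  # Run key named ChromeUpdate, or any Run value in AppData\Local
        m = RUN_KEY.search(ev["TargetObject"])
        if m and (m.group("name").lower() == "chromeupdate"
                  or "\\appdata\\local\\" in ev["Details"].lower()):
            return "run_key:" + m.group("name")
    elif eid == 1:  # InstallUtil.exe started by python*, or anything run from the lure dir
        child = ntpath.basename(ev["Image"]).lower()
        parent = ntpath.basename(ev["ParentImage"]).lower()
        if child == "installutil.exe" and parent.startswith("python"):
            return "installutil_from_python"
        if SUSPECT_DIR in ev["Image"].lower() or SUSPECT_DIR in ev["ParentImage"].lower():
            return "exec_from_lure_dir"
    return None

def scan(events):
    """Classify every event and return (index, label) pairs for the hits only."""
    return [(i, label) for i, ev in enumerate(events) if (label := classify(ev))]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(idx, label)
```

The benign events (a system-directory version.dll load and notepad.exe under explorer.exe) produce no finding, which is the point of keying on path and parent rather than on file names alone.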

Awareness Still Matters

Technical controls alone are not enough. Training employees to recognize job-related scams remains critical, especially as phishing emails become more polished and context-aware through AI assistance.

What Undercode Say:

This campaign is less about technical novelty and more about accessibility. AI has effectively democratized malware development, allowing attackers with limited expertise to produce attack chains that once required experienced developers. The presence of verbose comments, emojis, and instructional notes suggests these tools may even be reused or resold, turning malware into a semi-productized asset.

From a defensive perspective, this creates a paradox. While AI helps defenders automate detection and response, it also floods the threat landscape with higher volumes of “good enough” malware. Traditional heuristics that rely on sloppy code or obvious mistakes are becoming less reliable. Instead, defenders must look for behavioral signals—unexpected process injections, suspicious persistence mechanisms, and abnormal use of legitimate binaries.

The use of job-seeker lures is especially effective in today’s remote-first economy. Employees increasingly blur personal and professional boundaries, checking recruitment emails on corporate devices. That overlap creates fertile ground for initial access brokers. If this trend continues, we are likely to see AI-generated phishing kits sold as turnkey packages, further accelerating the pace of compromise.

Fact Checker Results

✅ Security firms Trend Micro and Symantec have publicly documented the campaign and its techniques.
✅ Technical indicators such as DLL side-loading, AI-like comments, and infrastructure rotation are consistent with observed samples.
❌ Direct attribution to a specific individual or group remains unconfirmed beyond circumstantial evidence.

Prediction

🤖 AI-assisted phishing and malware loaders will become standard among entry-level cybercriminals.
📧 Job-related lures will remain a high-success vector as economic uncertainty persists.
🛡️ Defenders will increasingly rely on behavior-based detection rather than static code analysis.


References:

Reported By: cyberpress.org
