The Vietnamese threat actor behind PXA Stealer has evolved its capabilities, deploying a sophisticated 10-stage attack chain culminating in PureRAT, a commercial .NET remote access trojan. The campaign demonstrates tactical maturity with DLL sideloading, multi-layer obfuscation, in-memory execution, and a progression from credential theft to full system surveillance, including hidden desktop access, webcam/microphone spying, and real-time keylogging.
After nine stages of obfuscation, the final payload reveals itself as PureRAT, a commercial .NET RAT using TLS-pinned C2, Protocol Buffers, and modular plugins for remote access and control.
Advanced .NET loader dynamically loads assemblies from memory, decrypts payloads on-the-fly, and invokes methods without touching disk, requiring a pivot from static to dynamic analysis techniques.
The campaign shifts from Python to compiled .NET executables using process hollowing for in-memory PE injection, AMSI patching, and ETW unhooking to evade detection and establish persistence.
Dissect PXA Stealer’s weaponized info-stealing payload that extracts Chrome credentials, cookies, and 2FA tokens using WMI for AV enumeration before exfiltrating everything via Telegram’s Bot API.
Uncover how a copyright phishing email delivers multi-stage Python malware through DLL sideloading, hidden archives, and Base64 obfuscation in this deep-dive intro to Python malware reverse engineering.
A polished YouTube video promoting a fake TradingView AI feature nearly fooled security analysts with professional branding and clever social engineering, delivering NetSupport RAT through PowerShell to target crypto wallets.
Comprehensive reference for static and dynamic malware analysis using Ghidra, x64dbg, and REMnux, including PDF analysis, unpacking techniques, and reverse engineering workflows. Tags: static-analysis, dynamic-analysis