Rat

Vietnamese threat actor behind PXA Stealer has evolved their capabilities, deploying a sophisticated 10-stage attack chain culminating in PureRAT—a commercial .NET remote access trojan. The campaign demonstrates tactical maturity with DLL sideloading, multi-layer obfuscation, in-memory execution, and progression from credential theft to full system surveillance including hidden desktop access, webcam/microphone spying, and real-time keylogging.

After nine stages of obfuscation, the final payload reveals itself as PureRAT, a commercial .NET RAT using TLS-pinned C2, Protocol Buffers, and modular plugins for remote access and control.