Evolved PXA Stealer wraps PureRAT in multi-layer obfuscation

Telegram and the Vietnamese infrastructure led to attribution: metadata within exfiltrated ZIP archives pointed to @LoneNone, a Telegram handle previously associated with PXA Stealer. That same alias had appeared in earlier Cisco and SentinelOne reporting, and Validin also tied PureRAT infrastructure to Vietnamese actors, researchers noted.

James Northey, SOC analyst and lead author of the report, emphasized the progression: “The Cisco report back in December shows a less sophisticated chain of events. What we (and SentinelOne) discovered is a clear progression in threat actor’s TTPs in a relatively short time frame (I found this in May). They were relatively unknown six months ago, and now they have some very stealthy malware being combined with a powerful commodity RAT.”

The convergence of multiple factors (Telegram infrastructure, Vietnamese C2 servers, and familiar operator tradecraft) gave Huntress confidence in linking the activity to PXA. The SOC team was able to remediate the intrusion before PureRAT modules could be fully deployed, researchers added.

Pham noted that this isn’t an isolated case. “More mid-tier groups are blending commodity malware with loaders, layering in obfuscation and defense bypasses that were once more closely associated with sophisticated threat actors. We expect to see more ‘commodity-plus’ campaigns where MaaS like PureRAT are wrapped in complex delivery chains,” she said.

Robert Knapp, director of SOC, Huntress, sees PXA’s evolving TTPs as part of the ongoing “cat and mouse” dynamic between defenders and threat actors. Pointing out a silver lining to this growing sophistication, he said, “This reflects what Huntress has seen throughout our existence, threat actors continuing to mature their tactics as a direct result of our defensive capabilities increasing in their effectiveness.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4063095/evolved-pxa-stealer-wraps-purerat-in-multi-layer-obfuscation.html
