PXA Stealer has been around as a Python-based infostealer tied to the Telegram alias @LoneNone, previously used for harvesting credentials and browser data.
Commodity malware wrapped in a fancy chain
PureRAT itself is not new: it is a commodity RAT marketed as a remote administration toolkit with features such as hidden desktop access (HVNC/HRDP), microphone and webcam spying, registry manipulation, and even cryptowallet monitoring. What distinguishes the PXA campaign is the elaborate delivery sequence built around it.
The infection began with a phishing lure disguised as a copyright infringement notice, ultimately pulling Python loaders hidden inside renamed executables, Huntress researchers said in a disclosure shared with CSO ahead of its publication on Thursday. Each stage unpacked or decrypted the next, layering Base64, AES, RC4, and XOR encoding on top of one another. Later stages shifted to .NET assemblies that use process hollowing and reflective loading to stay under the radar. By the time PureRAT was finally deployed, defenders had to untangle nearly a dozen payloads.
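To make the "each stage unwraps the next" pattern concrete, here is an added example that is not Huntress's analysis code or anything from the PXA chain itself: a small Python model of a loader whose payload is wrapped in several encoding layers, with the unwrap routine an analyst would write to peel them. The layer order, the XOR and RC4 keys, and the payload are constructed for the demo; in a real sample each key is recovered by reading the stage that consumes it. AES is left out so the script runs on the standard library alone.

```python
"""Peel a layered loader blob (constructed example, not the campaign's code).

Layers are listed outermost-first. Real samples hard-code the keys inside
each stage; here they are hypothetical constants so the script is runnable.
"""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; also its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Hypothetical layer stack: (layer name, key). Outermost layer first.
LAYERS = [
    ("base64", None),
    ("xor", b"\x5a"),
    ("rc4", b"loader-key"),
    ("base64", None),
]


def apply_layer(name: str, key, data: bytes, encode: bool) -> bytes:
    """Apply (encode=True) or remove (encode=False) one wrapping layer."""
    if name == "base64":
        return base64.b64encode(data) if encode else base64.b64decode(data)
    if name == "xor":
        return xor(key, data)
    if name == "rc4":
        return rc4(key, data)
    raise ValueError(f"unknown layer: {name}")


def pack(payload: bytes, layers=LAYERS) -> bytes:
    """Build a wrapped blob the way a loader author would: innermost layer first."""
    data = payload
    for name, key in reversed(layers):
        data = apply_layer(name, key, data, encode=True)
    return data


def unwrap(blob: bytes, layers=LAYERS) -> list:
    """Peel layers outermost-first, keeping every intermediate stage.

    Returning all stages (not just the last) matters for analysis: each
    intermediate is a separate artifact worth hashing and detecting on.
    """
    stages = [blob]
    for name, key in layers:
        stages.append(apply_layer(name, key, stages[-1], encode=False))
    return stages


def looks_like_native(data: bytes) -> bool:
    """Cheap check for a PE image (the .NET/native stages in such chains)."""
    return data[:2] == b"MZ"


# Constructed stand-in for the final stage; a real chain would end in a PE.
SAMPLE_PAYLOAD = b"print('next-stage stub (constructed sample)')"

if __name__ == "__main__":
    blob = pack(SAMPLE_PAYLOAD)
    for depth, stage in enumerate(unwrap(blob)):
        kind = "PE" if looks_like_native(stage) else "other"
        print(f"stage {depth}: {len(stage)} bytes ({kind}) {stage[:24]!r}")
```

The point of keeping every intermediate stage is that a chain like this yields several distinct artifacts, and a detection written against the final PureRAT binary alone misses the loaders that precede it.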