EXECUTIVE SUMMARY:
An operation has been identified in which a remote access trojan (RAT) known as PureRAT is being distributed through highly convincing phishing campaigns that leverage artificial intelligence to generate malicious scripts and social engineering lures. These campaigns typically impersonate legitimate job opportunity communications and are designed to entice recipients into interacting with malicious content that appears credible, exploiting trust and familiarity to facilitate initial access and subsequent compromise. The use of AI has enabled the attacker to craft more polished and deceptive code and messaging, lowering the barrier to entry for less skilled threat actors and increasing the overall effectiveness of the phishing efforts.
The attack chain begins with phishing emails impersonating legitimate job opportunities, often including links to downloadable archives hosted on popular cloud storage services. Once a recipient retrieves and opens these files, an embedded executable sideloads malicious code to initiate an infection chain that ultimately loads the PureRAT remote access trojan or auxiliary payloads such as hidden virtual network computing (VNC) tools. Analysis of the scripts used in this campaign reveals unmistakable markers of AI assistance: detailed comments, structured steps, and human-like scripting patterns suggest automated code generation. The malware deployment relies on DLL sideloading and script execution to establish persistence on compromised hosts, providing extensive capabilities for remote control, credential theft, and lateral movement within networks.
This emerging threat reflects a broader evolution in phishing tactics, where automation and AI are not only enhancing the believability of lures but also contributing directly to the development of malware toolsets. Organizations should recognize the dual nature of this risk: highly polished social engineering combined with AI-assisted malware delivery increases attack efficiency and reduces the barrier to entry for less experienced adversaries. Robust defensive measures, including advanced email filtering, user awareness training, and endpoint monitoring, are essential to mitigate the impact of such campaigns.
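The two host-side behaviours described above (an executable loading a DLL from the same user-writable directory it was extracted into, followed by the same process writing a Run key) can be correlated per process. The following is an added detection sketch, not code from the report; the event records, paths, PIDs and the DLL name are constructed samples, and the tags `dll_sideload` and `T1547.001` are assumed labels.

```python
"""Correlate DLL sideloading from a user-writable directory with Run-key
persistence by the same process, modelled on the PureRAT chain above."""
from collections import defaultdict
from dataclasses import dataclass

# Substrings marking locations an unprivileged user can write to (assumed list)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"   # T1547.001 location

@dataclass
class Event:
    kind: str     # "image_load" or "registry_set" (Sysmon-like, simplified)
    pid: int
    image: str    # path of the process performing the action
    target: str   # loaded DLL path, or registry value path that was written

def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def is_sideload_candidate(ev: Event) -> bool:
    """EXE in a user-writable directory loading a DLL from that same directory."""
    if ev.kind != "image_load" or not ev.target.lower().endswith(".dll"):
        return False
    exe_dir = ev.image.lower().rsplit("\\", 1)[0]
    dll_dir = ev.target.lower().rsplit("\\", 1)[0]
    return in_user_writable(ev.image) and exe_dir == dll_dir

def is_run_key_persistence(ev: Event) -> bool:
    return ev.kind == "registry_set" and RUN_KEY in ev.target.lower()

def correlate(events):
    """Return {pid: tags} only for processes showing BOTH behaviours."""
    tags = defaultdict(set)
    for ev in events:
        if is_sideload_candidate(ev):
            tags[ev.pid].add("dll_sideload")
        if is_run_key_persistence(ev):
            tags[ev.pid].add("T1547.001")
    return {pid: t for pid, t in tags.items() if len(t) == 2}

SAMPLE_EVENTS = [  # constructed sample telemetry, not campaign indicators
    Event("image_load", 4120, r"C:\Users\ana\Downloads\JobOffer\Resume.exe",
          r"C:\Users\ana\Downloads\JobOffer\libhelper.dll"),
    Event("registry_set", 4120, r"C:\Users\ana\Downloads\JobOffer\Resume.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("image_load", 1880, r"C:\Program Files\Vendor\app.exe",
          r"C:\Windows\System32\libhelper.dll"),          # benign system load
    Event("registry_set", 2204, r"C:\Windows\explorer.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))   # only pid 4120 carries both tags
```

In production the same correlation would be keyed on process GUID rather than PID and joined with the parent-process and archive-extraction context the report describes.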
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.001 | Obfuscated Files or Information | Binary Padding |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | - |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Anti-Behavioral Analysis | B0009 | Virtual Machine Detection |
| Collection | E1056 | Input Capture |
| Collection | E1113 | Screen Capture |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Discovery | B0013 | Analysis Tool Discovery |
| Discovery | E1083 | File and Directory Discovery |
| Execution | B0011 | Remote Commands |
| Exfiltration | E1020 | Automated Exfiltration |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further technical details: