A new wave of cyberattacks has been detected targeting job seekers worldwide, driven by a Vietnamese threat actor who appears to be using Artificial Intelligence (AI) to automate and refine their malicious toolset. The campaign, which masquerades as legitimate job offers, delivers PureRAT and other malware payloads designed to gain a foothold in corporate networks.
A new report from Symantec's Threat Hunter Team reveals that the attacker is leveraging AI not just to write phishing emails but to generate the very code that powers the attack.
The most striking feature of this campaign is the code itself. Analysts found distinct markers of AI generation within the malicious scripts used to infect victims.
“Multiple tools used by the attacker bear hallmarks of having been developed using AI, such as detailed comments and numbered steps in scripts, and instructions to the attacker in debug messages,” the report states.
In one batch script analyzed by the team, the code was filled with “detailed comment[s] in Vietnamese,” a level of documentation that is “rare outside of scripts authored using AI, particularly in malicious files, which usually contain no comments or minimal comments”.
Some scripts even contained helpful reminders for the attacker, such as “Remember to paste the base64-encoded HVNC shellcode here”. This “unusual coding style strongly suggests that generative AI tools were utilized during the malware’s development”.
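The hallmarks quoted above (dense comments, numbered steps, notes addressed to the operator in comments or debug output) can be turned into a rough triage heuristic for incoming samples. The block below is an added example written for this page, not a tool from the Symantec report: it scores a Windows batch script on comment density, numbered-step comments and operator-facing phrases. Both sample scripts are constructed, and the thresholds are assumptions. Treat the score as a prioritisation hint, not a detection: a well-documented admin script will trip it, and an attacker who reads this can strip the comments in seconds.

```python
"""Triage heuristic for the AI-authoring hallmarks described above.

Added example for this page, not a tool from the Symantec report. Sample
scripts are constructed; thresholds are assumptions, not published values.
"""
import re

# Batch comments start with REM or ::
COMMENT_RE = re.compile(r"^\s*(?:rem\b|::)(.*)$", re.IGNORECASE)
# Numbered steps inside comments: "Step 1:", "2.", "3)"
STEP_RE = re.compile(r"\b(?:step\s*)?\d+[.):]\s", re.IGNORECASE)
# Phrases that address the operator rather than the victim machine
OPERATOR_HINT_RE = re.compile(
    r"\b(remember to|paste .* here|replace .* with|todo)\b", re.IGNORECASE
)
ECHO_RE = re.compile(r"^\s*echo\b", re.IGNORECASE)


def score_batch_script(text: str) -> dict:
    """Return comment density, numbered-step count, operator-hint count and a flag."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    comments = [m.group(1) for ln in lines if (m := COMMENT_RE.match(ln))]
    ratio = len(comments) / len(lines) if lines else 0.0
    numbered = sum(1 for c in comments if STEP_RE.search(c))
    hints = sum(1 for c in comments if OPERATOR_HINT_RE.search(c))
    # debug/echo output that instructs the operator ("remember to ...")
    hints += sum(1 for ln in lines if ECHO_RE.match(ln) and OPERATOR_HINT_RE.search(ln))
    # Assumed thresholds: dense comments plus either a step sequence or an operator note
    flag = ratio >= 0.3 and (numbered >= 3 or hints >= 1)
    return {
        "comment_ratio": round(ratio, 2),
        "numbered_steps": numbered,
        "operator_hints": hints,
        "flag": flag,
    }


# Constructed sample modelled on the style the report describes (not the real script)
AI_STYLE = r"""
@echo off
REM Step 1: Create the hidden working directory
mkdir "%LOCALAPPDATA%\Google Chrome"
attrib +h "%LOCALAPPDATA%\Google Chrome"
REM Step 2: Rename the staged documents to their real names
ren "%LOCALAPPDATA%\Google Chrome\document.pdf" huna.zip
ren "%LOCALAPPDATA%\Google Chrome\document.docx" huna.exe
REM Step 3: Launch the renamed executable
REM Remember to paste the base64-encoded payload here
start "" "%LOCALAPPDATA%\Google Chrome\huna.exe"
echo [DEBUG] Step 3 done - remember to replace the C2 URL with the live one
"""

# Constructed sample in the terse, comment-free style typical of malicious batch files
TERSE = r"""
@echo off
mkdir "%LOCALAPPDATA%\Google Chrome"
attrib +h "%LOCALAPPDATA%\Google Chrome"
ren "%LOCALAPPDATA%\Google Chrome\document.pdf" huna.zip
ren "%LOCALAPPDATA%\Google Chrome\document.docx" huna.exe
start "" "%LOCALAPPDATA%\Google Chrome\huna.exe"
"""

if __name__ == "__main__":
    for name, sample in (("ai_style", AI_STYLE), ("terse", TERSE)):
        print(name, score_batch_script(sample))
```

The first sample scores roughly a third of its lines as comments with three numbered steps and two operator notes, so it is flagged; the second, functionally identical script has no comments at all and is not. That difference is exactly the report's observation, and also its limitation: the signal lives entirely in text the author can delete.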
The attack begins with a classic social engineering tactic: the promise of a job. Victims receive emails with lures like “New_Remote_Marketing_Opportunity_OPPO_Find_X9_Series.zip” or “Duolingo_Marketing_Skills_Assessment_oct.zip”.
Instead of attaching malicious files directly, the attacker has shifted tactics. “Recent examples seen by Symantec were hosted on Dropbox, with the phishing emails likely containing links and instructions to download the file”. The goal is to bypass email security filters by using trusted cloud services.
Once downloaded, the archives initiate a complex infection chain. The malware goes to great lengths to remain undetected. One analyzed script creates a hidden directory in %LOCALAPPDATA%\Google Chrome and renames malicious files to look like harmless documents.
“It then takes locally saved, innocuously named document.pdf and document.docx files and renames them to huna.zip and huna.exe”.
By sideloading malicious DLLs through legitimate-looking executables—such as “Salary and Benefits Package.EXE” or even a renamed version of 7zip—the attacker executes Python code that fetches the final payload from a command-and-control server.
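The staging behaviour in the three paragraphs above (a hidden folder under %LOCALAPPDATA%, documents renamed to an archive and an executable) is straightforward to hunt for in file-event telemetry. The block below is an added example, not code from the report or from the attacker: it runs two checks over a constructed, Sysmon-like list of file events whose field names are assumptions. One caveat worth stating: Chrome keeps its per-user data in %LOCALAPPDATA%\Google\Chrome, so a single folder literally named Google Chrome directly under %LOCALAPPDATA% is not something the browser creates. The example generalises that observation to a short, assumed list of vendor\product pairs.

```python
"""Hunt for the file-staging pattern described above in file-event logs.

Added example for this page, not code from the Symantec report or the attacker.
The event records are constructed and Sysmon-like; field names are assumptions.
"""
import re
from pathlib import PureWindowsPath

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXEC_EXTS = {".exe", ".dll", ".zip", ".bat", ".cmd", ".ps1", ".scr", ".js"}

# Real per-user data lives in VENDOR\PRODUCT under AppData\Local (Chrome: Google\Chrome).
# A single folder directly under Local whose name is the pair run together
# ("Google Chrome", "GoogleChrome") is not created by the genuine product.
LEGIT_NESTED = [("Google", "Chrome"), ("Microsoft", "Edge"), ("Mozilla", "Firefox")]

# First path component after ...\AppData\Local\
LOCAL_CHILD_RE = re.compile(r"\\AppData\\Local\\([^\\]+)(?:\\|$)", re.IGNORECASE)


def masquerading_dir(path: str):
    """Return the folder name if PATH sits in a fake vendor-product folder, else None."""
    m = LOCAL_CHILD_RE.search(path)
    if not m:
        return None
    child = m.group(1)
    squashed = child.replace(" ", "").lower()
    for vendor, product in LEGIT_NESTED:
        if squashed == (vendor + product).lower():
            return child
    return None


def doc_to_exec_rename(src: str, dst: str) -> bool:
    """True when a document-looking file is renamed to an executable or archive."""
    return (PureWindowsPath(src).suffix.lower() in DOC_EXTS
            and PureWindowsPath(dst).suffix.lower() in EXEC_EXTS)


def analyze(events):
    """Return (path, [reasons]) for every event matching at least one check."""
    findings = []
    for ev in events:
        target = ev.get("dst") or ev["src"]
        reasons = []
        if ev["op"] == "rename" and doc_to_exec_rename(ev["src"], target):
            reasons.append("document renamed to executable/archive")
        fake = masquerading_dir(target)
        if fake:
            reasons.append(f"fake product folder directly under AppData\\Local: {fake!r}")
        if (ev["op"] == "mkdir" and "hidden" in ev.get("attrs", ())
                and "\\appdata\\local\\" in target.lower()):
            reasons.append("hidden directory created under AppData\\Local")
        if reasons:
            findings.append((target, reasons))
    return findings


# Constructed events: three staging steps from the described chain plus two benign ones
SAMPLE_EVENTS = [
    {"op": "mkdir", "src": r"C:\Users\bob\AppData\Local\Google Chrome", "attrs": ["hidden"]},
    {"op": "rename", "src": r"C:\Users\bob\AppData\Local\Google Chrome\document.pdf",
     "dst": r"C:\Users\bob\AppData\Local\Google Chrome\huna.zip"},
    {"op": "rename", "src": r"C:\Users\bob\AppData\Local\Google Chrome\document.docx",
     "dst": r"C:\Users\bob\AppData\Local\Google Chrome\huna.exe"},
    {"op": "mkdir", "src": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data", "attrs": []},
    {"op": "rename", "src": r"C:\Users\bob\Documents\report_draft.docx",
     "dst": r"C:\Users\bob\Documents\report_final.docx"},
]

if __name__ == "__main__":
    for path, reasons in analyze(SAMPLE_EVENTS):
        print(path)
        for r in reasons:
            print("   -", r)
```

Each of the three staging events is caught by two independent checks, while the genuine Google\Chrome\User Data folder and an ordinary document rename produce nothing. In production the rename check alone will have false positives (users do rename files carelessly), so the folder check and the hidden attribute are what lift a hit to investigation priority.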
The attribution points strongly to a Vietnam-based actor. The password huna@dev.vn appears in multiple scripts, and the name “Huna” is consistently used in filenames. Other indicators include the use of “Hwanxkiem,” a likely phonetic variation of Hoàn Kiếm, a famous district in Hanoi.
While the technical sophistication suggests a capable operator, the motivation appears purely financial. “The motivation behind the attacks is more likely to be cybercrime than espionage,” the report concludes. “The attacker may be casting their net for jobseekers… to obtain a foothold on these networks in order to sell access on to other attackers”.