A Vietnamese threat actor is using AI to code malware that targets job seekers worldwide, delivering PureRAT and other payloads to gain a foothold in corporate networks under the guise of legitimate job offers. According to the Threat Hunter Team, the attacker uses AI not only to write phishing emails but also to generate the actual attack code, with scripts bearing Vietnamese comments and numbered steps.
The campaign relies on social engineering, sending lures such as remote marketing opportunities and skill-assessment zip files, with links hosted on Dropbox to bypass email security. Once opened, the infection chain hides in %LOCALAPPDATA%\Google Chrome, renaming files to huna[.]zip and huna[.]exe, and sideloads malicious DLLs through legitimate-looking executables to fetch the final payload from a command-and-control server.
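A triage sketch for the staging behaviour described above, added here as an example and not taken from the report: it scores file paths from endpoint telemetry against the reported folder and file names. The pipe-delimited event format, host names, timestamps and example.dll are constructed for illustration.

```python
import ntpath

# Indicators as reported in the text above (file names are defanged there).
# Genuine Chrome lives under ...\Local\Google\Chrome, not ...\Local\Google Chrome.
STAGING_DIR = ("appdata", "local", "google chrome")
STAGED_NAMES = {"huna.zip", "huna.exe"}

# Constructed sample events: timestamp|host|file path
SAMPLE_EVENTS = [
    r"2025-01-01T09:00:01Z|WS-01|C:\Users\alice\AppData\Local\Google Chrome\huna.zip",
    r"2025-01-01T09:00:03Z|WS-01|C:/Users/alice/AppData/Local/Temp/../Google Chrome/huna.exe",
    r"2025-01-01T09:00:09Z|WS-01|%LOCALAPPDATA%\Google Chrome\example.dll",
    r"2025-01-01T09:02:00Z|WS-02|C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe",
    r"2025-01-01T09:05:00Z|WS-03|C:\Users\carol\Downloads\huna.zip",
]


def classify(path):
    """Return 'high', 'medium', 'low' or None for one Windows file path."""
    p = path.replace("[.]", ".").lower()
    # Treat an unexpanded variable like a real per-user profile path.
    p = p.replace("%localappdata%", "c:/users/unknown/appdata/local")
    # normpath folds '/' into backslashes and resolves '..' segments.
    parts = ntpath.normpath(p).split("\\")
    in_dir = any(tuple(parts[i:i + 3]) == STAGING_DIR
                 for i in range(len(parts) - 2))
    named = parts[-1] in STAGED_NAMES
    if in_dir and named:
        return "high"      # reported folder and reported file name together
    if in_dir:
        return "medium"    # anything else written to the look-alike folder
    if named:
        return "low"       # reported file name seen elsewhere
    return None


def hunt(events):
    """Return (host, severity, path) for every event that matches."""
    hits = []
    for line in events:
        _, host, path = line.split("|", 2)
        severity = classify(path)
        if severity:
            hits.append((host, severity, path))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(*hit, sep="\t")
```

The legitimate Chrome install path on WS-02 is deliberately left unflagged, since the reported folder differs from it only by a space in place of a path separator.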
The attribution points to a Vietnam-based actor, with the password huna@dev[.]vn appearing across scripts and the name “Huna” used in filenames. The report concludes that the attacker appears to be motivated by cybercrime rather than espionage, seeking to recruit job seekers in order to gain network access for resale.