PXA Stealer has been around as a Python-based infostealer, tied to the Telegram alias @LoneNone, and previously used for harvesting credentials and browser data.
Commodity malware wrapped in a complex chain
PureRAT itself is not new–it’s a commodity RAT marketed as a remote administration toolkit with features like hidden desktop access (HVNC/HRDP), microphone and webcam spying, registry management, and even cryptowallet monitoring. But what distinguishes the PXA campaign is the elaborate delivery sequence that surrounded it.
The infection began with a phishing lure disguised as a copyright infringement notice, ultimately pulling Python loaders hidden inside renamed executables, Huntress researchers said in a disclosure shared with CSO ahead of its publication on Thursday. Each stage unpacked or decrypted the next, layering Base84, AES, RC4, and XOR encoding on top of one another. Later phases shifted to .NET assemblies that process hallowing and reflective loading to stay under the radar. By the time PureRAT was finally deployed, defenders had to untangle nearly a dozen payloads.