In an ongoing phishing campaign that spreads the PureRAT malware through fictitious job opportunities, a Vietnamese cybercrime group uses artificial intelligence to write malicious code. The campaign, which was first discovered in December 2025, is an alarming development in threat actor capabilities since it uses machine-generated attack tools and social engineering techniques to compromise organizations all over the world.

Phishing emails posing as genuine job offers from reputable companies are the first step in the attacks. These messages include ZIP archives named after job-related subjects, like "New_Remote_Marketing_Opportunity_OPPO_Find_X9_Series.zip" or "Salary and Benefits Package.zip." Recipients who open these archives set off an infection chain that ultimately installs malicious payloads such as hidden virtual network computing (HVNC) tools or PureRAT. The campaign's targeting of a wide range of businesses in several industries raises the possibility that the attackers are not engaging in targeted espionage but rather selling access to compromised networks.

Symantec researchers found several signs that the malicious scripts were produced using artificial intelligence after examining the attack tools. The Python code and batch files included numbered instructions, thorough Vietnamese-language comments outlining each step, and even code remarks with emoji symbols, features frequently found in AI-generated programming. The AI authorship is especially clear because manually written malware scripts seldom have this level of documentation.

The malicious archives usually contain legitimate executables that have been modified for DLL sideloading attacks. Files like "adobereader.exe" or "Salary_And_Responsibility_Table.exe" are used to load malicious DLLs such as oledlg.dll, msimg32.dll, version.dll, and profapi.dll.
Throughout the infection process, these DLLs establish persistence and maintain stealth by serving as loaders for the final payload.

How Persistence Is Established by PureRAT

After it is run, the malicious batch script hides its existence from users by creating a hidden directory under the Windows %LOCALAPPDATA%\Google Chrome folder. After renaming innocuous-looking files like "document.pdf" and "document.docx" into archive formats, the script uses embedded compression tools with the password "huna@dev.vn" to extract the contents before running a Python-based payload. This payload retrieves malicious code encoded in Base64 from distant command-and-control servers run by the attackers.

To maintain long-term access, the malware adds itself to the Windows Registry Run key under the name "ChromeUpdate" so that it runs automatically each time the system boots up. After establishing persistence, the script opens a genuine PDF document from the hidden directory, tricking victims into thinking they have just opened a regular file. This lowers suspicion and lets the malware steal data or gain remote access to the compromised system without being discovered.

Beyond the language used in code comments, there are several indicators that point to the threat actor's Vietnamese origin. The attribution is strengthened by GitLab accounts with Vietnamese usernames and passwords with "-dev.vn" domains. Symantec Endpoint products now offer defense against this dynamic threat campaign by identifying and blocking the malicious files.
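
The sideloading and persistence behaviour described above, expressed as triage logic over endpoint events. This is an added example, not Symantec's detection or code from the campaign; the event field names, the sample events and the `<payload>` path component are constructed, and treating the four DLL names as suspicious whenever they load from outside System32/SysWOW64 is a heuristic of this example.

```python
import ntpath

# DLL names, Run value name and lure folder come from the article.
# Event field names ("type", "dll", "key", ...) are assumptions of this example.
SIDELOAD_DLLS = {"oledlg.dll", "msimg32.dll", "version.dll", "profapi.dll"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
LURE_DIR = "\\appdata\\local\\google chrome\\"  # genuine Chrome uses ...\Google\Chrome\
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"

def triage(events):
    """Return (rule, detail) findings for a list of endpoint event dicts."""
    findings = []
    for ev in events:
        if ev["type"] == "image_load":
            # A system DLL name loaded from beside the executable is the
            # sideloading pattern; the same name from System32 is normal.
            dll_dir, dll_name = ntpath.split(ev["dll"].lower())
            if dll_name in SIDELOAD_DLLS and dll_dir not in SYSTEM_DIRS:
                findings.append(("sideload", ev["dll"]))
        elif ev["type"] == "registry_set" and ev["key"].lower().endswith(RUN_KEY):
            # Flag the value name from the article, or any autorun that
            # points into the look-alike "Google Chrome" folder.
            named = ev["value"].lower() == "chromeupdate"
            in_lure = LURE_DIR in ev["data"].lower()
            if named or in_lure:
                findings.append(("run_key", ev["value"] + " -> " + ev["data"]))
    return findings

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [  # constructed for this example, not captured telemetry
    {"type": "image_load", "process": r"C:\Users\amy\Downloads\job\adobereader.exe",
     "dll": r"C:\Users\amy\Downloads\job\version.dll"},
    {"type": "image_load", "process": r"C:\Program Files\App\app.exe",
     "dll": r"C:\Windows\System32\version.dll"},
    {"type": "registry_set", "key": RUN, "value": "ChromeUpdate",
     "data": r"C:\Users\amy\AppData\Local\Google Chrome\<payload>"},
    {"type": "registry_set", "key": RUN, "value": "OneDrive",
     "data": r"C:\Users\amy\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(rule, detail)
```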