{"id":4283,"date":"2026-01-28T12:38:07","date_gmt":"2026-01-28T12:38:07","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/01\/28\/emojis-in-purerats-code-point-to-ai-generated-malware-campaign\/"},"modified":"2026-01-28T12:38:07","modified_gmt":"2026-01-28T12:38:07","slug":"emojis-in-purerats-code-point-to-ai-generated-malware-campaign","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/01\/28\/emojis-in-purerats-code-point-to-ai-generated-malware-campaign\/","title":{"rendered":"Emojis in PureRAT\u2019s Code Point to AI-Generated Malware Campaign"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/localimages\/cb531640-ce34-4e47-96c8-4a9f811ec92a.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Danny  Palmer \" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>An ongoing trojan malware campaign designed to take control of systems and steal sensitive information is being generated with the aid of AI, researchers have said.<\/p>\n<p>PureRAT is a full-featured remote access trojan (RAT) and infostealer which first emerged last year. It has recently been spotted being distributed via malicious links in phishing emails which pose as job opportunities.<\/p>\n<p>Analysis by Symantec and Carbon Black Threat Hunter Team has concluded that the cybercriminals behind PureRAT are using AI tools to write scripts and code. One of the reasons for this conclusion is that sections of the code powering PureRAT contain emojis.<\/p>\n<p>\u201cMany AIs have a tendency to insert emojis in code comments because they\u2019ve been trained using data from social platforms such as Reddit,\u201d researchers said.<\/p>\n<p>In addition, sections of the code appear to contain explanatory comments, debug messages and reminders. 
For example, one section of the code contains the line \u201cRemember to paste the base64-encoded HVNC shellcode here\u201d.<\/p>\n<p>It\u2019s likely that these are instructions by an AI tool which those behind PureRAT have failed to remove from the scripts.<\/p>\n<p>\u201cAside from Emojis, detailed comments on nearly every line of the script are usually a giveaway that it\u00a0was authored by AI. While we do see attackers occasionally\u00a0leaving notes for themselves, we&#8217;d hardly ever see something like a full sentence,\u201d Dick O\u2019Brien,\u00a0principal intelligence analyst for the Symantec and Carbon Black Threat Hunter Team, told <em>Infosecurity<\/em>.<\/p>\n<p>Nonetheless, despite the leftover AI-generated instructions, PureRAT is a potent, widely distributed malware threat. The malware provides cybercriminals with the ability to stealthily maintain a remote presence on an infected machine, which the attackers can use to either steal data for themselves or sell access to compromised machines to others.<\/p>\n<p>\u201cThe attacker may be casting their net for jobseekers in multiple countries in the hope that they open the emails on their work computer,\u201d said the research paper.<\/p>\n<p>\u201cThe attacker\u2019s usage of AI provides further evidence that the technology is being used by lower-skilled attackers to assist with developing tools and automating their attacks,\u201d it added.<\/p>\n<p>According to Symantec and Carbon Black, there is evidence that the attacker behind PureRAT is based in Vietnam. This conclusion has been reached because of the use of the Vietnamese language throughout the scripts, both in the code and in the comments left by AI tools. There are also references to Hanoi, the Vietnamese capital.<\/p>\n<p>PureRAT isn\u2019t the first malicious cyber operation to emerge from Vietnam. 
In recent years, several cybercriminal campaigns have been attributed to cyber gangs working out of the country \u2013 including one which distributed malware via adverts for fake AI video generation tools.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>An ongoing trojan malware campaign designed to take control of systems and steal sensitive information is being generated with the aid of AI, researchers have said. PureRAT is a full-featured remote access trojan (RAT) and infostealer which first emerged last year. It has recently been spotted being distributed via malicious links in phishing emails which<\/p>\n","protected":false},"author":2,"featured_media":4284,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4283","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4283-578a613d-ac22-4b15-9334-cf01d8a5ad09.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4283-578a613d-ac22-4b15-9334-cf01d8a5ad09-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4283-578a613d-ac22-4b15-9334-cf01d8a5ad09.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4283-578a613d-ac22-4b15-9334-cf01d8a5ad09.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4283-578a613d-ac22-4b15-9334-cf01d8a5ad09.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4283-578a613d-ac22-4b15-9334-cf01d8a5ad09.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4283-578a613d-ac22-4b15-9334-cf01d8a5ad09.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4283-578a613d-ac22-4b15-9334-cf01d8a
5ad09.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4283-578a613d-ac22-4b15-9334-cf01d8a5ad09.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4283-578a613d-ac22-4b15-9334-cf01d8a5ad09.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4283-578a613d-ac22-4b15-9334-cf01d8a5ad09-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4283","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4283"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4283\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4284"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4283"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4283"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4283"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}