Attack flow | Image: Fortinet
The use of steganography, the ancient art of hiding secret messages inside seemingly ordinary files, is experiencing a massive renaissance in the modern threat landscape.
A new technical advisory published by FortiGuard Labs warns organizations that cybercriminals are rapidly shifting away from obvious, highly monitored encrypted network transfers. Instead, they are embracing a stealthier operational blueprint. As the FortiGuard Labs team details in the opening of their report:
“The use of steganography in the threat landscape continues to accelerate. Threat actors are increasingly shifting from direct encrypted transfers to a ‘legitimate-file-plus-hidden-data’ model, effectively masking their next-stage payloads within everyday media.”
The latest campaign uncovered by researchers perfectly illustrates this trend, tracking a sophisticated multi-stage infection chain that weaponizes innocent cat pictures to quietly drop an evolved variant of the PureLogs information stealer.
The attack vector relies on classic invoice-themed phishing lures engineered to manufacture a false sense of urgency, forcing recipients to bypass standard security protocols.
Victims receive an email containing a heavily compressed archive attachment formatted as a .TXZ file (an XZ-compressed TAR archive). If an employee decompresses and opens the archive, they expose their system to a malicious standalone JavaScript (.JS) or VBScript (.VBS) payload.
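As an added illustration of the gateway-side check this stage invites (example code written for this article, not Fortinet's or FortiGuard Labs' tooling): open the XZ-compressed TAR in memory, list its members, and flag standalone script files and double extensions. The sample archive is constructed inline; the script extensions beyond the .JS and .VBS named in the advisory, and the "Invoice_4471.pdf.js" filename, are assumptions for the demonstration.

```python
import io
import lzma
import tarfile

# .js and .vbs come from the advisory; the other entries are an assumption
# (common Windows Script Host / HTA extensions), not taken from the report.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def build_sample_txz(members):
    """Constructed sample: an XZ-compressed TAR shaped like the lure attachment."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_txz(blob):
    """Return findings for a .txz attachment without extracting it to disk."""
    findings = []
    try:
        tar = tarfile.open(fileobj=io.BytesIO(blob), mode="r:xz")
    except (tarfile.TarError, lzma.LZMAError, EOFError) as exc:
        return [f"unreadable archive: {exc}"]
    with tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            basename = m.name.lower().rsplit("/", 1)[-1]
            parts = basename.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in SCRIPT_EXTENSIONS:
                findings.append(f"{m.name}: standalone script ({ext})")
                if len(parts) > 2:  # e.g. invoice.pdf.js masquerading as a PDF
                    findings.append(f"{m.name}: double extension")
            # Member names that escape the extraction directory are a red flag too.
            if m.name.startswith(("/", "..")) or "/../" in m.name:
                findings.append(f"{m.name}: path traversal in member name")
    return findings


if __name__ == "__main__":
    sample = build_sample_txz({"Invoice_4471.pdf.js": b"var x = 1;",
                               "readme.txt": b"plain text"})
    for finding in scan_txz(sample):
        print(finding)
```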
Rather than executing noisy commands directly through the command-line console (which would instantly trip modern behavior-based endpoint detection and response (EDR) agents), the script employs a clever defensive workaround. It temporarily writes its decoded malicious commands straight into the host system's environment variables. This allows the malware to stage subsequent execution phases out of volatile memory without writing obvious, signature-heavy text scripts to the hard drive.
Once the environment variable layer executes, it triggers the downloading and instantiation of PawsRunner, a custom, highly specialized steganography loader written in the .NET framework.
PawsRunner is not designed to steal data itself; its singular purpose is to act as a stealthy, unvetted delivery vehicle. The loader initiates an outbound HTTPS connection to pull down a legitimate-looking image asset from the web, specifically a benign digital picture of a cat.
While the file renders flawlessly as an ordinary picture if an administrator opens it, the pixel data hides a secret. PawsRunner parses the raw binary structure of the image, locates the offsets where the encrypted data is stored, and extracts the payload. FortiGuard Labs summarizes this multi-layered process in their technical conclusion:
“We uncovered an attack campaign involving a new steganography loader, PawsRunner, to deliver the well-known .NET infostealer, PureLogs. The infection chain begins with a phishing email that delivers a TXZ archive. The embedded JavaScript uses a sophisticated technique to store decoded malicious commands in environment variables, which then triggers a decrypted steganographic .NET loader. This loader retrieves the final payload by extracting encrypted data hidden within a cat image.”
The ultimate cargo extracted from the cat image is an advanced build of PureLogs, a prominent .NET-based information stealer engineered for maximum data harvesting speed.
Once reflectively loaded into system memory, PureLogs systematically sweeps the local host. It targets web browsers to lift saved credentials, session cookies, and autofill forms, while simultaneously searching local directories for Discord authentication tokens, configuration files, and cryptocurrency wallets.
This latest iteration of PureLogs utilizes intensive asynchronous (async/await) programming patterns to multitask its data gathering routines, allowing it to complete its entire loop and exfiltrate the compressed data back to its primary C2 node (5.101.84.202:8996) via structured POST requests in a matter of seconds.