Infection chain for PureLog Stealer | Image: TrendMicro
A highly organized malware campaign is currently stalking key industries by weaponizing something every professional fears: a legal notice. Researchers at Trend Micro have uncovered a sophisticated delivery chain for PureLog Stealer, an information stealer that uses multi-stage evasion tactics to harvest credentials, cryptocurrency wallets, and sensitive system data.
What makes this campaign stand out is its selective nature. As the researchers put it, “The localized delivery and industry-focused victim profile points to selective targeting rather than indiscriminate mass distribution,” with primary hits observed in the healthcare, government, and education sectors across Germany, Canada, and the United States.
The attack begins with a classic social engineering trick. Victims receive phishing emails that lure them into clicking a link—avoiding direct attachments to keep the malware’s hosting centralized and under attacker control.
These lures are cleverly localized. For instance, German targets see a file named Dokumentation über Verstöße gegen Rechte des geistigen Eigentums.exe (Documentation on Intellectual Property Rights Violations). Once the victim executes the file, a decoy PDF opens to distract them while the infection silently takes root in the background.

The delivery chain is a masterclass in obfuscation. The malware downloads an encrypted payload disguised as a PDF (e.g., invoice.pdf), but it doesn’t carry the decryption key. Instead, it “retrieves the decryption password remotely from attacker-controlled infrastructure”.
Even more unusual is the extraction method. The campaign avoids built-in decryption code, instead abusing a “renamed WinRAR utility disguised as a PNG image to extract the payload”. This infrastructure-controlled model ensures that analysts cannot unlock the payload without active network access to the attacker’s server.
Once extracted, the payload launches a Python-based loader—disguised as a system binary—that performs a critical “housekeeping” task: it disables Windows Defender’s Antimalware Scan Interface (AMSI). “Stage 1 patches the entry point of AmsiScanBuffer… so the function always returns ‘not malicious’,” the report notes.
With the guards down, the script reflectively loads the final PureLog Stealer payload entirely in memory. This “fileless” execution means “disk-based antivirus and endpoint detection tools scanning file creation events will see nothing”.
The Python loader doesn’t just stop at one payload; it launches two structurally identical .NET loaders concurrently as a redundancy mechanism. “If one loader is blocked or killed by an endpoint control, the other independently delivers and executes PureLog Stealer”.
To ensure it survives a reboot, the malware establishes registry persistence, mimicking a legitimate Windows component named “SystemSettings” to avoid raising suspicion.
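Three of the behaviours described above (a WinRAR binary renamed to a .png extension, a Python interpreter masquerading as a system binary, and an autorun value named like a Windows component) all leave the same telemetry signature: a mismatch between what a file is called and what it actually is. The following added example, not code from the report or from Trend Micro, shows detection logic for those mismatches over constructed Sysmon-style events; it assumes Sysmon's `Image`, `OriginalFileName`, `TargetObject` and `Details` field names, and assumes the persistence lands in a Run key, which the report does not specify.

```python
import os

# Constructed Sysmon-style events for illustration; not telemetry from the report.
SAMPLE_EVENTS = [
    # WinRAR renamed to a .png extension and launched to unpack the "PDF" payload
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\assets.png",
     "OriginalFileName": "WinRAR.exe"},
    # Python interpreter renamed to look like a system binary (user-writable path)
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "OriginalFileName": "python.exe"},
    # Run-key value named like a Windows component, pointing at a user-writable path
    {"EventID": 13,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemSettings",
     "Details": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    # Benign control: the real svchost from System32, names agree
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe"},
]

NON_EXEC_EXTS = {".png", ".jpg", ".pdf", ".txt"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)

def check_process(ev: dict) -> list:
    """Flag processes whose on-disk name disagrees with their PE version info."""
    findings = []
    image = ev.get("Image", "")
    name = os.path.basename(image.replace("\\", "/"))  # works on non-Windows hosts too
    ext = os.path.splitext(name)[1].lower()
    orig = ev.get("OriginalFileName", "")
    if ext in NON_EXEC_EXTS:
        findings.append(f"non-executable extension launched as a process: {image}")
    if orig and orig.lower() != name.lower():
        findings.append(f"renamed binary: {image} has OriginalFileName {orig}")
    return findings

def check_registry(ev: dict) -> list:
    """Flag autorun values (Run/RunOnce) whose target lives outside trusted directories."""
    parts = ev.get("TargetObject", "").split("\\")
    target = ev.get("Details", "")
    if len(parts) >= 2 and parts[-2].lower() in ("run", "runonce") and not is_trusted_path(target):
        return [f"autorun value '{parts[-1]}' points to untrusted path: {target}"]
    return []

def detect(events: list) -> list:
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings.extend(check_process(ev))
        elif ev.get("EventID") == 13:
            findings.extend(check_registry(ev))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Against the sample, the benign svchost event produces nothing while the three masquerades yield four findings; the OriginalFileName check is the one that survives a simple rename, because it reads the PE version resource rather than the filename.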
Before exfiltrating data, PureLog performs a “victim fingerprinting” pass to see if the target is high-value. It silently queries the system for the hostname, username, and all installed antivirus products.
It captures a full-resolution screenshot of the victim’s desktop using Windows GDI APIs and manually constructs a PNG file in memory—again, without ever writing a file to disk. All this data is then bundled into a JSON object and whisked away to the C&C server over HTTPS.