VYPR research
Published Mar 19, 2026 · Updated May 20, 2026 · 1 source

Copyright Lures Deliver PureLog Stealer in Multi-Stage Fileless Attack on Healthcare and Government

A targeted campaign uses copyright violation lures to deliver PureLog Stealer entirely in memory, hitting healthcare and government organizations in Germany and Canada.

Trend Micro researchers have uncovered a sophisticated multi-stage campaign that delivers PureLog Stealer through a fileless, encrypted infection chain. The attack uses copyright-themed lures tailored to the victim's language, tricking users into executing a malicious executable disguised as a legal notice. Once run, the malware deploys a series of evasive techniques to harvest credentials, browser data, and cryptocurrency wallets from compromised systems.

The infection chain begins with a phishing email containing a download link for a file named "Dokumentation über Verstöße gegen Rechte des geistigen Eigentums.exe" (Documentation on Intellectual Property Rights Violations.exe) for German targets. Upon execution, the malware opens a benign decoy PDF to distract the user while malicious actions run in the background. It then downloads an encrypted payload from attacker-controlled infrastructure, using a custom User-Agent string "curl/meow_meow" to evade simple detection.

A key evasion technique is the dynamic retrieval of the decryption password from a separate remote endpoint, rather than hardcoding it in the malware. The encrypted payload is disguised as a PDF file, and extraction is performed using a renamed WinRAR utility masquerading as a PNG image. This multi-layered approach hinders static analysis and makes the attack harder to detect by traditional security tools.
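Two of the observables above lend themselves to simple, defender-side checks: the custom User-Agent string "curl/meow_meow" in outbound web traffic, and a file whose extension claims an image or PDF but whose content begins with a Windows PE ("MZ") header, as with the renamed WinRAR utility. The following is an added example, not code from Trend Micro or Vypr; the proxy log line format, the regular expression that parses it, and the magic-byte table are assumptions made here, and the sample log lines are constructed. Only the User-Agent value comes from the report.

```python
"""Detection helpers for two observables in the PureLog Stealer report.

1. Proxy log lines whose User-Agent is the custom "curl/meow_meow" string.
2. Files whose extension says PNG or PDF but whose bytes start with "MZ",
   i.e. a renamed Windows executable masquerading as a benign file type.
"""
import os
import re
from dataclasses import dataclass

# Constructed sample proxy log (assumed format: ts src status bytes method url user "ua").
SAMPLE_PROXY_LOG = """\
1710000001.123 10.0.0.5 TCP_MISS/200 8421 GET http://example.invalid/update.pdf - "curl/meow_meow"
1710000002.456 10.0.0.6 TCP_MISS/200 1337 GET http://example.invalid/index.html - "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1710000003.789 10.0.0.5 TCP_MISS/200 64 GET http://example.invalid/key.txt - "curl/meow_meow"
"""

# The only indicator taken from the report itself.
SUSPICIOUS_USER_AGENTS = {"curl/meow_meow"}

# Parser for the assumed log format above; adjust the regex to your proxy's format.
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+\S+\s+"(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    src: str
    url: str
    user_agent: str


def find_suspicious_user_agents(log_text: str) -> list[Hit]:
    """Return one Hit per log line whose User-Agent exactly matches a known bad value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        if m.group("ua") in SUSPICIOUS_USER_AGENTS:
            hits.append(Hit(m.group("src"), m.group("url"), m.group("ua")))
    return hits


# Expected leading bytes for the extensions the lure chain abuses.
EXPECTED_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}
PE_MAGIC = b"MZ"  # DOS/PE header of a Windows executable


def classify_file(name: str, head: bytes) -> str:
    """Compare a file's extension with its leading bytes.

    Returns "pe-masquerade" when an image/PDF extension hides a PE file,
    "mismatch" when the content is something else unexpected, "ok" when the
    magic matches the extension, and "unknown" for extensions not in the table.
    """
    ext = os.path.splitext(name)[1].lower()
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        return "unknown"
    if head.startswith(PE_MAGIC):
        return "pe-masquerade"
    return "ok" if head.startswith(expected) else "mismatch"


if __name__ == "__main__":
    for hit in find_suspicious_user_agents(SAMPLE_PROXY_LOG):
        print(f"suspicious UA from {hit.src}: {hit.url} ({hit.user_agent})")
    # Constructed file headers: a renamed executable and a genuine PNG.
    print(classify_file("image.png", b"MZ\x90\x00" + b"\x00" * 60))
    print(classify_file("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
```

The User-Agent check is an exact match on purpose: the report describes a fixed custom string, and a broader pattern such as any `curl/` agent would flood a typical enterprise proxy with benign hits. The magic-byte check is cheap enough to run on every file written to a user's download or temp directory, and the "pe-masquerade" result is the one worth alerting on, since there is rarely a legitimate reason for a `.png` or `.pdf` to begin with an MZ header.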

The extracted payload launches a Python-based loader that decrypts and executes the final .NET PureLog Stealer entirely in memory. The loader incorporates anti-virtual machine checks to evade automated sandbox analysis, along with AMSI bypass, registry persistence, and screenshot capture capabilities. PureLog Stealer then collects Chrome browser credentials, cryptocurrency wallet data, and system information, exfiltrating it to command-and-control servers.

Telemetry data confirms that the campaign has primarily targeted healthcare and government organizations in Germany and Canada, with additional victims in the United States and Australia across hospitality and education sectors. The localized delivery and industry-focused victim profile indicate selective targeting rather than indiscriminate mass distribution, suggesting a structured and well-resourced operation.

Trend Micro recommends that organizations implement robust email security controls, train users to recognize social engineering lures, and deploy endpoint detection solutions capable of identifying fileless malware execution. The use of encrypted, dynamically retrieved payloads underscores the need for behavioral analysis and memory scanning to catch such advanced threats.

Synthesized by Vypr AI