PureLogs Infostealer Campaign Uses Cat Photos to Hide Payloads, Steals Credentials Worldwide
Fortinet researchers have uncovered a global phishing campaign delivering the PureLogs infostealer via steganography, hiding encrypted payloads inside cat images to evade detection.

A sophisticated phishing campaign is distributing the PureLogs information stealer to Windows machines worldwide, using steganography to hide malicious payloads inside cat photos, according to researchers at Fortinet. The attack leverages invoice-themed emails to pressure victims into opening TXZ archives, which contain JavaScript that initiates a multi-stage infection chain designed to bypass modern security defenses.
The attack begins with a phishing email carrying a TXZ archive and an invoice-themed lure. Once extracted, the JavaScript stores malicious commands in process environment variables, using garbled text and multilingual comments as obfuscation. It then launches a hidden PowerShell session to decode, decrypt, and decompress a .NET assembly loader dubbed PawsRunner. PawsRunner decrypts a download URL using RC4 and attempts to fetch a PNG image from multiple network APIs. In a previous campaign flagged by Swiss Post Cybersecurity, the PNG image was retrieved from archive.org.
PawsRunner extracts an encrypted payload hidden within the PNG file using steganography markers, bypassing Event Tracing for Windows and Windows 11 security features. The final payload is the PureLogs infostealer, which profiles the victim's system environment and harvests credentials, cookies, and session tokens from an extensive list of web browsers, over 100 crypto wallet extensions and desktop wallets, communication apps like Discord, Telegram, and Signal, password managers including Bitwarden, LastPass, and 1Password, authenticator browser extensions, and other software such as Steam, OpenVPN, FileZilla, and Outlook.
The stolen data is AES-encrypted and exfiltrated via HTTPS to command-and-control servers. "This version of PureLogs uses extensive async/await patterns to improve task efficiency and complicate analysis. Additionally, it uses HTTPS for its Command and Control (C2) communications," the researchers noted. The harvested information can be used for financial theft or sold on criminal markets, potentially enabling follow-on attacks against victims' employers, banks, or contacts.
The shift toward hiding payloads inside image files represents a deliberate effort to blend malicious activity into normal-looking network traffic. A PNG file fetched over HTTPS from what might appear to be a legitimate host raises far fewer alarms than a direct download of an executable. According to Fortinet, this technique is increasingly used by attackers.
Users are advised to treat unexpected emails and attachments as suspicious regardless of how urgent or routine they appear, and to be wary of opening files in unusual formats. Organizations can train employees to detect invoice-themed lures, block uncommon archive formats at the email gateway, monitor for unusual PowerShell behavior, restrict JavaScript execution from email attachments, and deploy endpoint detection that covers in-memory execution.
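Two of the gateway-side controls listed above, blocking uncommon archive formats and catching image files that carry extra data, can be reduced to simple structural checks. The script below is an added example written for this page; it is not Fortinet's code and not taken from the campaign. It identifies archive attachments by magic bytes rather than file extension (a renamed .txz is still an xz stream), lists script members inside an xz-compressed tar, and walks a PNG's chunk structure to count bytes appended after the IEND chunk. The IEND check is an assumption: the article says only that PawsRunner uses "steganography markers" and does not state how the payload is embedded, so this catches one common smuggling method, not necessarily this loader's. The sample archive and PNG are constructed inline.

```python
"""Gateway-style attachment triage (added example, not Fortinet's code)."""
import io
import struct
import tarfile
import zlib

# Magic bytes for archive containers that are unusual as mail attachments.
# Extension checks are trivial to evade by renaming; magic bytes are not.
ARCHIVE_MAGIC = {
    b"\xfd7zXZ\x00": "xz/txz",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip/tgz",
}
SCRIPT_SUFFIXES = (".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1")


def archive_type(data: bytes):
    """Return the archive family for the given bytes, or None."""
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def script_members(data: bytes):
    """List script-like files inside an xz-compressed tar (TXZ) attachment."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:xz") as tar:
        return [m.name for m in tar.getmembers()
                if m.isfile() and m.name.lower().endswith(SCRIPT_SUFFIXES)]


def png_trailing_bytes(data: bytes) -> int:
    """Bytes appended after the IEND chunk (0 for a clean file).

    Walks the chunk list instead of searching for the string 'IEND', so a
    fake marker inside IDAT data is not mistaken for the real end of image.
    """
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("truncated PNG: no IEND chunk")


def triage(filename: str, data: bytes):
    """Return human-readable findings for one attachment."""
    findings = []
    kind = archive_type(data)
    if kind:
        findings.append(f"{filename}: uncommon archive format {kind}")
        if kind == "xz/txz":
            for name in script_members(data):
                findings.append(f"{filename}: script member {name}")
    if data.startswith(b"\x89PNG"):
        extra = png_trailing_bytes(data)
        if extra:
            findings.append(f"{filename}: {extra} bytes after IEND")
    return findings


# --- constructed samples (placeholders, not artifacts from the campaign) ---
def build_txz(members):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_png(trailer: bytes = b""):
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body)
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1 RGB, 8-bit
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + 1 pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailer)


SAMPLE_TXZ = build_txz({"Invoice_2024.js": b"// constructed placeholder script\n"})
SAMPLE_PNG = build_png(trailer=b"CONSTRUCTED-ENCRYPTED-BLOB")

if __name__ == "__main__":
    for name, blob in (("invoice.txz", SAMPLE_TXZ), ("cat.png", SAMPLE_PNG)):
        for finding in triage(name, blob):
            print(finding)
```

Both checks are cheap enough to run inline at a mail gateway or in an EDR file scan. A PNG with trailing bytes is not proof of a payload (some image editors append metadata), but combined with the source of the download and a subsequent PowerShell or .NET load from the same process tree it is a strong signal.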