Threat actors are increasingly using copyright-themed phishing emails to deliver sophisticated credential-stealing malware. The latest campaign distributing PureLog Stealer demonstrates how attackers combine fileless execution, encrypted payloads, and multi-stage loaders to bypass traditional security controls. 

This campaign targets organizations in healthcare, government, hospitality, and education across multiple countries. By combining malvertising, run-time retrieval of the archive password from the C2, and in-memory execution, the attackers steal browser credentials, cryptocurrency wallet data, and system information while leaving little on disk for file-based endpoint defenses to inspect.
In this article, you’ll learn:
- What PureLog Stealer is
- How the multi-stage attack chain works
- Evasion and persistence techniques
- Indicators of compromise (IOCs)
- Detection and mitigation strategies
- Security best practices
What Is PureLog Stealer?
PureLog Stealer is an information-stealing malware family that harvests credentials and other sensitive data from compromised systems. In this campaign it is delivered through encrypted, multi-layer payloads that are decrypted and executed only in memory, so file-based scanning never sees the final stealer.
Key Capabilities
- Browser credential theft
- Cryptocurrency wallet extraction
- System fingerprinting
- Screenshot capture
- Persistence via registry keys
- In-memory execution
- AMSI bypass
- HTTPS data exfiltration
Key Takeaway:
PureLog Stealer prioritizes stealth, persistence, and credential harvesting.
Initial Access: Copyright-Themed Phishing Emails
The infection chain begins with localized copyright violation notifications designed to create urgency and fear.
Common Delivery Methods
- Phishing emails with legal language
- Malicious executable downloads
- Google Ads malvertising campaigns
- Fake legal documentation attachments
Social Engineering Technique
- Victim receives copyright violation notice
- Opens attachment or executes file
- Decoy PDF displayed to reduce suspicion
- Malware silently begins background activity
Security Insight:
Opening a decoy document gives the victim the result they expected from the attachment, so the background execution raises no suspicion.
Multi-Stage Infection Chain Explained
The attack uses a multi-layered loader architecture to evade analysis.
Attack Workflow
- Victim executes malicious file
- Decoy PDF opens
- Password-protected archive downloaded, disguised with a .pdf extension
- Archive password fetched at run time from the C2
- Renamed WinRAR extracts archive
- Python executable disguised as svchost.exe runs
- Obfuscated Python script executes
- AMSI bypass applied
- Persistence established
- PureLog Stealer loaded in memory
Threat Insight:
Because the archive password is fetched from the C2 at run time, the payload cannot be extracted from the archive alone. Offline sandboxes and analysts without access to the live C2 are left with an encrypted blob.
Fileless Execution and Evasion Techniques
PureLog Stealer relies heavily on in-memory execution to bypass endpoint detection.
Evasion Techniques Used
- In-memory patching of AMSI
- XOR-encrypted .NET loader executables
- TripleDES-encrypted final assembly
- GZip-compressed payload
- Reflective loading of .NET assemblies
- Fileless execution of the decrypted payload
- Obfuscated Python loader
- Renamed legitimate utilities (WinRAR, the Python interpreter)
Risk Impact:
Antivirus that relies on scanning files on disk never sees the decrypted payload.
AMSI Bypass Mechanism
The Python loader patches the Windows Antimalware Scan Interface (AMSI) in memory so that the antivirus engine's AMSI hook no longer receives script and assembly content from the loader process.
AMSI Bypass Effects
- Prevents AMSI-integrated scanning of script content in the patched process
- Blinds the antivirus AMSI hook for that process only; file and behavior monitoring are unaffected
- Allows the obfuscated Python loader and the in-memory .NET payloads to run unscanned
- Exists only in process memory, so the patch itself leaves no file artifact
Security Reality:
AMSI bypass is increasingly common in modern malware campaigns.
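As an added example (not code from the article, the loader, or the campaign), the following Python triage check reads the first bytes of AmsiScanBuffer and classifies them against the patch patterns that common in-memory bypasses leave at the function entry. The pattern list, the Windows 10 x64 baseline prologue and the function names are assumptions chosen for illustration; the live read only works on Windows, while the classifier itself runs anywhere.

```python
import sys
import ctypes

# Constructed list of first-byte patterns that common in-memory patches leave at the start of
# AmsiScanBuffer (assumption: a triage list, not an exhaustive catalogue). classify_prologue()
# matches longer patterns first so the most specific description is reported.
PATCH_SIGNATURES = {
    bytes.fromhex("b857000780c3"): "mov eax, 0x80070057 (E_INVALIDARG); ret",
    bytes.fromhex("31c0c3"): "xor eax, eax; ret",
    bytes.fromhex("33c0c3"): "xor eax, eax; ret",
    bytes.fromhex("48b8"): "mov rax, imm64 (start of a jmp-rax trampoline)",
    bytes.fromhex("ff25"): "jmp [rip+disp32] (inline hook)",
    bytes.fromhex("e9"): "jmp rel32 (inline hook)",
    bytes.fromhex("c3"): "ret",
    bytes.fromhex("cc"): "int3",
}

# Constructed baseline: the AmsiScanBuffer prologue commonly cited for 64-bit Windows 10 builds
# (mov r11, rsp ...). Assumption: used here as the analyst's known-good reference; on a real
# investigation take the baseline from the on-disk amsi.dll of the host being examined.
CLEAN_PROLOGUE_WIN10_X64 = bytes.fromhex("4c8bdc49895b0849896b104989731857415641574883ec70")


def classify_prologue(prologue: bytes):
    """Return a description of the patch found at the function start, or None if none matches."""
    for sig, desc in sorted(PATCH_SIGNATURES.items(), key=lambda kv: len(kv[0]), reverse=True):
        if prologue.startswith(sig):
            return desc
    return None


def differs_from_baseline(prologue: bytes, baseline: bytes = CLEAN_PROLOGUE_WIN10_X64) -> bool:
    """Byte-compare against a known-good prologue; catches patches not in the signature list."""
    n = min(len(prologue), len(baseline))
    return prologue[:n] != baseline[:n]


def read_live_prologue(length: int = 24) -> bytes:
    """Windows only: read the first bytes of AmsiScanBuffer as mapped in the current process."""
    if sys.platform != "win32":
        raise OSError("amsi.dll is only available on Windows")
    amsi = ctypes.WinDLL("amsi")  # loads (or reuses) amsi.dll in this process
    address = ctypes.cast(amsi.AmsiScanBuffer, ctypes.c_void_p).value
    return ctypes.string_at(address, length)


def check_self() -> dict:
    """Self-check of the running process: raw prologue, matched patch, and baseline comparison."""
    prologue = read_live_prologue()
    return {
        "prologue": prologue.hex(),
        "patch": classify_prologue(prologue),
        "differs_from_baseline": differs_from_baseline(prologue),
    }


if __name__ == "__main__":
    print(check_self())
```

The signature check only sees code patches at the function entry. Bypasses that corrupt the AMSI context instead of the code leave the prologue untouched, so pair this with the on-disk comparison and with the antivirus product's own AMSI telemetry. Inspecting another process needs OpenProcess and ReadProcessMemory at the same RVA rather than an in-process read.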
Persistence Mechanism
The malware ensures persistence through a Windows Registry Run key.
Persistence Behavior
- Writes a Run key value that points at the loader
- Uses a value name that resembles a legitimate system setting
- Re-executes the loader at each user logon
- Maintains a low-profile foothold without a service or scheduled task
Data Collection and Fingerprinting
Before deploying the final payload, attackers gather system intelligence.
Data Collected
- OS version
- Installed security software
- Desktop screenshot
- System configuration
- Network details
This intelligence lets the attackers decide whether, and how, to deploy the final payload on a given host.
In-Memory Execution of PureLog Stealer
The final stage uses dual .NET loaders for redundancy.
Execution Process
- Python script decrypts the XOR-encrypted .NET loaders
- Loaders decrypt the TripleDES-encrypted assembly
- GZip-compressed payload is decompressed
- PureLog Stealer is loaded reflectively
- The decrypted assembly runs inside the CLR of the loader process
Key Advantage:
The decrypted PureLog assembly is never written to disk; only the encrypted loader artifacts are.
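Added example, not the page's or the loader's own code: a Python unpacker that mirrors two of the layers listed above (XOR and GZip) on a constructed stand-in blob. The TripleDES layer is not reproduced, because unwrapping it needs the key and IV recovered from the specific loader; the XOR key, the stand-in PE bytes and the function names are assumptions. The example goes beyond the text in one respect: the DOS stub string present in nearly every PE is used as known plaintext to recover a repeating XOR key of any length up to 39 bytes, so the analyst does not need the loader's key to peel that layer.

```python
import zlib
import gzip

DOS_STUB = b"This program cannot be run in DOS mode."   # 39-byte crib present in nearly every PE
DOS_STUB_OFFSET = 0x4E                                  # where the linker places that string
GZIP_MAGIC = b"\x1f\x8b\x08"
DOTNET_MAGIC = b"BSJB"                                  # CLR metadata header signature


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes, max_len: int = len(DOS_STUB)):
    """Recover a repeating XOR key (period <= 39) using the DOS stub text as known plaintext.

    For each candidate period n, every crib byte fixes key[pos % n]; a wrong period produces a
    contradiction. 39 consecutive crib positions cover every residue for n <= 39, so the key is
    complete, and the candidate is accepted only if the decrypted blob is a well-formed PE.
    """
    for n in range(1, max_len + 1):
        key = [None] * n
        consistent = True
        for i, plain in enumerate(DOS_STUB):
            pos = DOS_STUB_OFFSET + i
            if pos >= len(blob):
                return None
            k = blob[pos] ^ plain
            if key[pos % n] is None:
                key[pos % n] = k
            elif key[pos % n] != k:
                consistent = False
                break
        if consistent and None not in key and is_pe(xor_bytes(blob, bytes(key))):
            return bytes(key)
    return None


def unpack(blob: bytes) -> dict:
    """Peel the XOR layer if present, carve and inflate an embedded GZip stream, classify the result."""
    result = {"xor_key": None, "gzip_offset": None, "payload_is_pe": False,
              "payload_is_dotnet": False, "payload": b""}
    data = blob
    if not is_pe(data):
        key = recover_xor_key(data)
        if key is None:
            raise ValueError("outer layer is neither a PE nor an XOR of a PE with the standard DOS stub")
        result["xor_key"] = key
        data = xor_bytes(data, key)
    offset = data.find(GZIP_MAGIC)
    if offset != -1:
        result["gzip_offset"] = offset
        # decompressobj tolerates bytes after the gzip member, which gzip.decompress does not
        data = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data[offset:])
    result["payload"] = data
    result["payload_is_pe"] = is_pe(data)
    result["payload_is_dotnet"] = result["payload_is_pe"] and DOTNET_MAGIC in data
    return result


# --- constructed sample: a stand-in loader embedding a gzip'd stand-in stealer, then XOR-wrapped ---
def build_fake_pe(tag: bytes, dotnet: bool) -> bytes:
    """Constructed PE-shaped bytes carrying only the headers the unpacker keys on (not a real binary)."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")                        # e_lfanew -> PE signature at 0x80
    hdr[0x40:0x4E] = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")      # standard DOS stub code
    hdr[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr) + (DOTNET_MAGIC if dotnet else b"") + tag


STEALER_STANDIN = build_fake_pe(b"<final-payload-stand-in>", dotnet=True)
LOADER_STANDIN = build_fake_pe(b"<loader-stand-in>", dotnet=True) + gzip.compress(STEALER_STANDIN, mtime=0)
XOR_KEY = b"k3y!"                                   # assumption: key used only to build the sample
SAMPLE_BLOB = xor_bytes(LOADER_STANDIN, XOR_KEY)

if __name__ == "__main__":
    r = unpack(SAMPLE_BLOB)
    print({k: (f"{len(v)} bytes" if k == "payload" else v) for k, v in r.items()})
```

On a real sample the recovered key unwraps the .NET loader; the TripleDES-protected assembly inside it still has to be decrypted with the key material pulled from that loader before the GZip carve applies.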
Targeted Industries
Telemetry indicates highly targeted attacks rather than mass distribution.
Targeted Sectors
- Healthcare
- Government
- Hospitality
- Education
Targeted Countries
- United States
- Germany
- Canada
- Australia
Threat Intelligence Insight:
Public-sector and healthcare organizations feature prominently among the targets.
Indicators of Compromise (IOCs)
| Indicator Type | Value | Context |
|---|---|---|
| IP Address | 166[.]0[.]184[.]127 | C2 Server |
| IP Address | 64[.]40[.]154[.]96 | Outbound infrastructure |
| Domain | quickdocshare[.]com | Payload hosting |
| Domain | logs[.]bestshopingday[.]com | C2 infrastructure |
| File | instructions.pdf | Python loader |
| File | svchost.exe | Renamed Python executable |
| File | Dgrfauysx.exe | .NET loader |
| File | Fsywsuac.exe | Secondary loader |
Common Warning Signs
Red Flags
- Unexpected copyright violation emails
- Executables disguised as documents
- Files using incorrect extensions
- Suspicious registry modifications
- Unusual outbound HTTPS traffic
- AMSI memory tampering
Detection Strategies
Security Monitoring Recommendations
- Monitor for AMSI bypass attempts (in-memory patches to amsi.dll)
- Detect Python interpreters running from user-writable paths or under system binary names such as svchost.exe
- Track changes to registry Run keys
- Identify reflective .NET loading (assemblies with no backing file on disk)
- Analyze outbound encrypted traffic for connections to unknown or newly registered hosts
- Apply behavioral anomaly detection
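Added example, not from the article: Python hunting rules run over constructed Sysmon-style process, registry and DNS events, covering the red flags and monitoring recommendations above as well as the persistence and attack-workflow sections (a system binary name outside the system directory, an OriginalFileName that disagrees with the image name, a Run key pointing into a user-writable path, a DNS query for a published C2 domain), plus a magic-byte check for files whose extension lies about their type. The field names follow Sysmon (EventID 1, 13, 22); the sample events, paths, user name and rule names are assumptions, and the only indicators used are the domains from the IOC table, kept defanged.

```python
import ntpath

# Domains from the IOC table, kept defanged as published; normalise() restores the dot.
C2_DOMAINS = {"quickdocshare[.]com", "logs[.]bestshopingday[.]com"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
MASQUERADE_TARGETS = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}  # assumption: names worth checking
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
FILE_MAGIC = [  # leading bytes -> real type, and the extensions that legitimately carry it
    (b"Rar!\x1a\x07", "RAR archive", {".rar"}),
    (b"%PDF", "PDF document", {".pdf"}),
    (b"MZ", "PE executable", {".exe", ".dll", ".scr"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".docx", ".xlsx", ".jar"}),
]


def normalise(domain: str) -> str:
    return domain.lower().replace("[.]", ".")


def rule_system_binary_outside_system_dir(ev):
    """EventID 1: a binary named like a Windows system process running outside System32/SysWOW64."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "")
    name, folder = ntpath.basename(image).lower(), ntpath.dirname(image).lower()
    if name in MASQUERADE_TARGETS and folder not in SYSTEM_DIRS:
        return f"{name} running from {folder}"
    return None


def rule_original_filename_mismatch(ev):
    """EventID 1: the PE version resource names a different file (renamed python.exe or WinRAR.exe)."""
    if ev.get("EventID") != 1:
        return None
    orig = ev.get("OriginalFileName", "").lower()
    name = ntpath.basename(ev.get("Image", "")).lower()
    if orig and name and orig != name:
        return f"{name} carries OriginalFileName={orig}"
    return None


def rule_run_key_to_user_writable_path(ev):
    """EventID 13: a Run/RunOnce value set to a command under a user-writable directory."""
    if ev.get("EventID") != 13:
        return None
    target, details = ev.get("TargetObject", "").lower(), ev.get("Details", "").lower()
    if "\\currentversion\\run" in target and any(p in details for p in USER_WRITABLE):
        return f"Run value {ntpath.basename(target)} -> {details}"
    return None


def rule_known_c2_dns(ev):
    """EventID 22: DNS query for a domain published as campaign infrastructure."""
    if ev.get("EventID") != 22:
        return None
    query = normalise(ev.get("QueryName", ""))
    if query in {normalise(d) for d in C2_DOMAINS}:
        return f"DNS query for published C2 domain {query}"
    return None


RULES = [rule_system_binary_outside_system_dir, rule_original_filename_mismatch,
         rule_run_key_to_user_writable_path, rule_known_c2_dns]


def hunt(events):
    """Run every rule over every event; returns (rule name, event index, detail) triples."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, i, hit))
    return findings


def extension_mismatch(filename: str, head: bytes):
    """Return the real file type when the leading bytes disagree with the extension, else None."""
    ext = ntpath.splitext(filename)[1].lower()
    for magic, kind, allowed in FILE_MAGIC:
        if head.startswith(magic):
            return None if ext in allowed else kind
    return None


# Constructed sample telemetry (not real logs): one benign svchost, then the chain's footprints.
TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": TEMP + "svchost.exe", "OriginalFileName": "python.exe",
     "CommandLine": "svchost.exe " + TEMP + "main.py"},
    {"EventID": 1, "Image": TEMP + "upd.exe", "OriginalFileName": "WinRAR.exe",
     "CommandLine": "upd.exe x -pExample123 document.pdf " + TEMP},
    {"EventID": 13, "Image": TEMP + "svchost.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
     "Details": TEMP + "svchost.exe " + TEMP + "main.py"},
    {"EventID": 22, "Image": TEMP + "svchost.exe", "QueryName": "logs[.]bestshopingday[.]com"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
    print(extension_mismatch("document.pdf", b"Rar!\x1a\x07\x01\x00"))
```

The OriginalFileName rule is a triage signal rather than a verdict: some legitimate software ships with a version resource that does not match its file name, so review its hits alongside the path and parent process rather than alerting on it alone.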
Mitigation Best Practices
For Security Teams
- Enable EDR behavioral detection
- Block execution from temporary and other user-writable directories
- Monitor PowerShell and Python activity
- Implement application allowlisting
- Inspect outbound HTTPS traffic
- Deploy sandbox detonation
For Organizations
- Conduct phishing awareness training
- Disable unnecessary scripting engines
- Patch Windows systems regularly
- Restrict user privileges
- Implement Zero Trust access
Framework Mapping
MITRE ATT&CK Techniques
- T1566 – Phishing
- T1204.002 – User Execution: Malicious File
- T1059.006 – Command and Scripting Interpreter: Python
- T1027 – Obfuscated Files or Information
- T1036 – Masquerading (renamed interpreter as svchost.exe, archive with .pdf extension)
- T1562.001 – Impair Defenses: Disable or Modify Tools (AMSI patch)
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1112 – Modify Registry
- T1620 – Reflective Code Loading
- T1055 – Process Injection
- T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
- T1041 – Exfiltration Over C2 Channel
NIST Cybersecurity Framework
- Identify: Email threat risk
- Protect: User awareness
- Detect: EDR monitoring
- Respond: Malware containment
- Recover: Credential rotation
Risk Impact Analysis
| Risk Area | Impact |
|---|---|
| Credentials | Browser password theft |
| Crypto | Wallet compromise |
| Enterprise | Data exfiltration |
| Compliance | Regulatory exposure |
| Operations | System persistence |
| Security | Defense evasion |
FAQs
What is PureLog Stealer?
PureLog Stealer is an information-stealing malware that harvests credentials and executes filelessly in memory.
How does the attack begin?
It starts with copyright-themed phishing emails or malvertising downloads.
Why is fileless execution dangerous?
The decrypted payload is never written to disk, so file-based antivirus scanning never sees it; only behavioral and memory-based detection can catch it.
What data does PureLog steal?
Browser credentials, crypto wallets, system information, and screenshots.
Who is targeted?
Healthcare, government, education, and hospitality sectors.
How can organizations defend against it?
Use EDR, behavioral detection, phishing awareness, and application control.
Conclusion
The PureLog Stealer campaign highlights how modern threat actors combine social engineering, fileless malware, and encrypted payloads to bypass security defenses. By using copyright-themed phishing emails and in-memory execution, attackers can silently harvest credentials from high-value targets.
Organizations must:
- Strengthen email security
- Deploy behavioral detection tools
- Monitor scripting activity
- Educate users on phishing risks
Proactive detection and layered security controls are essential to stop advanced credential-stealing campaigns. 