A new credential theft campaign is leveraging copyright violation lures to distribute PureLog Stealer, an infostealer delivered through a multi-stage chain and designed to quietly harvest sensitive data from targeted organizations. The campaign relies entirely on social engineering, which makes it particularly dangerous: no software vulnerability is required for compromise, so patch status offers no protection.
Victims are tricked into executing files disguised as legal documentation, triggering a sophisticated infection chain that ends with fileless in-memory malware execution.
Targeted Industries
The campaign is highly selective and focuses on sectors where legal notices appear routine.
Primary Targets
- Healthcare organizations
- Government agencies
- Education institutions
- Hospitality companies
Geographic targeting includes:
- Germany
- Canada
- United States
- Australia
Localized language lures increase credibility and success rates.
What Is PureLog Stealer?
PureLog is a lightweight infostealer designed for credential harvesting.
Data Collected
- Browser credentials
- Cryptocurrency wallet data
- Browser extension data
- System information
- User and hostname details
- Antivirus product information
Its low cost and ease of deployment make it attractive to less-skilled threat actors.
Initial Infection Vector
The attack begins with phishing emails containing malicious download links.
Social Engineering Tactics
- Copyright violation claims
- Legal-themed language
- Region-specific translations
- Executable disguised as document
Example filename:
- Documentation on Intellectual Property Rights Violations.exe
Because the victim launches the executable voluntarily, patch-based defenses offer no protection; the attack needs no exploit, only a believable lure.
Multi-Stage Infection Chain
The attack uses a stealthy multi-stage delivery mechanism.
Step-by-Step Attack Flow
- Victim executes malicious file
- Decoy PDF opens to distract user
- Encrypted archive downloaded
- Password retrieved from remote server
- Payload extracted using a renamed archive utility (WinRAR)
- Python loader executes
- AMSI bypass applied
- Persistence created in registry
- System data collected
- PureLog loaded in memory
Decoy and Payload Delivery
After execution, a harmless PDF opens to reduce suspicion while the attack continues silently.
Behind-the-Scenes Activity
- Command interpreter launches
- Encrypted file downloaded
- Archive disguised as PDF
- Remote password retrieval
- Hidden extraction process
Because the archive password is only available from the attacker's server, the payload cannot be unpacked offline, which hinders automated sandbox analysis and static inspection of the downloaded file.
Evasion Techniques
The campaign uses multiple advanced evasion methods.
Techniques Observed
- Encrypted payloads
- Remote key retrieval
- AMSI memory patching
- Fileless execution
- Obfuscated Python scripts
- Renamed executables
- In-memory .NET loading
These tactics leave minimal forensic artifacts.
Persistence Mechanism
The loader ensures it survives system reboots.
Registry Persistence
- Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value name SystemSettings
- Auto-start at user login
- Value name mimics a legitimate Windows component (SystemSettings)
Data Collection and Exfiltration
Before deploying the final payload, the malware gathers system intelligence.
Information Collected
- Screenshot of desktop
- Hostname
- Username
- Installed security software
- System configuration
The data is transmitted via HTTPS to attacker-controlled servers.
Fileless PureLog Execution
The final stage loads PureLog directly into memory.
Key Characteristics
- The final PureLog assembly is never written to disk (the archive and the Python loader that precede it are)
- Loaded via .NET loaders
- In-memory execution
- Evades file-based antivirus
This defeats file-based scanning; detection has to rely on behavioral telemetry and memory inspection.
Why This Campaign Is Dangerous
- No vulnerability exploitation required
- Highly believable legal lures
- Fileless malware execution
- Minimal forensic footprint
- Sector-specific targeting
- Attacker-controlled delivery (archive password fetched at run time)
Indicators of Suspicious Activity
Security teams should monitor:
- Unexpected Python execution
- WinRAR running from unusual paths or under a renamed binary
- Registry Run key modifications
- Suspicious outbound HTTPS traffic
- Unknown executables posing as documents
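The following is an added example, not code from the original article or from any vendor report: a small detection pass over constructed, Sysmon-style endpoint events that flags the behaviours listed above and the Run-key persistence described earlier. The field names (EventID 1 process creation with Image, ParentImage and OriginalFileName; EventID 3 network connection; EventID 13 registry value set with TargetObject and Details) follow Sysmon's real schema; every event in SAMPLE_EVENTS, including the user name, paths and SID, is constructed, and the lure-word and path heuristics are assumptions you should tune to your environment.

```python
"""Flag campaign indicators in Sysmon-style endpoint events (added example)."""
import ntpath
import re

# Run-key value set: captures the value name after ...\CurrentVersion\Run\
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Directories a phished user can write to (heuristic, assumption)
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\|windows\\temp\\|programdata\\)", re.I)
# PE OriginalFileName values of common archivers and their expected install dirs
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe", "7z.exe", "7zg.exe"}
ARCHIVER_DIRS = {r"c:\program files\winrar",
                 r"c:\program files (x86)\winrar",
                 r"c:\program files\7-zip"}
INTERPRETERS = {"python.exe", "pythonw.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Words a lure executable tends to carry in its name (heuristic, assumption)
LURE_WORDS = ("document", "copyright", "intellectual property",
              "violation", "notice", "invoice")
DOC_EXTS = (".pdf", ".doc", ".docx", ".txt")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def flag_event(ev: dict) -> list:
    """Return a list of human-readable reasons why this event is suspicious."""
    reasons = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    name = basename(image)
    if eid == 1:
        # 1) .exe whose name reads like a document or carries a double extension
        stem = name[:-4] if name.endswith(".exe") else name
        if name.endswith(".exe") and (
                stem.endswith(DOC_EXTS) or any(w in stem for w in LURE_WORDS)):
            reasons.append(f"executable posing as a document: {name}")
        # 2) archiver binary renamed or running outside its install directory
        orig = ev.get("OriginalFileName", "").lower()
        if orig in ARCHIVERS and (
                orig != name or ntpath.dirname(image).lower() not in ARCHIVER_DIRS):
            reasons.append(
                f"archive utility {orig} running as {name} from {ntpath.dirname(image)}")
        # 3) Python interpreter launched by a shell or from a user-writable path
        parent = basename(ev.get("ParentImage", ""))
        if name in INTERPRETERS and (parent in SHELLS or USER_WRITABLE_RE.match(image)):
            reasons.append(f"python interpreter {image} launched by {parent}")
    elif eid == 13:
        # 4) any value written under the per-user Run key
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            reasons.append(
                f"Run key persistence value '{m.group(1)}' -> {ev.get('Details', '')}")
    elif eid == 3:
        # 5) HTTPS from an interpreter or a binary in a user-writable directory
        if ev.get("DestinationPort") == 443 and (
                name in INTERPRETERS or USER_WRITABLE_RE.match(image)):
            reasons.append(f"outbound HTTPS from {image} to {ev.get('DestinationIp')}")
    return reasons


def scan(events: list) -> list:
    """Return (event index, reason) pairs for every indicator hit."""
    return [(i, r) for i, ev in enumerate(events) for r in flag_event(ev)]


# Constructed sample telemetry: five events that mirror the chain, two benign.
USER_DIR = r"C:\Users\alice"
SID = "S-1-5-21-1004336348-1177238915-682003330-1001"  # constructed
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": USER_DIR + r"\Downloads\Documentation on Intellectual Property Rights Violations.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": ""},
    {"EventID": 1, "Image": USER_DIR + r"\AppData\Local\Temp\pdfview.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "WinRAR.exe"},
    {"EventID": 1, "Image": USER_DIR + r"\AppData\Local\Temp\py\pythonw.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "pythonw.exe"},
    {"EventID": 13, "Image": USER_DIR + r"\AppData\Local\Temp\py\pythonw.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\SystemSettings",
     "Details": USER_DIR + r"\AppData\Local\Temp\py\pythonw.exe loader.py"},
    {"EventID": 3, "Image": USER_DIR + r"\AppData\Local\Temp\py\pythonw.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",           # benign
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "WinRAR.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Office\16.0\Word\Options\Foo",
     "Details": "1"},                                                           # benign
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Each rule is deliberately narrow so it can be mapped to a single line of the indicator list; in production you would correlate them by process GUID, since the renamed archiver, the interpreter launch, the Run-key write and the HTTPS connection all hang off the same lure process tree.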
Mitigation Recommendations
For Organizations
- Train users on phishing awareness
- Block executable downloads from email
- Monitor registry persistence entries
- Implement behavioral detection tools
- Restrict PowerShell and scripting engines
- Inspect outbound traffic patterns
For Security Teams
- Enable EDR behavioral monitoring
- Watch for AMSI bypass attempts
- Audit Python interpreter usage
- Monitor in-memory .NET execution
- Detect suspicious archive extraction
Risk Impact Analysis
| Risk Area | Impact |
|---|---|
| Credentials | Account takeover |
| Financial | Crypto wallet theft |
| Security | Persistent access |
| Privacy | Data exposure |
| Operations | Lateral movement |
Key Takeaways
- Campaign uses copyright-themed phishing
- PureLog executed entirely in memory
- Targets high-trust industries
- No vulnerabilities exploited
- Behavioral detection required
Conclusion
The PureLog campaign demonstrates how social engineering combined with fileless malware can bypass traditional defenses. Organizations must prioritize user awareness, behavioral monitoring, and endpoint detection to mitigate this threat.
With attackers relying on trusted-looking legal documents, human vigilance becomes a critical security layer.