A sophisticated new malware campaign is deploying the PureLog Stealer, a potent information-stealing tool, by leveraging convincing copyright violation notices. Organizations within the healthcare, government, education, and hospitality sectors are being targeted. This campaign, identified in March 2026, relies on social engineering rather than exploiting software vulnerabilities, making traditional patching insufficient for defense. The malware harvests sensitive data, including browser credentials and cryptocurrency wallet information.
The PureLog Stealer campaign utilizes phishing emails containing malicious download links to deliver language-specific lures, with German variants targeting Germany and English versions aimed at Canada and other regions. Researchers at Trend Micro observed that the attackers are focusing their efforts on organizations in Germany and Canada, with additional victims identified in the United States and Australia. The targeted industries often handle legal and compliance documents, making the copyright infringement theme particularly effective.
Inside the Multi-Stage Infection Chain with PureLog Stealer
Once a victim executes the malicious file, disguised as a copyright complaint, a command interpreter launches silently in the background. Simultaneously, a seemingly harmless decoy PDF document opens on the user’s screen, designed to distract them from the malicious activity occurring unseen.
Meanwhile, the malware initiates contact with attacker-controlled infrastructure to download an encrypted archive. This archive is presented as a PDF file named invoice.pdf. The campaign’s design is notable for its remote decryption key retrieval. Instead of embedding the password within the malware itself, the attackers fetch it from a separate server endpoint at runtime. This method significantly hinders offline analysis and grants attackers the ability to control or remotely cancel individual infections.
Subsequently, a renamed WinRAR executable, cleverly disguised as a PNG image file, uses the retrieved password to extract the actual malicious payload. This extracted content includes a renamed Python interpreter, labeled as svchost.exe, and a heavily obfuscated Python script named instructions.pdf.
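Every stage of this chain relies on a file whose extension lies about its content: a RAR archive named invoice.pdf, a WinRAR executable named as a PNG, a Python interpreter named svchost.exe, and a Python script named instructions.pdf. A simple defensive check is to compare the leading bytes of a file against what its extension promises. The following script is an added example written for this article, not code from Trend Micro or from the campaign; the file names and contents in the sample set are constructed to mirror the disguises described above.

```python
import os

# Magic-byte signatures for the formats involved in this chain: the archive and
# executable types the attackers actually ship, and the document/image types
# they are disguised as. "MZ" is checked last because it is only two bytes.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
]

# What content each extension is allowed to carry under this policy.
EXPECTED = {
    ".pdf": {"pdf"},
    ".png": {"png"},
    ".exe": {"pe"},
    ".rar": {"rar4", "rar5"},
    ".zip": {"zip"},
}


def sniff(data: bytes) -> str:
    """Return the content type implied by the file's leading bytes."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_extension(name: str, data: bytes):
    """Return a finding string when the extension and content disagree, else None."""
    ext = os.path.splitext(name)[1].lower()
    expected = EXPECTED.get(ext)
    if expected is None:
        return None  # extension not covered by the policy; nothing to compare
    kind = sniff(data)
    if kind in expected:
        return None
    return f"{name}: extension {ext} but content is {kind}"


def scan_files(files):
    """Apply check_extension to (name, bytes) pairs and collect the findings."""
    findings = []
    for name, data in files:
        finding = check_extension(name, data)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample set modelled on the disguises in the article (not real samples).
SAMPLE_FILES = [
    ("invoice.pdf", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16),        # RAR5 archive as a PDF
    ("photo.png", b"MZ\x90\x00" + b"\x00" * 60),                      # PE executable as a PNG
    ("instructions.pdf", b"import base64\nexec(base64.b64decode("),  # Python text as a PDF
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),                 # genuine PDF header
    ("archive.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 16),             # genuine RAR4 header
]

if __name__ == "__main__":
    for line in scan_files(SAMPLE_FILES):
        print(line)
```

The check is deliberately strict: a file with no recognised signature is reported as "unknown" and flagged, which is exactly what catches the obfuscated Python script masquerading as instructions.pdf. One caveat for production use is that some legitimate PDFs carry a few bytes of junk before the %PDF marker, so a real implementation should search the first kilobyte rather than require the marker at offset zero.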
Bypassing Security Measures
The Python script’s first action is to bypass the Windows Antimalware Scan Interface (AMSI), which Windows Defender relies on to inspect script content, by patching it directly in memory. This prevents subsequent malicious operations from being scanned. Following this, the script establishes persistence through the current-user Run key in the Windows registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), adding an entry named SystemSettings. This ensures that the malware automatically restarts every time the user logs into the system.
Further actions by the script involve capturing a full-screen screenshot of the victim’s desktop. It also collects the machine’s hostname, the current username, and the names of any installed antivirus products. This collected information is then transmitted to the command-and-control server via an HTTPS POST request.
The final stage of the infection chain involves two identical .NET loader files. These loaders are responsible for decrypting and loading the PureLog Stealer directly into the system’s memory. This fileless execution technique is a critical design element that leaves virtually no trace on the compromised machine’s disk, making detection by traditional signature-based antivirus solutions extremely challenging.
To mitigate the risks posed by this campaign, organizations should implement regular employee training focused on identifying and reporting suspicious emails, particularly those containing download links and alleging copyright violations. Security teams are advised to monitor registry Run keys for unfamiliar entries, watch for Python or WinRAR processes originating from non-standard directories, and block outbound connections to known malicious domains. Behavioral detection tools and robust network telemetry are crucial, as the campaign’s fileless final stage is likely to evade conventional signature-based detection.
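The host-side indicators above (renamed interpreters and archivers, a system binary name running from a user directory, and a Run key pointing into a user-writable path) can be expressed as a few telemetry rules. The script below is an added example for this article, not Trend Micro's detection logic or a vendor product; it runs over a small set of constructed process-creation and registry-set events whose field names (image, original_file_name, key, details) are assumptions loosely modelled on endpoint telemetry such as Sysmon, not an exact schema.

```python
import ntpath

# Directories where a genuine Windows service host binary is expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Path fragments that indicate a location an ordinary user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\public\\")
# Tools the campaign renames; matched on the PE's original file name, not the on-disk name.
WATCHED_TOOLS = {"python.exe", "pythonw.exe", "winrar.exe", "rar.exe", "unrar.exe"}
# Windows binary names that should never appear outside the system directories.
SYSTEM_BINARIES = {"svchost.exe"}
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"
# Per-user software that legitimately autostarts from AppData (assumed allowlist).
ALLOWED_RUN_VALUES = {"onedrive"}


def _is_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)


def _is_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def check_process(ev):
    """Rules for a process-creation event; returns (rule, detail) tuples."""
    findings = []
    image = ev["image"]
    base = ntpath.basename(image).lower()
    original = ev.get("original_file_name", "").lower()
    # A renamed interpreter or archiver: version-info name disagrees with the file name.
    if original in WATCHED_TOOLS and original != base:
        findings.append(("renamed_tool", f"{original} running as {image}"))
    # A system binary name launched from anywhere but the system directories.
    if base in SYSTEM_BINARIES and not _is_system_dir(image):
        findings.append(("system_name_outside_system_dir", image))
    # Python or WinRAR executing out of a user-writable location.
    if (original in WATCHED_TOOLS or base in WATCHED_TOOLS) and _is_user_writable(image):
        findings.append(("tool_from_user_writable_dir", image))
    return findings


def check_registry(ev):
    """Rule for a registry-set event: Run entries that point into user-writable paths."""
    key = ev["key"]
    if RUN_KEY_FRAGMENT not in key.lower():
        return []
    if ntpath.basename(key).lower() in ALLOWED_RUN_VALUES:
        return []
    if _is_user_writable(ev.get("details", "")):
        return [("run_key_to_user_writable_path", f"{key} -> {ev['details']}")]
    return []


def analyze(events):
    """Dispatch each event to its rule set and return all findings in order."""
    out = []
    for ev in events:
        if ev["event"] == "process":
            out.extend(check_process(ev))
        elif ev["event"] == "registry":
            out.extend(check_registry(ev))
    return out


# Constructed events mirroring the chain described in the article (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "process", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe",
     "original_file_name": "python.exe", "parent": "cmd.exe"},
    {"event": "process", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\photo.png",
     "original_file_name": "WinRAR.exe", "parent": "cmd.exe"},
    {"event": "process", "image": "C:\\Windows\\System32\\svchost.exe",
     "original_file_name": "svchost.exe", "parent": "services.exe"},
    {"event": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemSettings",
     "details": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe instructions.pdf"},
    {"event": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The renamed-tool rule is the one that does most of the work here, because it keys on the PE version-info name rather than the on-disk file name, which is precisely what the attackers change. The Run-key rule needs an allowlist in practice, since legitimate per-user software such as OneDrive also autostarts from AppData; the constructed benign event shows why.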