A new malware campaign is targeting organizations across healthcare, government, education, and hospitality sectors using cleverly disguised copyright violation notices to deliver PureLog Stealer, a powerful information-stealing malware. <\/p>\n
The campaign, first analyzed in March 2026, tricks victims into executing a malicious file that looks like a legitimate legal document. Once opened, the file sets off a quiet but complex chain of events that ends with sensitive data being stolen from the victim\u2019s machine.<\/a><\/p>\n PureLog Stealer is an infostealer known for harvesting browser credentials, cryptocurrency wallet<\/a> data, browser extension data, and general system information. <\/p>\n It is classified as a low-cost, easy-to-use tool, which means even less-skilled threat actors can deploy it. <\/p>\n The campaign uses phishing emails with malicious download links \u2014 rather than direct attachments \u2014 to deliver language-specific lures, with German-language variants targeting Germany and English-language versions targeting Canada and other regions.<\/a><\/p>\n Trend Micro researchers identified that the campaign<\/a> does not rely on software vulnerabilities or exploits. Instead, it depends entirely on social engineering, convincing users to manually run a file disguised as a copyright complaint. <\/p>\n The malicious executable carries names like\u00a0\u201cDocumentation on Intellectual Property Rights Violations.exe,\u201d<\/em>\u00a0making it appear genuine to an unsuspecting recipient. <\/p>\n This approach makes the campaign particularly dangerous because standard patch management alone cannot stop it.<\/a><\/p>\n The campaign has been most active against organizations in Germany and Canada, with additional victims observed in the United States and Australia. <\/p>\n Industries targeted include healthcare, government, hospitality, and education \u2014 sectors that often deal with legal notices and compliance documents, making the copyright lure format highly believable. <\/p>\n The selective targeting and localized delivery suggest a structured operation rather than a random mass spam campaign<\/a>.<\/a><\/p>\n What makes this threat stand out is the level of technical sophistication woven throughout its delivery chain. <\/p>\n The malware uses encrypted payloads, remote decryption key retrieval, and fully in-memory execution \u2014 leaving very little forensic trace on compromised machines. <\/p>\n Endpoint detection tools that rely on file creation monitoring would find almost nothing to flag.<\/a><\/p>\n Once the victim executes the malicious lure, a command interpreter launches silently in the background. <\/p>\n To keep the user occupied, a harmless-looking decoy PDF immediately opens on screen.<\/p>\n Meanwhile, the malware contacts attacker-controlled infrastructure to download an encrypted archive disguised as a PDF file named\u00a0 Rather than embedding the decryption password inside the malware itself, the attackers retrieve it remotely from a separate server endpoint at runtime. This design makes offline analysis nearly impossible and allows the attacker to control or cancel each infection remotely. <\/p>\n A renamed WinRAR executable \u2014 disguised as a PNG image file \u2014 then uses that retrieved password to extract the real payload.\u00a0<\/p>\n The extracted content includes a renamed Python interpreter called\u00a0 The script first bypasses Windows Defender\u2019s Antimalware Scan Interface by patching memory directly, preventing the system from scanning what follows.<\/p>\n It then establishes registry persistence under\u00a0 The script also takes a full-screen screenshot, collects the machine hostname, username, and installed antivirus product<\/a> names, then sends all of it to the command-and-control server via an HTTPS POST request.<\/p>\n Finally, two identical .NET loader files decrypt and load PureLog Stealer directly into memory, leaving no files on disk for antivirus tools to find.<\/p>\n Organizations should train employees to treat unexpected emails about copyright violations with caution, especially those containing download links. <\/p>\n Security teams should monitor registry Run keys for unusual entries, watch for Python or WinRAR processes executing from non-standard directory paths, and block outbound connections to known malicious domains<\/a>. <\/p>\n Behavioral detection tools and network telemetry are essential, as traditional signature-based antivirus may miss this campaign entirely due to its fileless execution design.<\/a><\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Copyright-Themed Lures Deliver Multi-Stage PureLog Stealer in New Credential Theft Campaign<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nInside the Multi-Stage Infection Chain<\/strong><\/h2>\n
![\"Infection](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEglPaRheSQBxA_lzJ_BFIkXLud4m2ik7PPlsBE3CPCW2EaPsnSJ1d_Zw6rHhxLudNVwLuhNTk_cJ7WO5kWiUQb1ZTQlCf6fh902se9A8ntaWTsn8JKsjvqb5o7n-7DyxCIOh0O0G5-Bon-1bpDeJ8MNTimavel4MpwD9fknvMRQi9wvI3M8n_WKheJbX48\/s16000\/Infection%2520chain%2520of%2520the%2520attack%2520%28Source%2520-%2520Trend%2520Micro%29.webp?ssl=1\")
invoice.pdf<\/code>.<\/a><\/p>\n![\"Malicious](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh70QSqKkvOsburGwBVECmfCwxm50J2BlCYnyiON1ZMLOzhIb2fIZoji86lfm5N3XhnOQCN9JRMEHmmNCOFhH1wHkW4QzRxa3Jfgd4FcN0PAKGcS2VdO77XGmBnJxkErbffBEE2YG8LlQKfFsjjZfJVTBDbOcS8aBat4-1OkLcnq6Uc_kTmUT2qzd6d_gk\/s16000\/Malicious%2520lure%2520download%2520from%2520unknown%2520source%2520%28Source%2520-%2520Trend%2520Micro%29.webp?ssl=1\")
svchost.exe<\/code>\u00a0and a heavily obfuscated Python script named\u00a0instructions.pdf<\/code>. <\/p>\n![\"Python](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgOv-ZZjd2OlRC8oSgRZxz8Qq_YNoPeTQme3quhVDqQbweiQYJhDbP2tnmEEw5enQD4VqNapZ_Xhb1uYvdR40jKKWcOagUfwEnQdROdvYOJ6sMxbVuXjYy1fgWY__UGME_7cMnVguMrnKGK6I5m1jpPUKfN4uzlAjFDcpYtBsX47C6LUzkEA52u3VvHU6U\/s16000\/Python%2520code%2520patching%2520AMSI%2520in%2520memory%2520%28Source%2520-%2520Trend%2520Micro%29.webp?ssl=1\")
HKCURunSystemSettings<\/code>, ensuring the malware restarts automatically on every user login.\u00a0<\/p>\n![\"Infection](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhTMskKiGnVDLktqbpyxyXMmHF_It1BrMAtZ8_I7qCxXsU6zJIuz5inaOFAIrNAF9isZSdbRJNl_km64CDxtfedYmJ4s7mWbAqu-zEUZi4Z467Xb1a2BwA9d5-B3n0o4FdCxRK72cWBvRAMXRe2FNSgUrxKaLrQF59YLgUgGDuJhTawuTK-69Gq_GatrL0\/s16000\/Infection%2520chain%2520for%2520PureLog%2520Stealer%2520%28Source%2520-%2520Trend%2520Micro%29.webp?ssl=1\")