PureLogs: Delivery via PawsRunner Steganography
Essential information
- Published
- 21/05/2026 15:39
- Modified
- 21/05/2026 17:12
- Tags
- .net 2026-05-21 credential-theft cryptocurrency wallets infostealer pawsrunner phishing purelogs steganography
- Related entities
- 8 observables, 2 malware, 1 others
Description
Attackers are concealing .NET infostealers within seemingly innocuous images to evade detection. A phishing campaign uses TXZ archive attachments with invoice-themed lures to initiate infection. The embedded JavaScript leverages environment variables to hide malicious commands, launching PowerShell to decode and decrypt payloads. PawsRunner, a steganography loader, extracts encrypted data from PNG images containing cat photos. This loader evolved from simple PE downloads to sophisticated steganographic extraction with fallback mechanisms. The final payload, PureLogs version 5.0.0, is a comprehensive infostealer from the Pure family that harvests credentials from browsers, cryptocurrency wallets, password managers, communication apps, and other applications. It employs extensive async/await patterns and communicates with command and control infrastructure via HTTPS using multiple endpoints to exfiltrate encrypted and compressed stolen data.