
Copyright Lures Mask a Multi-Stage PureLog Stealer Attack on Key Industries

· Published 20/03/2026 09:13 · Modified 20/03/2026 08:46


Essential information

Published: 20/03/2026 09:13
Modified: 20/03/2026 08:46
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: copyright lure, evasion techniques, fileless execution, information theft, multi-stage attack, purelog stealer, targeted campaign
Tags: 2026-03-20, copyright lure, evasion techniques, fileless execution, information theft, multi-stage attack, purelog stealer, targeted campaign
Related entities: 18 indicators, 18 observables, 18 techniques (mitre), 1 malware, 15 others

Description

A sophisticated malware campaign delivering has been identified, targeting healthcare, government, hospitality, and education sectors in multiple countries. The attack uses localized copyright violation lures to trick victims into executing a multi-stage infection chain. The malware employs encrypted payloads, remote key retrieval, and techniques to evade detection. It utilizes a Python-based loader and dual .NET loaders to run entirely in memory. The campaign incorporates AMSI bypass, registry persistence, screenshot capture, and victim fingerprinting for stealth and intelligence gathering. Evidence confirms communication with PureLog-associated infrastructure.

External references