惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Archives - TechRepublic
Security Archives - TechRepublic
T
The Exploit Database - CXSecurity.com
P
Proofpoint News Feed
Scott Helme
Scott Helme
NISL@THU
NISL@THU
Cisco Talos Blog
Cisco Talos Blog
C
Cybersecurity and Infrastructure Security Agency CISA
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
J
Java Code Geeks
U
Unit 42
The GitHub Blog
The GitHub Blog
H
Help Net Security
T
Tenable Blog
aimingoo的专栏
aimingoo的专栏
Jina AI
Jina AI
Spread Privacy
Spread Privacy
Apple Machine Learning Research
Apple Machine Learning Research
人人都是产品经理
人人都是产品经理
L
Lohrmann on Cybersecurity
T
Threatpost
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Engineering at Meta
Engineering at Meta
A
About on SuperTechFans
I
InfoQ
Microsoft Azure Blog
Microsoft Azure Blog
B
Blog
L
LINUX DO - 最新话题
K
Kaspersky official blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Threat Research - Cisco Blogs
C
Check Point Blog
T
The Blog of Author Tim Ferriss
有赞技术团队
有赞技术团队
宝玉的分享
宝玉的分享
Help Net Security
Help Net Security
Google DeepMind News
Google DeepMind News
A
Arctic Wolf
Y
Y Combinator Blog
N
News | PayPal Newsroom
M
MIT News - Artificial intelligence
Latest news
Latest news
H
Hacker News: Front Page
Blog — PlanetScale
Blog — PlanetScale
腾讯CDC
I
Intezer
爱范儿
爱范儿
F
Fortinet All Blogs
P
Palo Alto Networks Blog
C
CERT Recently Published Vulnerability Notes

Fortinet All Blogs

The TTF Trap: A Global Campaign of a Low-Detection Lua Loader | FortiGuard Labs Helping Law Enforcement Keep Pace with the Future of Cybercrime | Fortinet Blog FortiEndpoint Expands Security for the AI Era | Fortinet Blog Cyber Attacks Leveraging AI Require Behavior-First Security Training, Not Simply Better Awareness | Fortinet Blog The AI Era Needs a New SASE. Here’s What That Actually Looks Like. | Fortinet Blog Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula | FortiGuard Labs Update on Fortinet Use of Frontier AI | CISO Collective Fortinet Supports INTERPOL Operation CyberProtect III Targeting Online Exploitation From CI/CD to Cloud Data: How Shai Hulud Persistence Leads to Redshift Breach | FortiGuard Labs Fortinet Launches Its Product Carbon Footprint Calculator FortiSASE Training Builds Skills for Secure Access Success | Fortinet Blog Analysis of Reported Credential Compromise of FortiGate Devices | Fortinet Blog Teaching Cybersecurity the Way It’s Actually Used | Fortinet Blog Introducing FortiSOC: One Platform, Total Control | Fortinet Blog Public-Private Cooperation Is Critical to AI-Driven Cyber Defense | Fortinet Advancing Threat-Informed Defense through Fortinet’s Collaboration with MITRE CTID | Fortinet Threat Actors Weaponize AI Hype to Deliver AsyncRAT | FortiGuard Labs Fortinet Achieves 1 Million People Trained in Cybersecurity Goal Ahead of Schedule | Fortinet Blog While OT Security Is Maturing, Risk Is Not Slowing Down | Fortinet Blog AI Policy Meets Operational Reality: White House AI Cybersecurity Order Calls for Public-Private Coordination | Fortinet Blog Executive Q&A: Strong Q1 Momentum Driven by Differentiated Innovation and Customer Demand | Fortinet Fortinet Earns AV-Comparatives Certification for EDR Detection Visibility | Fortinet Blog Cybercriminals Are Targeting the FIFA World Cup 2026 | FortiGuard Labs Fortinet Achieves AV-Comparatives Certification for Process Injection Protection | Fortinet Blog Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO | FortiGuard Labs Battling AI-Based Threats with FortiNDR | Fortinet Blog Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data Defending Critical Infrastructure: Why OT Security Demands a Threat-Informed Approach | CISO Collective Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise | FortiGuard Labs Fortinet Expands Cybersecurity Investment in the United Arab Emirates | Fortinet Blog The Future of Connectivity | Fortinet Blog Fortinet at the World Economic Forum: Frontier AI models, AI-Driven Threats, Deepfakes, and the Future of Cyber Defense | Fortinet Blog The Fortinet 2025 Sustainability Report | Fortinet Blog Supercharged Security: Security in the Time of Mythos | CISO Collective Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign | FortiGuard Labs AI Security Is an Architectural Decision | Fortinet Blog Fortinet Training Institute Wins Industry Accolades | Fortinet Blog Shadow AI: The Invisible Risk Growing Inside Your Organization | Fortinet Blog Leading by Example in Sustainability: Fortinet Expands Global EPD Certification | Fortinet Blog When Cybercrime Becomes an Industry | Fortinet Blog FortiOS 8.0: Redefining Secure Networking in the AI and Quantum Era | Fortinet Blog Securing the Physical World as It Comes Online | Fortinet Blog Why the 2026 AI Cybersecurity Summit Matters | Fortinet Blog DPRK-Related Campaigns with LNK and GitHub C2 | FortiGuard Labs AI Is Changing Application Threats Faster Than Teams Can Adapt | Fortinet Blog Announcing the Fortinet Training Institute’s 2026 ATC Award Winners | Fortinet Blog Disrupting Cybercrime Networks at Scale Requires Sustained Global Collaboration | Fortinet Blog
PureLogs: Delivery via PawsRunner Steganography | FortiGuard Labs
Winnie Lin and Yurren Wan · 2026-05-15 · via Fortinet All Blogs

Affected Platforms: Microsoft Windows
Impacted Users: Any organization
Impact: Attackers Stolen data may be leveraged for follow-on attacks
Severity Level: High

The use of steganography in the threat landscape continues to accelerate. Threat actors are increasingly shifting from direct encrypted transfers to a 'legitimate-file-plus-hidden-data' model, effectively masking their next-stage payloads within everyday media.

FortiGuard Labs recently uncovered a phishing campaign that abuses environment variables to hide malicious commands and uses PawsRunner as a Steganography Loader to deploy the .NET infostealer PureLogs.

Figure 1: Attack flow

This blog outlines the malware's delivery vector and provides a technical analysis of PawsRunner and the subsequent deployment of an evolved PureLogs payload.

Initial Access

The attack campaign begins with a phishing email containing an TXZ archive (an XZ-compressed TAR file) as an attachment, as illustrated in Figure 2. It uses an invoice-themed lure and a sense of urgency to prompt the recipient to open the attachment without delay.

Figure 2: The phishing e-mail

JavaScript

The JavaScript file extracted from the archive contains several functions, each preceded by irrelevant comments. These comments are in a mix of languages, including Chinese, Japanese, Korean, Russian, Hindi, and Arabic, as shown in Figure 3.

Figure 3: Comments are a mix of several languages

The functions declare a large number of Process environment variables containing garbled text. It then launches conhost.exe in headless mode to hide malicious activity. The invoked PowerShell also uses the -w hidden flag to hide the PowerShell window. The command executed is specified by one of these variables.

Figure 4: One of the environment variables executed by PowerShell.

The PowerShell script first retrieves data from Process environment variables, then decodes and decrypts its payload using the AES algorithm, and finally decompresses it using the Gzip method. The resulting .NET assembly—the executable payload—is then loaded and executed dynamically via reflection in a fileless manner.

Figure 5: The resulting .NET assembly is dynamically loaded via reflection.

.NET Assembly Loader

The .Net assembly will decrypt and load the next stage, which is also an executable file.

Figure 6: The next-stage loader is loaded.

The decrypted EXE loader provides various modules. Interestingly, as shown in Figure 7, the loader commonly uses cat photos for its application icon.

Figure 7: The loader uses cat photos for its application icon.

The loader initializes static fields with configuration data, including an encrypted payload URL, user-agent, seed, magic number, and other settings. Additionally, it loads native libraries and resolves addresses for necessary API functions.

Figure 8: Initializing static fields with configuration data.

After the initial setup, the loader performs preliminary configuration to prepare for download. The download URL is decrypted using the RC4 algorithm, as shown in Figure 9.

Figure 9: The download URL is decrypted.

After that, the download module cycles through three hard-coded pairs of user-agents and three network APIs (HttpClient, WebClient, and WebRequest), as shown in Figure 10.

Figure 10: The loader iterates different network APIs to download data.

Furthermore, when issuing the download request, the loader specifies a hierarchical preference in the Accept header. It prioritizes image/png, then image/*, and finally */*, explicitly requesting the server to return a PNG image as the preferred response type if available.

The downloaded data may contain three types of content: HTML, Base64-encoded data, and a PNG file. It is processed accordingly based on its type.

  • For HTML content, a new URL is extracted from the HTML, the original download link is replaced with it, and the data is then attempted to be downloaded from the updated URL.
  • Base64-encoded data is first decoded. The decoded data and the PNG file are then processed in the same way: the image file uses steganography to conceal data within the picture and uses “iTXt” and “IEND” chunks as markers to locate the encrypted data. This data is then used to decrypt the next stage of the payload. Interestingly, the PNG files we have downloaded also include images of cats.

After decoding the PNG file, we obtained another .NET execution file.

Figure 11: Data embedded in the PNG file.

However, the loader also provides a fallback mechanism. If the download fails or the payload cannot be extracted from the downloaded data, it will use an alternate set of URLs from the configuration as a fallback. In the sample we’ve analyzed, the fallback URLs are empty.

After bypassing ETW and Windows 11 (24H2) security features, the next-stage payload is executed.

We have been tracking similar loaders since March of this year and have observed several evolutions. Initially, the loader simply downloaded and executed a PE file. It later transitioned to extracting an encrypted payload from image files using steganography.

Furthermore, a version discovered in early April included a persistence module. Notably, the initial versions lacked a fallback URL mechanism. However, since the beginning, the loader has consistently attempted to download data using various Network APIs, and the decrypted EXE loader has consistently used cat photos for its application icon.

Figure 12: The initial version simply downloaded and executed a PE file.

A closer examination of the loader revealed strong similarities to a previously unidentifiedprogram. Its initialization routines, naming conventions, and methods for resolving required API functions are very similar to those of that program, as illustrated in Figure 13. Consequently, we chose the name from the earlier sample and call this loader PawsRunner.

Figure 13: The loader is highly similar to PawsRunner.

The next section provides a detailed examination of 'Purelogs,' the final-stage payload delivered by PawsRunner.

PureLogs is an infostealer from the Pure family of products developed by PureCoder. As the most prominent member of the Pure family’s malware, it uses .NET Reactor for protection and employs Protobuf serialization for its configuration data.

In this attack campaign, the executable first loads a resource-only assembly that contains no executable code, only resource data. It then decrypts and decompresses the resource data as a .NET DLL using TripleDES and Gunzip, as shown in Figure 14.

Figure 14: Loading a resource-only assembly for the next stage.

This DLL acts as a downloader. It first parses Base64-encoded data and then deserializes it to obtain the final configuration.

Figure 15: Configuration

After retrieving the configuration, the malware extracts the C2 server details, Build ID, AES key, a mutex name, and feature flags. As shown in Figure 16, it then executes asynchronous methods to send an HTTP request to the /ping endpoint over TLS to verify connectivity. Once the connection is confirmed, it retrieves the next-stage payload by requesting the /plugin endpoint.

Figure 16: Concatenating the URL within TestConnectionAsync.

The downloaded encrypted payload must be decrypted with AES-256 in CBC mode, using the key specified in the configuration. After decryption and decompression with gzip, the PureLogs core DLL is loaded into memory, and its entry point is invoked.

PureLogs retrieves its configuration from parameters passed during invocation. Consistent with the previous layer, this component performs a connectivity test before initiating the collection routine. It first collects the victim information as detailed below and reports it to the C&C server via an HTTP request. It then gathers victim system information—as detailed below—and exfiltrates it to the C2 server via HTTP requests. This stage leverages Windows Management Instrumentation (WMI) to profile the victim's system environment. Based on the configuration, the version appears to be 5.0.0.

Figure 17: Sending the collected information to the remote server using /userinfo

Next, it performs a series of asynchronous tasks as shown in Figure 18—<CreateDemoApplicationAsync>, <CreateDemoBrowserDataAsync>, <CreateDemoBrowserDataAsync>, <CreateDemoDiscordAsync>, and <CreateDemoFileSearchAsync>—each similar to the previous version. The key difference is that, in this version, it sends updates to a remote server during each task via HTTP requests.

Figure 18: The harvesting routine is executed via asynchronous tasks.

The following is a list of harvested items:

Web browsers:

Google Chrome, Chrome Beta, Chrome SxS, Chrome Dev, Chrome Unstable, Chrome Canary, Chromium, Microsoft Edge, Brave, Epic Privacy Browser, Amigo, Vivaldi, Kometa, Orbitum, Mail.Ru Atom, Comodo Dragon, Torch, Comodo, 360 Chrome, Slimjet, Maxthon, QQ Browser, K-Meleon, Xpom, Lenovo SLBrowser, Xvast, Go!, Safer Secure Browser, Sputnik, Nichrome, CocCoc, Uran, Chromodo, 7Star, Chedot, CentBrowser, Iridium, Elements Browser, Citrio, Sleipnir, QIP Surf, Liebao, Coowon, ChromePlus, Rafotech Mustang, Suhba, TorBro, RockMelt, Bromium, Twinkstar, iTop Private Browser, CCleaner Browser, AcWebBrowser, CoolNovo, Baidu Spark, SRWare Iron, Titan Browser, AVAST Browser, AVG Browser, UC Browser, UR Browser, Blisk, Flock, CryptoTab, Sidekick, SwingBrowser, Superbird, SalamWeb, GhostBrowser, NetboxBrowser, GarenaPlus, Kinza, InsomniacBrowser, ViaSat, Naver Whale, Falkon, Sogou Explorer, Opera Stable, Opera GX, Opera Neon, Opera Crypto Developer, Yandex Browser, Firefox, SeaMonkey, Waterfox, K-Meleon, Thunderbird, IceDragon, Cyberfox, BlackHawk, Pale Moon, Basilisk, BitTube, SlimBrowser, LibreWolf, Mercury.

Extensions: (crypto wallets, password managers, and authenticators)

lgmpcpglpngdoalbgeoldeajfclnhafa-SafePal
phkbamefinggmakgklpkljjmgibohnba-Pontem Aptos
mcohilncbfahbmgdjkbpemcciiolgcge-OKX
idnnbdplmphpflfnlkomgpfbpcgelopg-xverse.app
opfgelmcmbiajamepnmloijbpoleiama-Rainbow
ocjdpmoallmgmjbbogfiiaofphbjgchh-Elli-Sui
gojhcdgcpbpfigcaejpfhfegekdgiblk-Opera
ejjladinnckdgjemekebdpeokbikhfci-Petra Aptos
gjagmgiddbbciopjhllkdnddhcglnemk-Hashpack
afkoofjocpbclhnldmmaphappihehpma-zkPass TransGate
abogmiocnneedmmepnohnhlijcjpcifd-Blade-Hedera Web3 Digital
fcfcfllfndlomdhbehjjcoimbgofdncg-Leap Cosmos
kppfdiipphfccemcignhifpjkapfbihd-Frontier
jgaaimajipbpdogpdglhaphldakikgef-Coinhub
ifclboecfhkjbpmhgehodcjpciihhmif-Klever
loinekcabhlmhjjbocijdoimmejangoa-Glass-Sui
dngmlblcodfobpdpecaadgfbcggfjfnm-MultiversX DeFi
ebfidpplhabeedpnhjnobghokpiioolj-Fewcha Move
mmmjbcfofconkannjonfmjjajpllddbg-Fluvi
cnncmdhjacpkmjmkcafchppbnpnhdmon-HAVAH
onhogfjeacnfoofkfgppdlbmlmnplgbn-SubWallet - Polkadot
anokgmphncpekkhclmingpimjmcooifb-compass-wallet-for-sei
hbbgbephgojikajhfbomhlmmollphcad-Rise - Aptos
heefohaffomkkkphnlpohglngmbcclhi-Morphis
jkjgekcefbkpogohigkgooodolhdgcda-BitPay
ojggmchlghnjlapmfbnjholfjkiidbch-Venom
ibnejdfjmmkpcnlpebklmnkoeoihofec-TronLink
fihkakfobkmkjojpchpfgcmhfjnmnfpi-BitApp
nkbihfbeogaeaoehlefnkodbefgpgknn-MetaMask
aholpfdialjgjfhomihkjbmgjidlcdno-Exodus
egjidjbpglichdcondbcbdnbeeppgdph-Trust
jnlgamecbpmbajjfhmmmlhejkemejdma-Braavos Smart
ffnbelfdoeiohenkjibnmadjiehjhajb-Yoroi
fhbohimaelbohpjbbldcngcnapndodjp-Binance Chain
aiaifbiceejhhkfbjdgonjgljkpcdhch-Jaxx Liberty
kncchdigobghenbbaddojjnnaogfppfj-iWallet
ijmpgkjfkbfhoebgogflfebnmejmfbml-BitClip
aiifbnbfobpmeekipheeijimdpnlpgpp-Terra Station
hifafgmccdpekplomjjkcfgodnhcellj-EQUAL
amkmjjmmflddogmhpjloimipbofnfjih-Wombat
jnldfbidonfeldmalbflbmlebbipcnle-Nifty
afbcbjpbpfadlkmhmclhkeeodmamcflc-Math
hpglfhgfnhbgpjdenjgmdgoeiappafln-Guarda
aeachknmefphepccionboohckonoeemg-Coin98
mnfifefkajgofkcjkemidiaecocnkjeh-TezBox
dkdedlpgdmmkkfjabffeganieamfklkm-Cyano
hnfanknocfeofbddgcijnmhnfnkdnaad-Coinbase
bfnaelmomeimhlpmgjnjophhpkkoljpa-Phantom
fcckkdbjnoikooededlapcalpionmalo-MOBOX
bocpokimicclpaiekenaeelehdjllofo-XDCPay
bhhhlbepdkbapadjdnnojkbgioiodbic-Solana
cmndjbecilbocjfkibfbifhngkdmjgog-Swash
cjmkndjhnagcfbpiemnkdpomccnjblmj-Finnie
dmkamcknogkgcdfhhbddcghachkejeap-Keplr
kpfopkelmapcoipemfendmdcghnegimn-Liquality
hgmoaheomcjnaheggkfafnjilfcefbmo-Rabet
fnjhmkhhmkbjkkabndcnnogagogbneec-Ronin
klnaejjgbibmhlephnhpmaofohgkpgkd-ZilPay
hmeobnfnfcmdkdcmlblgagmfpfboieaf-XDEFI
lpilbniiabackdjcionkobglmddfbcjo-Waves Keeper
gflpckpfdgcagnbdfafmibcmkadnlhpj-GreenAddress
fhmfendgdocmcbmfikdcogofphimnkno-Sollet
flpiciilemghbmfalicajoolhkkenfel-ICONex
nlbmnnijcnlegkjjpcfjclmcfggfefdm-MEW CX
cphhlgmgameodnhkjdmkpanlelnlohao-NeoLine
hcflpincpppdclinealmandijcmnkbgn-KHC
nlgbhdfgdhgbiamfdfmbikcdghidoadd-Byone
ilbbpajmiplgpehdikmejfemfklpkmke-OneKey
pfknkoocfefiocadajpngdknmkjgakdg-MetaWallet
bhmlbgebokamljgnceonbncdofmmkedg-Atomic
hieplnfojfccegoloniefimmbfjdgcgp-Electrum
pidhddgciaponoajdngciiemcflpnnbg-Mycelium
blbpgcogcoohhngdjafgpoagcilicpjh-Coinomi
doljkehcfhidippihgakcihcmnknlphh-Edge
nbokbjkelpmlgflobbohapifnnenbjlh-BRD
apjdnokplgcjkejimjdfjnhmjlbpgkdi-Samourai
jifanbgejlbcmhbbdbnfbfnlmbomjedj-Bread
dojmlmceifkfgkgeejemfciibjehhdcl-KeepKey
pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln-Ledger Live
hbpfjlflhnmkddbjdchbbifhllgmmhnm-Ledger
ocmfilhakdbncmojmlbagpkjfbmeinbd-Bitbox
dbhklojmlkgmpihhdooibnmidfpeaing-Digital Bitbox
pnlccmojcmeohlpggmfnbbiapkmbliob-RoboForm
cnlhokffphohmfcddnibpohmkdfafdli-MultiPassword
aeblfdkhhhdcdjpifhhbdiojplfjncoa-1Password-fox
fdjamakpfbbddfjaooikfcpapjohcfmg-Dashlane
lgbjhdkjmpgjgcbcdlhkokkckpjmedgc-DualSafe Password Manager
imloifkgjagghnncjkhggdhalmcnfklk-Trezor Password Manager
gaedmjdfmmahhbjefcbgaolhhanlaolb-Authy
bhghoamapcdpbohphigoooaddinpkbai-Authenticator
ilgcnhelpchnceeipipijaljkblbcobl-GAuth Authenticator
oeljdldpnmdbchonielidgobddffflal-EOS Authenticator
oboonakemofpalcgghocfoadofidjkkk-KeePassXC
nngceckbapebfimnlniiiahkandclblb-Bitwarden
fooolghllnmhmmndgjiamiiodkpenpbb-NordPass
bfogiafebfohielmmehodmfbbebbbpei-Keeper
hdokiejnpimakedhajhdlcegeplioahd-LastPass
naepdomgkenhinolocfifgehidddafch-BrowserPass
bmikpgodpkclnkgmnpphehdgcimmided-MYKI
jhfjfclepacoldmjmkmdlmganfaalklb-Splikity
chgfefjpcobfbnpmiokfjjaglahmnded-CommonKey
nhhldecdfagpbfggphklkaeiocfnaafm-SAASPASS
fpabdmjmldajnkijknogckkhlmbnfiog-Telos Authenticator
igkpcodhieompeloncfnbekccinhapdb-Zoho Vault
admmjipmmciaobhojoghlmleefbicajg-Norton Password Manager
caljgklbbfbcjjanaijlacgncafpegll-Avira Password Manager
ppdjlkfkedmidmclhakfncpfdmdgmjpm-Aegis Authenticator
cfoajccjibkjhbdjnpkbananbejpkkjb-LastPass Authenticator
lbfeahdfdkibininjgejjgpdafeopflb-KeePass
eidlicjlkaiefdbgmdepmmicpbggmhoj-Duo Mobile
bobfejfdlhnabgglompioclndjejolch-OTP Auth
elokfmmmjbadpgdjmgglocapdckdcpkn-FreeOTP
klghhnkeealcohjjanjjdaeeggmfmlpl-Zerion
pdliaogehgdbhbnmkklieghmmjkpigpa-Bybit
cpmkedoipcpimgecpmgpldfpohjplkpp-Gate
jiidiaalihmmhddjgbnbgdfflelocpak-Bitget
apenkfbbpmhihehmihndmmcdanacolnh-SafePal
cpojfbodiccabbabgimdeohkkpjfpbnf-Rainbow
ejbalbakoplchlghecdalmeeeajnimhm-MetaMask
hkkpjehhcnhgefhbdcgfkeegglpjchdc-Braavos Smart
akoiaibnepcedcplijmiamnaigbepmcb-Yoroi
mlbafbjadjidklbhgopoamemfibcpdfi-Binance Chain
ajkhoeiiokighlmdnlakpjfoobnjinie-Terra Station
nggcakhlblakghejdigkaekbhicfkckn-EQUAL
oemdnnhhfhdhilalibobndhoahcaiboe-Wombat
dfeccadlilpndjjohbjdblepmjeahlmm-Math
iaociiajffacjhhmleclkjdchjhdmjpb-TezBox
ocodgmmffbkkeecmadcijjhkmeohinei-Keplr
kjmoohlgokccodicjjfebfomlbljgfhk-Ronin
nkaemodamjfefjgbefolnpnlccpdfpap-Waves Keeper
bbcinlkgjjkejfdpemiealijmmooekmp-LastPass
lfochlioelphaglamdcakfjemolpichk-Keeper Password Manager
jbkfoedolllekgbhcbcoahefnbanhhlh-bitwarden
ljfpcifpgbbchoddpjefaipoiigpdmag-RoboForm
ocglkepbibnalbgmbachknglpdipeoio-Authenticator
dppgmdbiimibapkepcbdbmkaabgiofem-1Password
pdffhmdngciaglkoonimfcmckehcpafo-KeePassXC
gehmmocbbkpblljhkekmfhjpfbkclbph-Dashlane
nofkfblpeailgignhkbnapbephdnmbmn-MYKI
ghocjofkdpicneaokfekohclmkfmepbp-Exodus Web3
heaomjafhiehddpnmncmhhpjaloainkn-Trust
djclckkglechooblngghdinmeemkbgci-MetaMask
acdamagkdfmpkclpoglgnbddngblgibo-Guarda
okejhknhopdbemmfefjglkdfdhpfmflg-BitKeep
mijjdbgpgbflkaooedaemnlciddmamai-Waves Keeper

Wallet applications:

Qtum, Ethereum, Bitcoin, Dogecoin, Monero, DashCore, Litecoin, Bytecoin, Coinomi, Armory, MultiBit, Exodus, Electrum, Electrum-LTC, Atomic, Guarda, BitPay, Wasabi, ElectronCash, Sparrow, IOCoin, PPCoin, BBQCoin, Mincoin, DevCoin, YACoin, Franko, FreiCoin, InfiniteCoin, GoldCoin, Binance, Terracoin, Daedalus Mainnet, MyMonero, MyCrypto, Bisq, Zap, Simpleos, Neon, bitmonero, Etherwall.

Communication applications:

Discord, DiscordCanary, DiscordPTB, DiscordDevelopment, Lightcord, Telegram, Signal, Pidgin.

Others:

Steam, OpenVpn, PhontanVPN, Ngrok, OBS Studio, FileZilla, WinSCP, FoxMail, MailBird, MailMaster, Outlook.

For C2 communication, instead of using sockets like the previous version, it uses HTTP requests with different endpoints for each action, including /ping, /plugin, /userinfo, /browser, /application, /crypto, /discord, /filesearch/req, /filesearch/res, and /finish.

As shown in Figure 19, PureLogs transmitted the harvested data through multiple requests, using specified URLs and the POST method based on the type of collected data. All transmitted data was encrypted with AES and compressed with Gzip.

Figure 19: Network Communication with C2.

Conclusion

Don't let seemingly harmless media files fool you. Increasingly, malware uses steganography to hide within these files. From strange bitmaps to cute cat pictures, everyday images are being weaponized to secretly transmit encrypted malicious code across networks without raising suspicion.

In this article, we uncovered an attack campaign involving a new steganography loader, PawsRunner, to deliver the well-known .NET infostealer, PureLogs. The infection chain begins with a phishing email that delivers a TXZ archive. The embedded JavaScript uses a sophisticated technique to store decoded malicious commands in environment variables, which then triggers a decrypted steganographic .NET loader. This loader retrieves the final payload by extracting encrypted data hidden within a cat image. This version of PureLogs uses extensive async/await patterns to improve task efficiency and complicate analysis. Additionally, it uses HTTPS for its Command and Control (C2) communications.

Fortinet Protections

The malware described in this report are detected and blocked by FortiGuard Antivirus as:

EML/Phishing.973A!tr
JS/Formbook.VEN!tr
MSIL/Agent.6942!tr
MSIL/WSA!tr
MSIL/Kryptik.AQAJ!tr
MSIL/WOF!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard Antivirus Service. The FortiGuard antivirus engine is included in each of those solutions. As a result, customers with these products and up-to-date protections are protected, and customers can enforce the blocking of the unusual TXZ file format.

The FortiGuard CDR (content disarm and reconstruction) service can disarm malicious macros within the document.

FortiGuard Labs provides the Purelogs.Botnet IPS signature to block communications with the PureLogs C2 network.

We also suggest that organizations take the free Fortinet Certified Fundamentals (FCF) cybersecurity training. The training is designed to help users understand today's threat landscape and to introduce basic cybersecurity concepts and technology.

FortiGuard IP Reputation and the Anti-Botnet Security Service proactively block malware attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence on hostile sources.

If you believe this or any other cybersecurity threat has affected your organization, please contact the Global FortiGuard Incident Response Team.

IOCs

C2:

5[.]101[.]84[.]202

URLs:

hxxps://everycarebd[.]com/imagelkjh0987[.]png

SHA256:

8d0bcde739929fe41a6bcaaa62f7cba802af90b2ba8dea6ed1a4821236cdd588
6910d27b9e1dc2229a8c280f5d0cea85146d50274c56a4d9a5b8d1793505b1b9
93724f1a9ad3a28c171927fc449ac34dc6ca890f915f00210e8b305577388c6e
0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e
1b730de72f921458b6b162b105a9521a931f07e19d3cac53207c7a8efbc412f9
e2308749f6b7b7573009d0cac6616a6aa83cecb1f2933e868776400d122c86ec