Copyright Complaint Lures Linked to New PureLog Stealer Credential Theft Wave
Criminals are actively deploying the PureLog Stealer malware through a sophisticated, multi-stage assault campaign that disguises itself as legitimate copyright infringement notifications.
This data-stealing malware operates silently to extract sensitive information, including browser credentials, browser extensions, cryptocurrency wallet details, and comprehensive system data.
The attack specifically targets organizations in the healthcare, government, education, and hospitality sectors across Germany, Canada, the United States, and Australia.

Security defenses now use specialized detection models monitoring suspicious executable downloads originating from URLs containing targeted advertising tracking parameters.
The Multi-Stage Infection Chain
According to Trend Micro, the attack sequence begins when a victim executes a malicious file disguised as a legal intellectual property document.
To avoid immediate detection, the malware executes a benign decoy PDF while the malicious payload operates silently in the background.
The malware uses the system command-line tool curl, with the custom “curl/meow_meow” user-agent string, to download an encrypted payload masquerading as an invoice PDF.
Instead of storing the decryption password locally, the malware dynamically retrieves this key from a remote command-and-control server.
This remote key retrieval prevents easy analysis of the payload without active network access and enables operators to closely control payload retrieval.
Upon obtaining the password, the malware extracts the encrypted payload using a renamed WinRAR application disguised as a standard PNG image file.
Advanced Evasion and Loader Capabilities
Following extraction, the malware securely erases staging files and shifts operations into a public Windows directory to mimic legitimate system behavior.
It subsequently executes a fileless Python loader. This loader, renamed as a standard Windows service host component, runs an obfuscated Python script labeled deceptively as a PDF instruction manual.
This Python loader features advanced capabilities specifically designed to bypass modern security measures.

It directly patches the Antimalware Scan Interface in memory to disable security scanning.
The loader establishes registry persistence under the current user to ensure automatic execution upon each system login.
It also conducts comprehensive system fingerprinting by enumerating antivirus products and captures full-screen desktop images, storing the resulting files entirely in memory before exfiltration.
In its final stage, the Python script concurrently launches two identical .NET loaders, providing built-in operational redundancy.

These loaders are heavily protected by ConfuserEx, an advanced obfuscator that fragments application control flow to hinder static analysis.
They utilize Triple-DES encryption and GZip compression algorithms to successfully decrypt the final payload.
The PureLog Stealer is then reflectively loaded directly into system memory.
By executing entirely within the managed memory heap and writing no operational files to the physical hard drive, the malware evades traditional endpoint detection tools monitoring standard file creation events.
Indicators of Compromise (IOCs)
| Indicator Type | Value | Description |
|---|---|---|
| SHA-256 | 35efc4b75a1d70c38513b4dfe549da417aaa476bf7e9ebd00265aaa8c7295870 |
Malicious ZIP Archive Lure |
| SHA-256 | 1539dab6099d860add8330bf2a008a4b6dc05c71f7b4439aebf431e034e5b6ff |
Malicious Executable Lure |
| SHA-256 | ac591adea9a2305f9be6ae430996afd9b7432116f381b638014a0886a99c6287 |
Shellcode Loader (urlmon.dll) |
| Domain | quickdocshare[.]com |
Payload Hosting & Key Retrieval |
| Domain | logs[.]bestshopingday[.]com |
PureLog Stealer C&C Infrastructure |
| IP Address | 166.0.184.127 |
PureLog Stealer C&C Server |
| IP Address | 64.40.154.96 |
Outbound Connection Target |