Steganography and Stealth: How the PawsRunner Loader Deploys PureLogs Infostealer

Modern threat actors are increasingly moving away from overt malicious files, opting instead for sophisticated “living-off-the-land” techniques and data concealment. A recent campaign has highlighted a particularly effective evolution in this trend, demonstrating how attackers can leverage innocuous-looking assets to bypass traditional perimeter defenses.

The infection chain typically begins with a highly targeted phishing email containing a TXZ archive. Using social engineering tactics—often disguised as an “urgent invoice”—the attackers create a sense of temporal pressure to discourage the user from performing deep file inspection. Once the archive is extracted, the victim is met with a JavaScript file that serves as the initial stage of the infection.

To frustrate automated sandbox analysis and manual reverse engineering, the JavaScript is cluttered with a massive amount of “noise.” This includes misleading comments written in a diverse array of languages, including Chinese, Japanese, Korean, Russian, Hindi, and Arabic. Beneath this linguistic camouflage, the script defines a series of environment variables that house obfuscated malicious commands.

The script then initiates a silent execution flow by launching PowerShell in hidden mode via conhost.exe. To maintain a minimal forensic footprint, the script employs a sophisticated in-memory execution strategy: it decrypts its primary payload using AES, decompresses it via Gzip, and executes it directly in memory through reflection. This ensures that the malicious code never touches the physical disk in its unencrypted state.

This decrypted payload is identified as PawsRunner, a custom .NET-based loader. According to a report from FortiGuard Labs, PawsRunner acts as a highly modular delivery vehicle for the PureLogs infostealer. A unique, almost whimsical signature of this loader is its frequent use of cat images as its application icon—a small detail that has become a consistent trait across analyzed samples.

PawsRunner is architected for resilience. It initializes complex configuration data, including encrypted Command-and-Control (C2) URLs and specific network settings. It utilizes RC4 decryption to unlock these URLs and employs a rotation of APIs, such as HttpClient and WebRequest, to attempt payload downloads. If a primary download path fails, the loader utilizes fallback mechanisms to maintain its connection to the attacker’s infrastructure.

Attack flow (Source : FortiGuard).
Attack flow (Source : FortiGuard).

The Steganographic Pivot: Hiding in Plain Sight

The most significant technical innovation in this campaign is the loader’s reliance on steganography. Rather than downloading traditional executable files, PawsRunner prioritizes PNG images in its HTTP responses. This is a clever evasion tactic; most security gateways view image files as low-risk.

When a PNG is retrieved, the loader scans the image’s internal structure for specific markers within PNG chunks, such as iTXt and IEND. The encrypted payload is embedded within these chunks. To a casual observer or a standard antivirus scanner, it appears to be a harmless cat photo; to PawsRunner, it is a container for the next stage of the attack.

Comments are a mix of several languages (Source : FortiGuard).
The JavaScript noise layer uses a mix of several languages to evade analysis (Source : FortiGuard).

The Final Payload: PureLogs Infostealer

Once the loader has successfully extracted the payload from the image, it deploys PureLogs. This is a sophisticated .NET-based infostealer belonging to the Pure malware family. The developers use .NET Reactor for advanced obfuscation and Protobuf for efficient configuration handling.

The execution flow of PureLogs is highly disciplined. It first loads a resource-only assembly, which is decrypted via TripleDES and decompressed into a functional DLL. This component is responsible for pulling critical environmental data, such as C2 server details and campaign-specific encryption keys. Before the heavy lifting begins, the malware performs a “heartbeat” check by hitting a /ping endpoint on its C2 server. Once connectivity is confirmed, it pulls specialized modules from /plugin endpoints, decrypts them with AES-256, and executes them in memory.

The loader uses cat photos for its application icon (Source : FortiGuard).
The loader uses cat photos for its application icon (Source : FortiGuard).

PureLogs is an aggressive data harvester. It utilizes Windows Management Instrumentation (WMI) to profile the target system and systematically exfiltrates a vast array of sensitive data, including:

  • Browser Intelligence: Credentials, cookies, autofill data, and history from all Chromium- and Firefox-based browsers.
  • Financial Assets: Cryptocurrency wallet addresses, private keys, and browser extensions.
  • Identity & Access: Password manager databases and authenticator app data.
  • System Configuration: VPN profiles, messaging application data, and sensitive local files.

To maximize efficiency and avoid detection by network traffic analyzers, PureLogs uses asynchronous operations. Data is compressed with Gzip and sent via encrypted HTTP POST requests to dedicated endpoints like /browser, /crypto, and /filesearch.

Configuration (Source : FortiGuard).
Internal malware configuration structure (Source : FortiGuard).

This campaign marks a significant shift toward the “legitimate-file-plus-hidden-data” paradigm. As attackers move toward embedding payloads within common file types like PNGs, traditional signature-based detection becomes insufficient. Organizations must transition toward behavior-based detection, monitoring for unusual outbound HTTP traffic and deep file structure inspection to defend against these “hidden in plain sight” threats.

Indicators of Compromise (IOCs)

Command & Control (C2):

5[.]101[.]84[.]202

URLs:

hxxps://everycarebd[.]com/imagelkjh0987[.]png

SHA256 Hashes:

  • 8d0bcde739929fe41a6bcaaa62f7cba802af90b2ba8dea6ed1a4821236cdd588
  • 6910d27b9e1dc2229a8c280f5d0cea85146d50274c56a4d9a5b8d1793505b1b9
  • 93724f1a9ad3a28c171927fc449ac34dc6ca890f915f00210e8b305577388c6e
  • 0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e
  • 1b730de72f921458b6b162b105a9521a931f07e19d3cac53207c7a8efbc412f9
  • e2308749f6b7b7573009d0cac6616a6aa83cecb1f2933e868776400d122c86ec

Security Note: IP addresses and domains are defanged (e.g., [.]) to prevent accidental execution. Please re-fang these indicators only within secure, isolated threat intelligence platforms such as MISP, VirusTotal, or your enterprise SIEM.

Related Articles

Back to top button