
Threat actors conceal PureLog infostealer in copyright infringement notices

A targeted phishing campaign is using localized copyright infringement notices to distribute the PureLog infostealer. By employing a multi-stage, fileless execution process, threat actors aim to bypass traditional defenses and access sensitive data in critical sectors.

Triage Security Media Team

Threat actors are using copyright-infringement notices to target multiple industry sectors in a fileless phishing campaign that distributes information-stealing malware.

The campaign, aimed at organizations in critical sectors including healthcare, government, hospitality, and education, attempts to install PureLog Stealer, a low-cost infostealer considered accessible enough for unauthorized parties to operate, according to a report by Trend Micro.

Primarily, the operation has targeted healthcare and government organizations in Germany and Canada. Trend Micro threat researchers Mohamed Fahmy, Allixon Kristoffer Francisco, and Jonna Santos noted that this indicates selective targeting and a structured, evasive delivery framework rather than simple mass malware distribution. Organizations in the US and Australia were also targeted.

For initial access, threat actors rely on phishing emails that use a sense of urgency to trick recipients into downloading a malicious executable tailored to the recipient's local language. This targeted delivery increases the apparent authenticity of the message and the likelihood of execution.

Recipients of the emails often believe they are reviewing a legal notice informing them of copyright violations. Instead, users manually execute what appears to be a PDF file. This initiates the execution of PureLog via a multistage, in-memory process that relies on multiple loaders and features a series of evasive maneuvers, including a bypass for Windows Defender's Antimalware Scan Interface (AMSI), anti-virtual machine techniques, and heavy code obfuscation.

The researchers note that the campaign uses a combination of social engineering, staged malware delivery, and in-memory execution to evade both detection and forensic analysis.

Phishing sequence designed for evasion

The intrusion sequence is designed from start to finish with a focus on evading detection by users and security teams. Opening the attachment or clicking on the link leads to a compressed archive containing what looks like a benign document, typically a PDF file. The archive also contains supporting files required for execution and a renamed legitimate tool, such as WinRAR, which is used to extract and launch components.

The execution flow features a two-stage loader process. The first loader, which is Python-based, initiates the sequence with an environmental check to detect sandbox or virtual machine environments. Further decryption of the malicious components then occurs through two successive .NET loaders. According to Trend Micro, these loaders obfuscate the execution flow and delay full exposure of the malware.

The Python-based loader and dual .NET loaders introduce redundancy and fileless execution pathways, ensuring that the final PureLog Stealer component launches reliably without leaving standard artifacts on the disk.

PureLog as the final component

As a further evasion tactic, the malware retrieves decryption keys from a remote server at runtime. This ensures that the components remain encrypted while not in execution mode, preventing security analysts from extracting the final malware without live execution.

This mechanism sets up the final deployment of the PureLog executable. It runs directly in memory, leaving scarcely any artifact trail, and bypasses many traditional defenses. Throughout the entire process, the malware uses AMSI bypass techniques, heavy code obfuscation, and anti-analysis checks to maintain stealth.

Once activated, the PureLog infostealer establishes persistence via registry modifications, captures screenshots, profiles the system, and harvests sensitive data. This includes Chrome browser credentials, browser extensions, cryptocurrency wallets, and system information.

Given its stealthy execution and layered delivery, successful compromise of a targeted system can result in credential theft, account takeover, and downstream unauthorized activity.

Defending against evasive phishing

With phishing campaigns becoming more complex through targeted social engineering and sophisticated evasion tactics, and amid a heightened geopolitical environment, it is critical for organizations to remain highly vigilant.

The evasion and obfuscation measures of the PureLog campaign, along with the in-memory execution of the malware, demonstrate the necessity of behavioral detection, network telemetry, and proactive threat hunting. This activity reflects a shift away from broad, opportunistic malware distribution toward more selective targeting across multiple countries.

To protect their environments, organizations can configure email filters to flag or sandbox messages containing legal threats and unexpected attachments. Security awareness training should also help users recognize unexpected legal or financial claims in their inboxes as high-risk items.
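The mail-filter rule the paragraph above describes, as an added example that is not code from the article or from Trend Micro: messages that combine legal-threat language with an archive attachment are routed to a sandbox, weaker matches are flagged for review, and everything else is delivered. The term lists (English and German, since the lure is localized), the score weights and thresholds, and the sample messages are all constructed for this demonstration and would be tuned per organization.

```python
"""Added example, not code from the article or the Trend Micro report.

A mail-filter heuristic for localized copyright-notice lures. Term lists,
weights, thresholds and sample messages are constructed for the demo.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Illustrative lists; extend per language the organization receives mail in.
LEGAL_TERMS = ("copyright infringement", "copyright violation", "legal action",
               "cease and desist", "dmca",
               "urheberrechtsverletzung", "abmahnung", "rechtliche schritte")
URGENCY_TERMS = ("within 24 hours", "within 48 hours", "immediately",
                 "innerhalb von 24 stunden", "umgehend")
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}


def message_text(msg: EmailMessage) -> str:
    """Subject plus the text body, lowercased for matching."""
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    return f"{msg['Subject'] or ''} {body_text}".lower()


def score_message(msg: EmailMessage):
    """Return (score, reasons) for one parsed message."""
    text = message_text(msg)
    score, reasons = 0, []
    if any(t in text for t in LEGAL_TERMS):
        score += 2
        reasons.append("legal-threat language")
    if any(t in text for t in URGENCY_TERMS):
        score += 1
        reasons.append("urgency language")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in ARCHIVE_EXTS:
            score += 2
            reasons.append(f"archive attachment {name}")
    return score, reasons


def triage(msg: EmailMessage):
    """Map the score to an action: 'sandbox', 'flag' or 'deliver'."""
    score, reasons = score_message(msg)
    if score >= 4:
        return "sandbox", reasons
    if score >= 2:
        return "flag", reasons
    return "deliver", reasons


def make_message(subject, body, attachment_name=None) -> bytes:
    """Build a constructed RFC 5322 message as raw bytes."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "legal-notices@example.test"  # constructed sender
    msg["To"] = "user@example.test"
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"PK\x03\x04constructed", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def build_sample_messages():
    """Constructed samples, parsed the way a filter would parse inbound mail."""
    raw = {
        "english_notice": make_message(
            "Copyright Infringement Notice - Action required",
            "Your website uses our images without a license. Legal action "
            "follows unless you respond within 48 hours. See the attached notice.",
            "Notice_EN.zip"),
        "german_notice": make_message(
            "Abmahnung wegen Urheberrechtsverletzung",
            "Bitte antworten Sie innerhalb von 24 Stunden. Die Unterlagen sind angehaengt.",
            "Unterlagen.rar"),
        "training_reminder": make_message(
            "Reminder: copyright infringement training on Friday", "See you there."),
        "benign": make_message("Team lunch", "Friday at noon?"),
    }
    parser = BytesParser(policy=policy.default)
    return {label: parser.parsebytes(data) for label, data in raw.items()}


if __name__ == "__main__":
    for label, msg in build_sample_messages().items():
        action, reasons = triage(msg)
        print(f"{label}: {action} {reasons}")
```

The two-tier outcome matters in practice: a legal term alone (the training reminder) should not block mail, while a legal threat plus urgency plus an archive attachment is exactly the combination this campaign relies on and is worth detonating before delivery.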

Further down the intrusion sequence, defenders can restrict script and loader execution by disabling or tightly controlling unauthorized Python execution on endpoints. Teams can utilize application allowlisting to approve only specific scripts or binaries and monitor for the suspicious use of legitimate tools. Finally, to detect the campaign's in-memory execution and fileless activity, organizations should deploy EDR and XDR solutions configured with memory scanning and behavioral detection capabilities.
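As an added example (not code from the article or from Trend Micro) covering both the archive layout described in "Phishing sequence designed for evasion" and the monitoring advice above: a triage check that opens a delivered archive and flags the three traits the campaign combines, a PE executable carrying a document extension, bundled Python runtime components, and a legitimate tool whose hash is known but whose file name is not the expected one (the renamed archiver). The ZIP, its members and the "known tool" hash are constructed stand-ins; a real deployment would populate the hash table from genuine binaries such as WinRAR.exe.

```python
"""Added example, not code from the article or the Trend Micro report.

Triage of a phishing archive of the kind described above: a lure document,
supporting files for a Python-based loader and a renamed legitimate tool.
The archive and the 'known tool' hash are constructed for this demo.
"""
import hashlib
import io
import os
import zipfile

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}
PYTHON_EXTS = {".py", ".pyc", ".pyd"}

# Constructed stand-in for a legitimate archiver binary. In practice this table
# holds the SHA-256 of the genuine tool (e.g. WinRAR.exe) under its expected name.
FAKE_TOOL = b"MZ" + b"constructed stand-in for a legitimate archiver binary"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


KNOWN_TOOL_HASHES = {sha256(FAKE_TOOL): "WinRAR.exe"}


def inspect_archive(zip_bytes: bytes, known_tools=KNOWN_TOOL_HASHES):
    """Return (member name, reason) findings for the members of a ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = os.path.basename(name).lower()
            ext = os.path.splitext(base)[1]
            data = zf.read(name)
            is_pe = data[:2] == b"MZ"  # DOS/PE header: a Windows executable
            if is_pe and ext in DOCUMENT_EXTS:
                findings.append((name, "PE executable disguised as a document"))
            if ext in PYTHON_EXTS or base.startswith("python"):
                findings.append((name, "bundled Python runtime component"))
            expected = known_tools.get(sha256(data))
            if expected and base != expected.lower():
                findings.append((name, f"renamed copy of {expected}"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive mimicking the lure layout; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Copyright_Notice.pdf", b"MZ" + b"\x00" * 62)  # executable posing as a PDF
        zf.writestr("python311.dll", b"MZ" + b"\x90" * 64)         # Python runtime DLL
        zf.writestr("stage1.pyc", b"\xa7\r\r\n" + b"\x00" * 12)    # compiled Python loader
        zf.writestr("updater.exe", FAKE_TOOL)                      # renamed legitimate tool
        zf.writestr("README.txt", b"Open the attached notice.")    # plain text, no finding
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_archive(build_sample_archive()):
        print(f"{name}: {reason}")
```

The hash lookup is what turns "a renamed binary" into an actionable alert: allowlisting by hash lets the genuine tool run under its own name while the same bytes under `updater.exe` stand out, which is the signal the paragraph's advice to monitor legitimate tools depends on.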

(Originally reported by Elizabeth Montalbano)