A phishing campaign targeting healthcare, government, hospitality, and education sectors in Germany, Canada, the US, and Australia delivers PureLog Stealer malware disguised as copyright infringement legal notices. Victims are tricked into executing what appears to be a PDF, which triggers a multi-stage, fileless infection chain using a Python-based loader, dual .NET loaders, AMSI bypass, anti-VM checks, and heavy obfuscation. The final payload runs entirely in memory, harvesting browser credentials, cryptocurrency wallets, screenshots, and system data. Trend Micro researchers highlight the campaign's shift toward selective targeting and recommend behavioral EDR/XDR detection, application allowlisting, restricting unauthorized Python execution, and user training to treat unexpected legal notices as high-risk.

Source: darkreading.com (5 min read)