We look into a stealthy multi‑stage attack campaign that delivers PureLog Stealer entirely in memory using encrypted, fileless techniques.

Trend Micro Blog offers insights, analysis, and updates on cybersecurity threats, trends, and best practices. Covering topics such as malware analysis, threat intelligence, and cybersecurity risk management, Trend Micro Blog provides resources for IT security professionals, helping them stay ahead of emerging threats and protect their organizations from cyber attacks.

Trend Micro

Trend Micro researchers detail a multi-stage PureLog Stealer campaign targeting healthcare, government, hospitality, and education sectors in Germany, Canada, the US, and Australia. The attack begins with phishing emails delivering executables disguised as copyright violation notices in the victim's local language. The infection chain uses DLL sideloading, an encrypted payload fetched as a fake PDF, a remotely retrieved decryption key, and a renamed WinRAR binary to extract the next stage. A Python-based loader (disguised as svchost.exe) then decrypts and executes two redundant .NET loaders protected by ConfuserEx, which reflectively load PureLog Stealer entirely in memory via Assembly.Load(). The loader also bypasses AMSI, establishes registry persistence, captures screenshots, fingerprints the victim machine, and exfiltrates data over HTTPS. Two infection chain variants are documented, one requiring live C&C contact and one fully offline. IOCs and Trend Micro Vision One hunting queries are provided.

Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries