Attackers use a phishing campaign with TXZ archive attachments and invoice-themed lures to deliver a .NET infostealer called PureLogs version 5.0.0. The embedded JavaScript hides malicious commands via environment variables and launches PowerShell to decode and decrypt payloads. The PawsRunner loader uses steganography to extract encrypted data from PNG images containing cat photos, evolving from simple PE downloads to sophisticated steganographic extraction with fallback mechanisms. PureLogs harvests credentials from various applications including browsers, cryptocurrency wallets, and password managers, and communicates with its command and control infrastructure via HTTPS using multiple endpoints to exfiltrate encrypted and compressed stolen data.

The PureLogs malware harvests sensitive credentials from browsers, cryptocurrency wallets, password managers, communication applications, and other software, potentially leading to credential theft and unauthorized access to victims' accounts and assets. The use of steganography and environment variable obfuscation helps evade detection, increasing the likelihood of successful infection and data exfiltration. There are no reports of known exploits in the wild at this time.

No official patch or remediation guidance is available for this threat. Organizations should rely on detection and prevention controls such as email filtering to block phishing attempts, endpoint protection capable of detecting steganographic loaders and .NET infostealers, and network monitoring for suspicious HTTPS traffic to known malicious endpoints. Since this is a malware delivery technique rather than a software vulnerability, patching is not applicable. Regular user awareness training to recognize phishing lures is recommended.