PureCoder
PureCoder is the developer and seller of the commercial malware family centered on the PureLogs .NET information stealer. Reported offerings associated with PureCoder include PureLogs, PureCrypter, PureMiner, PureHVNC, and a botnet loader referred to as BlueLoader.

PureLogs is described as a commodity .NET stealer used by multiple threat actors and sold through the actor's website. It is designed to steal browser data (passwords, cookies, history, autofill data, and extensions); cryptocurrency wallet data from wallets including Armory, Atomic, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, Jaxx, LitecoinCore, Monero, and Zcash; and tokens or credentials from applications including Discord, Telegram, Steam, Outlook, Thunderbird, Pidgin, OpenVPN, and ProtonVPN. Supporting reporting also states that PureLogs can be launched by VMDetectLoader, which handles persistence, environment checks, and execution of the stealer.

In a spam campaign observed on December 14, 2022 and targeting users in Italy, a separate threat actor tracked as Alibaba2044 delivered PureLogs via a password-protected ZIP containing a CAB file disguised as a BAT file. The CAB dropped a .NET loader that decrypted the PureLogs DLL in memory and loaded it with .NET Assembly.Load(). ATT&CK techniques observed in that campaign included user execution, deobfuscation/decoding, defense impairment, system and file discovery, automated collection, local data theft, application-layer C2, and automated exfiltration. No nation-state attribution is stated in the provided content.
Tradecraft
2 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
9 malware families attributed to this actor across reporting.
4 additional families tracked in Mallory.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Commodity credential and data theft operations associated with development of the PureLogs Stealer, delivered via phishing lures (e.g., fake pharmaceutical invoices) and staged loaders.
Malware developer and vendor selling a suite of .NET cybercrime tools (stealer, crypter/loader, miner, botnet loader, HVNC) via a website and cybercrime forums; the tools are used by other threat actors in their own campaigns.