Researchers reported an active phishing campaign targeting Windows users with invoice-themed emails that deliver the PawsRunner loader and ultimately deploy the PureLogs .NET infostealer. The attack begins with a TXZ archive containing JavaScript that hides malicious commands in environment variables, launches hidden PowerShell, decrypts an AES- and Gzip-protected payload, and loads a .NET assembly filelessly through reflection. Investigators said PawsRunner has evolved from directly downloading PE files to extracting encrypted payloads hidden inside PNG images, using steganography markers in iTXt and IEND chunks while rotating user-agents and Windows networking APIs to blend in.
The final payload, identified as PureLogs 5.0.0, profiles victims through WMI and steals data from browsers, wallet extensions, cryptocurrency wallets, communication apps, and other local applications before compressing and AES-encrypting exfiltrated data for HTTPS-based command-and-control. Reported indicators include the IP address 5.101.84.202, the URL hxxps://everycarebd[.]com/imagelkjh0987[.]png, and six associated SHA-256 hashes, with defenders also provided hunting queries for domains, URLs, IPs, and file hashes to support detection and incident response.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
Xavier Mertens reported a phishing-style infection chain using a legitimate WeTransfer link to a malicious JavaScript file that launched PowerShell via WMI and retrieved image-hosted payloads from Cloudflare Workers and Cloudflare R2. The analysis disclosed technical details including ROT13 and junk-code obfuscation, environment-variable staging, and a DLL disguised as a modified Microsoft.Win32.TaskScheduler library.
FortiGuard Labs analyzed a new PureLogs infostealer variant delivered through purchase-order-themed phishing emails, obfuscated JavaScript, and PowerShell that loads an encrypted .NET module in memory. The report highlighted process hollowing of the legitimate MsBuild.exe process and additional .NET Reactor and IntelliLock protection as new evasion features.
A Gurucul threat report described the same PureLogs-via-PawsRunner steganography campaign and provided detection queries for domains, URLs, IPs, and file hashes. This appears to be a follow-on publication of the already documented campaign rather than a new incident.
FortiGuard Labs reported a phishing campaign using invoice-themed emails, a JavaScript dropper, and the PawsRunner steganography loader to deploy the PureLogs 5.0.0 .NET infostealer on Windows systems. The report also disclosed technical details of the fileless loading chain, C2 behavior, and indicators of compromise.
Over time, the PawsRunner loader changed from directly downloading PE files to extracting encrypted payloads hidden in PNG images, and later added persistence and fallback logic. This reflected a notable escalation in the sophistication of the PureLogs delivery chain.
eSentire publicly detailed Amatera Stealer 4.0.2 Beta, describing its in-memory loader, anti-analysis features, expanded theft targets, and implementation flaws. The report included YARA rules and indicators of compromise to support detection and response.
In late April 2026, eSentire detected and blocked an attempted Amatera Stealer infection in a finance-sector customer environment using a ClickFix-to-PowerShell infection chain. The affected host was isolated and the customer was assisted with remediation.
Since November 2025, the Amatera Stealer malware added stronger string encryption, syscall-resolution techniques, anti-debugging and anti-analysis checks, geofencing, upgraded C2 encryption, and broader data-theft capabilities. These changes marked a significant evolution of the stealer compared with earlier variants.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
11 references tracked. Mallory keeps watching after this page renders.
isc.sans.edu
Open sourcesecurityonline.info
Open sourcecybersecuritynews.com
Open sourcecommunity.gurucul.com
Open sourcecommunity.gurucul.com
Open sourcefortinet.com
Open sourcefeeds.fortinet.com
Open sourceesentire.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.