Malware - New Campaign Using Copyright Lures Unleashes PureLog Stealer
Basically, hackers are tricking people into downloading malware disguised as legal documents.
A new malware campaign is using copyright lures to deliver PureLog Stealer, impacting sectors like healthcare and education. This sophisticated attack poses significant risks to sensitive data. Organizations must enhance security measures to combat this emerging threat.
What Happened
A new malware campaign has emerged, targeting organizations across multiple sectors, including healthcare, government, education, and hospitality. This campaign cleverly disguises itself using copyright violation notices to deliver PureLog Stealer, a potent information-stealing malware. First analyzed in March 2026, the campaign tricks victims into executing a malicious file that appears to be a legitimate legal document. Once the file is opened, it triggers a series of events that lead to sensitive data being stolen from the victim’s machine.
PureLog Stealer is notorious for harvesting various types of sensitive information, including browser credentials, cryptocurrency wallet data, and system information. Its low-cost and user-friendly nature means that even less-skilled threat actors can deploy it effectively. The campaign employs phishing emails with malicious download links, rather than direct attachments, making it more deceptive and harder to detect.
Who's Being Targeted
The campaign has primarily focused on organizations in Germany and Canada, but additional victims have been reported in the United States and Australia. The targeted industries are particularly vulnerable due to their frequent dealings with legal notices and compliance documents. This makes the copyright lure format appear highly credible to unsuspecting recipients.
The selective targeting and localized delivery of these phishing emails suggest a well-structured operation rather than a random mass spam campaign. This level of sophistication increases the risk of successful infections, as victims are more likely to trust the content of the emails they receive.
Signs of Infection
Once the victim executes the malicious file, a command interpreter launches silently in the background, while a harmless-looking decoy PDF opens on the screen to distract the user. The malware then contacts attacker-controlled servers to download an encrypted archive disguised as a PDF file. This design makes offline analysis nearly impossible, as the attackers can control or cancel each infection remotely.
The infection chain involves several clever tactics, including bypassing Windows Defender’s Antimalware Scan Interface by patching memory directly. This ensures that the malware can operate undetected, as traditional antivirus tools may miss it due to its fileless execution design. The malware establishes persistence in the system, ensuring it restarts automatically with every user login.
How to Protect Yourself
Organizations must train employees to treat unexpected emails about copyright violations with skepticism, especially those containing download links. Security teams should monitor registry Run keys for unusual entries and watch for suspicious processes executing from non-standard directory paths. Blocking outbound connections to known malicious domains is crucial.
Behavioral detection tools and network telemetry are essential, as traditional signature-based antivirus may not detect this campaign effectively. By adopting a proactive approach to cybersecurity and enhancing employee awareness, organizations can significantly reduce their risk of falling victim to such sophisticated malware campaigns.
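The registry Run-key and non-standard-path checks recommended above can be expressed as a small hunt over endpoint telemetry. The script below is an added example written for this page, not code from the article or from any vendor; it uses Sysmon-style field names (Event ID 13 registry value set, Event ID 1 process create) and a list of user-writable directories that are assumptions of the example, and the event records are constructed here so it runs offline.

```python
"""
Hunt for autostart persistence and suspicious launches in Sysmon-style events.
Added example, not from the article. Field names mimic Sysmon (EventID 13 =
registry value set, EventID 1 = process create); all values are constructed.
"""
import re
from typing import Dict, List, Tuple

# Autostart locations the article tells defenders to watch: Run / RunOnce keys.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE
)

# User-writable directories from which a legitimate autostart entry rarely
# runs (assumed list; ProgramData is included but does host some real software,
# so tune it for your estate).
SUSPICIOUS_DIR_RE = re.compile(
    r"(\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\Downloads\\|"
    r"\\Users\\Public\\|\\ProgramData\\|%TEMP%\\|%APPDATA%\\)",
    re.IGNORECASE,
)

# Script hosts and interpreters that malware commonly wraps around a payload.
INTERPRETER_RE = re.compile(
    r"\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe\b",
    re.IGNORECASE,
)


def _first_executable(command: str) -> str:
    """Return the executable portion of a command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_registry_event(event: Dict) -> List[str]:
    """Flag Run-key values whose command lives in a user-writable path or
    launches an interpreter; other registry writes are ignored."""
    findings: List[str] = []
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return findings
    cmd = event.get("Details", "")
    exe = _first_executable(cmd)
    if SUSPICIOUS_DIR_RE.search(exe) or SUSPICIOUS_DIR_RE.search(cmd):
        findings.append("run-key points into user-writable directory")
    if INTERPRETER_RE.search(exe):
        findings.append("run-key launches a script host/interpreter")
    return findings


def check_process_event(event: Dict) -> List[str]:
    """Flag processes running from user-writable paths, and interpreters that
    were spawned by a binary in such a path (the lure file launching cmd)."""
    findings: List[str] = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if SUSPICIOUS_DIR_RE.search(image):
        findings.append("process image in user-writable directory")
    if INTERPRETER_RE.search(image) and SUSPICIOUS_DIR_RE.search(parent):
        findings.append("interpreter spawned by binary in user-writable directory")
    return findings


def hunt(events: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Run both checks and return (subject, findings) for every hit."""
    results: List[Tuple[str, List[str]]] = []
    for event in events:
        if event.get("EventID") == 13:
            subject, findings = event["TargetObject"], check_registry_event(event)
        elif event.get("EventID") == 1:
            subject, findings = event["Image"], check_process_event(event)
        else:
            continue
        if findings:
            results.append((subject, findings))
    return results


# Constructed sample telemetry: two benign records mixed with three that
# resemble the persistence and interpreter behaviour described in the article.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Users\alice\AppData\Roaming\Updater\svc.exe" -silent'},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Notice",
     "Details": r'C:\Windows\System32\cmd.exe /c "%TEMP%\copyright_notice.cmd"'},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\Downloads\Copyright_Violation_Notice.exe",
     "CommandLine": r"cmd.exe /c copyright_notice.cmd"},
    {"EventID": 1,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
]

if __name__ == "__main__":
    for subject, findings in hunt(SAMPLE_EVENTS):
        print(subject)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed events, the hunt flags the Run-key entry in AppData\Roaming, the Run-key entry that wraps a script in %TEMP% with cmd.exe, and the cmd.exe instance spawned by an executable in Downloads, while the SecurityHealth autostart and the Firefox launch pass. The interpreter-by-parent rule is the one that catches the article's "command interpreter launched silently after opening the lure" step before any persistence is written, so it is worth keeping even when the Run-key rule is tuned down for noise.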
Cyber Security News