Steganographic Phishing Campaign Deploys PureLogs Infostealer to Harvest Credentials Globally
What Happened – A phishing operation is delivering the PureLogs information‑stealer to Windows workstations by embedding an encrypted .NET loader inside PNG images using steganography. The loader decrypts and runs a .NET assembly that harvests browser passwords, crypto‑wallet keys, communication‑app tokens, password‑manager data, and other credentials, then exfiltrates the data encrypted over HTTPS.
Why It Matters for TPRM –
- Credential theft from third‑party SaaS and on‑prem applications can be leveraged for downstream attacks against your organization’s supply chain.
- The use of steganography evades many traditional network‑based detections, increasing the likelihood of successful compromise.
- The breadth of targeted software (browsers, crypto wallets, VPN clients, etc.) expands the attack surface across multiple business units.
Who Is Affected – Enterprises across all sectors that allow employees to use web browsers, crypto‑wallet extensions, password managers, and common communication tools on Windows endpoints.
Recommended Actions –
- Review email‑gateway filtering rules to block unexpected TXZ archives and invoice‑themed lures.
- Enforce strict endpoint protection policies that detect steganographic payloads and unauthorized PowerShell execution.
- Conduct credential‑reuse audits and enforce MFA for all privileged and SaaS accounts.
- Update security awareness training to highlight image‑based steganography and invoice phishing tactics.
Technical Notes – The attack vector is a phishing email with a TXZ archive; the payload uses JavaScript to set environment variables, launches a hidden PowerShell session, and runs a .NET loader (PawsRunner) that decrypts a PNG‑embedded payload via RC4. The final PureLogs infostealer extracts credentials from browsers, over 100 crypto‑wallet extensions, communication apps (Discord, Telegram, Signal), password managers (Bitwarden, LastPass, 1Password), authenticators, and various utilities (Steam, OpenVPN, OBS, FileZilla, etc.). Exfiltration is performed over HTTPS with AES‑encrypted blobs. Source: Help Net Security