HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Steganographic Phishing Campaign Deploys PureLogs Infostealer to Harvest Credentials Globally

A sophisticated phishing campaign is using image‑based steganography to deliver the PureLogs infostealer to Windows machines. The malware harvests credentials from browsers, crypto wallets, communication apps, and password managers, then exfiltrates the data encrypted over HTTPS, posing a significant third‑party risk.

LiveThreat™ Intelligence · 📅 May 19, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
4 recommended
📰
Source
helpnetsecurity.com

Steganographic Phishing Campaign Deploys PureLogs Infostealer to Harvest Credentials Globally

What Happened – A phishing operation is delivering the PureLogs information‑stealer to Windows workstations by embedding an encrypted .NET loader inside PNG images using steganography. The loader decrypts and runs a .NET assembly that harvests browser passwords, crypto‑wallet keys, communication‑app tokens, password‑manager data, and other credentials, then exfiltrates the data encrypted over HTTPS.

Why It Matters for TPRM

  • Credential theft from third‑party SaaS and on‑prem applications can be leveraged for downstream attacks against your organization’s supply chain.
  • The use of steganography evades many traditional network‑based detections, increasing the likelihood of successful compromise.
  • The breadth of targeted software (browsers, crypto wallets, VPN clients, etc.) expands the attack surface across multiple business units.

Who Is Affected – Enterprises across all sectors that allow employees to use web browsers, crypto‑wallet extensions, password managers, and common communication tools on Windows endpoints.

Recommended Actions

  • Review email‑gateway filtering rules to block unexpected TXZ archives and invoice‑themed lures.
  • Enforce strict endpoint protection policies that detect steganographic payloads and unauthorized PowerShell execution.
  • Conduct credential‑reuse audits and enforce MFA for all privileged and SaaS accounts.
  • Update security awareness training to highlight image‑based steganography and invoice phishing tactics.

Technical Notes – The attack vector is a phishing email with a TXZ archive; the payload uses JavaScript to set environment variables, launches a hidden PowerShell session, and runs a .NET loader (PawsRunner) that decrypts a PNG‑embedded payload via RC4. The final PureLogs infostealer extracts credentials from browsers, over 100 crypto‑wallet extensions, communication apps (Discord, Telegram, Signal), password managers (Bitwarden, LastPass, 1Password), authenticators, and various utilities (Steam, OpenVPN, OBS, FileZilla, etc.). Exfiltration is performed over HTTPS with AES‑encrypted blobs. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/05/19/purelogs-infostealer-delivery-steganography/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →