Attackers Hide Infostealer in Copyright Infringement Notices

A phishing campaign targeting healthcare, government, hospitality, and education sectors in various countries uses several evasion techniques to avoid detection.

Attackers are using copyright-infringement notices to target multiple industry sectors in a fileless phishing campaign that delivers data-stealing malware.

The attack — aimed at organizations in critical sectors, including healthcare, government, hospitality, and education — attempts to install PureLog Stealer, a low-cost infostealer considered easy for would-be threat actors to use, according to a report by Trend Micro released Monday.

Primarily, the campaign has targeted healthcare and government organizations in Germany and Canada, "demonstrating selective victimology and a structured, evasive delivery framework rather than simple mass malware distribution," noted Trend Micro threat researchers Mohamed Fahmy, Allixon Kristoffer Francisco, and Jonna Santos in the post. Organizations in the US and Australia were also targeted.

For initial access, attackers rely on phishing emails that use a sense of urgency to lure victims into downloading a malicious executable tailored to the victim's local language. This targeted delivery bolsters the emails' authenticity and, thus, the opportunity for success, according to the researchers.

Victims of the attack believe they are receiving a legal notice informing them of copyright violations; instead, the victims manually execute what looks like a PDF file that begins execution of PureLog via a multistage, in-memory process that uses more than one loader and features a series of evasive maneuvers — including a bypass for Windows Defender's Antimalware Scan Interface (AMSI), anti-virtual machine techniques, and heavy obfuscation.

"The campaign uses a combination of social engineering, staged payload delivery, and in-memory execution to evade both detection and forensic analysis," the researchers noted.

Phishing Attack Designed for Evasion

The attack has been designed from start to finish with particular focus on evading detection by a user or security researchers. Opening the attachment or clicking on the link leads to a compressed archive containing what looks like a benign document, typically a PDF file, as well as supporting files required for execution and a renamed legitimate tool, such as WinRAR, that's used to extract and launch components.

The execution chain features a two-stage loader process: the first, Python-based loader initiates the infection chain with an environmental check for sandbox or virtual-machine detection. Further decryption of payload components then occurs in the form of two successive .NET loaders, which also serve to obfuscate execution flow and delay full exposure of the payload, according to Trend Micro.

"The Python‑based loader and dual .NET loaders introduce redundancy and fileless execution pathways, ensuring that the final PureLog Stealer payload is launched reliably and without leaving artifacts on disk," the researchers wrote.

PureLog as Final Payload

The malware then retrieves decryption keys from a remote server at runtime as a further evasion tactic, ensuring that the payloads remain encrypted while not in execution mode and preventing security analysts from extracting the final malware without live execution.

This sets up the final deployment of the PureLog payload, which is executed directly in memory — again, leaving scarcely an artifact trail — and bypassing many traditional defenses, the researchers noted. Throughout the entire process, the malware uses AMSI bypass techniques, heavy code obfuscation, and anti-VM and -analysis checks as part of its evasive maneuvers.

Once activated, the PureLog infostealer establishes persistence via registry modifications, captures screenshots, profiles the system, and harvests sensitive data, including Chrome browser credentials, extensions, cryptocurrency wallets, and system information.

Given its stealthy execution and layered delivery, successful compromise of a targeted system can result in credential theft, account takeover, and downstream intrusion activity, the researchers said.

Defend Early and Often

With phishing campaigns getting more complex through targeted social engineering and sophisticated evasion tactics — amid a heated geopolitical environment and an ongoing war — it is more important than ever, especially for organizations in critical industries, to remain highly vigilant against any type of attack.

Trend Micro said the evasion and obfuscation measures of the PureLog campaign, along with the in-memory execution of the malware, emphasize the importance of behavioral detection, network telemetry, and proactive threat hunting. "Overall, this activity reflects a shift away from broad, opportunistic malware distribution toward more selective targeting, with observed victims in government, healthcare, education, and hospitality sectors across multiple countries," the researchers wrote.

To avoid compromise, organizations can set filters to flag or sandbox messages with legal threats and attachments, as well as train users to view any unexpected legal or financial claims that turn up in their inboxes as high risk.
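The mail-flow control described above can be expressed as a scoring rule that combines a legal-threat lure with attachment structure. The following is an added example written for this page, not code from Trend Micro or the researchers; the vocabulary, the extension lists, the scoring weights and the thresholds are assumptions, and every message it inspects is a constructed sample. It flags messages that pair legal or copyright pressure with an archive, and sandboxes those whose archive listing contains executables, including executables with a document extension embedded in their name.

```python
"""Added example: a mail-triage rule that flags or sandboxes messages that
pair a legal-threat lure with an archive carrying executable content.
All messages below are constructed samples; the scoring thresholds are an
assumption, not a vendor's or the researchers' rule set."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Lure vocabulary: legal/copyright pressure and urgency cues (assumed word lists).
LEGAL_THREAT = re.compile(
    r"\b(copyright|infringement|dmca|legal notice|lawsuit|cease and desist|violation)\b", re.I)
URGENCY = re.compile(
    r"\b(within \d+ (?:hours|days)|immediately|final notice|deadline|urgent)\b", re.I)

ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".py", ".dll", ".lnk", ".js", ".vbs")
DOC_MARKERS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


@dataclass
class Attachment:
    name: str
    members: list[str] = field(default_factory=list)  # archive listing, if it is an archive


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list[Attachment] = field(default_factory=list)


def is_executable(name: str) -> bool:
    return name.lower().endswith(EXEC_EXT)


def masquerades_as_document(name: str) -> bool:
    """Executable whose name carries a document extension, e.g. Notice.pdf.exe."""
    lower = name.lower()
    return is_executable(lower) and any(marker in lower for marker in DOC_MARKERS)


def triage(msg: Message) -> tuple[int, list[str]]:
    """Return a risk score and the reasons that contributed to it."""
    score, reasons = 0, []
    text = f"{msg.subject}\n{msg.body}"
    if LEGAL_THREAT.search(text):
        score += 2
        reasons.append("legal-threat lure")
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency pressure")
    for att in msg.attachments:
        name = att.name.lower()
        if name.endswith(ARCHIVE_EXT):
            score += 1
            reasons.append(f"archive attachment: {att.name}")
            execs = [m for m in att.members if is_executable(m)]
            if execs:
                score += 3
                reasons.append(f"executables inside archive: {execs}")
            masq = [m for m in att.members if masquerades_as_document(m)]
            if masq:
                score += 3
                reasons.append(f"document-lookalike executables: {masq}")
        elif masquerades_as_document(name) or is_executable(name):
            score += 4
            reasons.append(f"direct executable attachment: {att.name}")
    return score, reasons


def verdict(msg: Message) -> str:
    """Map the score to a mail-flow action: deliver, flag for the user, or sandbox."""
    score, _ = triage(msg)
    if score >= 6:
        return "sandbox"
    if score >= 3:
        return "flag"
    return "deliver"


# Constructed sample messages (not real mail; addresses use the reserved .test TLD).
SAMPLES = {
    "lure": Message(
        sender="legal@example-rightsholder.test",
        subject="Copyright Infringement Notice - respond within 48 hours",
        body="Our client has identified unlicensed use of protected material on your site. "
             "The attached notice lists the items and the required remedy.",
        attachments=[Attachment("Copyright_Notice.zip",
                                ["Copyright_Notice.pdf.exe", "python3.dll", "extract.exe"])],
    ),
    "legal_but_benign_archive": Message(
        sender="counsel@example-partner.test",
        subject="Legal notice: final notice before contract renewal",
        body="Please review the attached documents before the renewal date.",
        attachments=[Attachment("documents.zip", ["agreement.pdf", "annex.pdf"])],
    ),
    "invoice": Message(
        sender="billing@example-vendor.test",
        subject="Q3 invoice",
        body="Please find attached the invoice for services rendered.",
        attachments=[Attachment("invoice.pdf")],
    ),
}

if __name__ == "__main__":
    for label, message in SAMPLES.items():
        print(label, verdict(message), triage(message)[1])
```

The archive listing is the decisive input: legal wording alone only raises a message to "flag", which matches the advice to treat unexpected legal claims as high risk without blocking legitimate counsel, while an archive that carries executables or a document-lookalike executable is routed to a sandbox before the user sees it.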

Further down the attack chain, defenders can restrict script and loader execution by disabling or tightly controlling unauthorized Python execution on endpoints; using application allowlisting to approve only certain scripts or binaries; and monitoring for suspicious use of legitimate tools. Finally, to detect the campaign's in-memory execution and fileless activity, organizations should deploy EDR/XDR with memory scanning and behavioral detection.
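The three endpoint controls in the paragraph above (unauthorized Python execution, application allowlisting, and suspicious use of legitimate tools such as a renamed WinRAR) can be hunted for in process-creation telemetry. The following is an added example written for this page, not Trend Micro's detection logic or any EDR product's rules. The field names mirror Sysmon's process-creation event (Image, OriginalFileName, ParentImage, Hashes, User), but the events, the approved Python install prefixes and the hash allowlist are constructed assumptions with placeholder values.

```python
"""Added example: a hunt over process-creation telemetry for the endpoint
controls described above. Field names mirror Sysmon's process-creation event
(Image, OriginalFileName, ParentImage, Hashes, User); the events, the approved
hash list and the approved Python install paths are constructed assumptions."""
from __future__ import annotations

import ntpath

# Legitimate archiver binaries whose version info identifies them even when the file is renamed.
ARCHIVER_TOOLS = {"winrar.exe", "rar.exe", "unrar.exe"}
PYTHON_INTERPRETERS = {"python.exe", "pythonw.exe"}

# Hypothetical policy: Python is only sanctioned under these install prefixes.
APPROVED_PYTHON_PREFIXES = (r"c:\program files\python", r"c:\python3")
# Paths an ordinary user can write to; anything launched from here must be allowlisted.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Hypothetical application allowlist keyed by SHA-256 (placeholder values, not real hashes).
APPROVED_SHA256 = {
    "placeholder-sha256-approved-vpn-installer": "VPN client installer",
}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _sha256(hashes: str) -> str | None:
    """Extract the SHA256 entry from a 'SHA1=...,SHA256=...' style field."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def evaluate(event: dict) -> list[str]:
    """Apply the three rules to one process-creation event and return the findings."""
    findings: list[str] = []
    image = _norm(event.get("Image", ""))
    image_name = ntpath.basename(image)
    original = event.get("OriginalFileName", "").lower()

    # Rule 1: version info says it is an archiver, but the file runs under a different name.
    if original in ARCHIVER_TOOLS and image_name != original:
        findings.append(f"renamed_legitimate_tool:{original}->{image_name}")

    # Rule 2: a Python interpreter running outside the sanctioned install locations.
    if (image_name in PYTHON_INTERPRETERS or original in PYTHON_INTERPRETERS) \
            and not image.startswith(APPROVED_PYTHON_PREFIXES):
        findings.append(f"unauthorized_python:{image}")

    # Rule 3: a binary launched from a user-writable path that is not on the allowlist.
    if image.startswith(USER_WRITABLE_PREFIXES) \
            and _sha256(event.get("Hashes", "")) not in APPROVED_SHA256:
        findings.append(f"unapproved_binary:{image_name}")

    return findings


def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Return {event index: findings} for every event that triggered at least one rule."""
    results: dict[int, list[str]] = {}
    for index, event in enumerate(events):
        findings = evaluate(event)
        if findings:
            results[index] = findings
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe", "OriginalFileName": "WinRAR.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice",
     "Hashes": "SHA256=placeholder-sha256-winrar"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Copyright_Notice\viewer.exe",
     "OriginalFileName": "WinRAR.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": "CORP\\alice", "Hashes": "SHA256=placeholder-sha256-unknown-1"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Copyright_Notice\runtime\pythonw.exe",
     "OriginalFileName": "pythonw.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Copyright_Notice\viewer.exe",
     "User": "CORP\\alice", "Hashes": "SHA256=placeholder-sha256-unknown-2"},
    {"Image": r"C:\Program Files\Python312\python.exe", "OriginalFileName": "python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\bob",
     "Hashes": "SHA256=placeholder-sha256-python"},
    {"Image": r"C:\Users\bob\Downloads\vpnclient-setup.exe", "OriginalFileName": "vpnclient-setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\bob",
     "Hashes": "SHA256=placeholder-sha256-approved-vpn-installer"},
]

if __name__ == "__main__":
    for index, findings in hunt(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["Image"], findings)
```

Rule 1 relies on the PE version resource that Sysmon reports as OriginalFileName, so it catches a tool that was only renamed, not one whose version info was stripped; rule 3 is the hash-based allowlist backstop for that case. Rule 2 is a path policy rather than a signature, which is what makes a Python runtime dropped next to a lure visible regardless of how the interpreter binary is named.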
 