What happened
Trend Micro identified a new malware campaign that uses copyright violation-themed phishing lures to deliver the PureLog Stealer, targeting organizations across sectors including healthcare, government, education, and hospitality. Victims are tricked into downloading and executing files disguised as legal notices, which trigger a multi-stage infection chain that ultimately steals sensitive data such as browser credentials, cryptocurrency wallet information, and system details. The campaign relies entirely on social engineering rather than software vulnerabilities, using localized, language-specific lures to increase success rates. Once executed, the malware deploys encrypted payloads, retrieves decryption keys remotely, and runs entirely in memory using Python and .NET loaders, which makes detection significantly harder.
Who is affected
Organizations across multiple industries globally are affected, particularly those in Germany, Canada, the United States, and Australia, where localized phishing lures have been observed.
Why CISOs should care
The campaign demonstrates how attackers are combining targeted phishing with fileless malware execution to bypass traditional, file-centric defenses, allowing credential theft and data exfiltration without relying on exploitable software flaws.
3 practical actions
- Train users on legal-themed phishing lures. Copyright and compliance-related emails are being used to trigger urgency and trust, and localized wording makes them harder to dismiss at a glance.
- Monitor for fileless execution techniques. Alert on Python or .NET processes that run code without a corresponding script or assembly on disk, for example a Python interpreter launched with inline code, particularly when the process was started by a freshly downloaded file.
- Inspect outbound connections to unknown domains. The malware contacts attacker-controlled infrastructure to fetch payloads and decryption keys and to exfiltrate stolen data, so connections from the processes above to domains outside your allowlist deserve immediate attention.
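The second and third actions above can be turned into a small triage rule. The following Python script is an added example, not code from Trend Micro or from the article: it runs over a few constructed, EDR-style process-creation and network events (the file paths, PIDs, `.example` domains and the `loader.exe` name are all invented for illustration) and flags Python interpreters launched with inline code, executables running from user-writable directories, descendants of already-flagged processes, and outbound connections from any flagged process to a domain that is not on a local allowlist.

```python
import re

# Constructed sample telemetry (not from the article). Each process event is
# reduced to the fields the heuristics need; the lure file, paths and PIDs are
# hypothetical.
PROCESS_EVENTS = [
    {"pid": 4312, "ppid": 1200,
     "image": r"C:\Program Files\Python311\python.exe",
     "cmdline": r'"C:\Program Files\Python311\python.exe" C:\Users\jsmith\projects\report.py'},
    {"pid": 3900, "ppid": 1200,
     "image": r"C:\Users\jsmith\Downloads\Copyright_Violation_Notice.exe",
     "cmdline": r"Copyright_Violation_Notice.exe"},
    {"pid": 5120, "ppid": 3900,
     "image": r"C:\Users\jsmith\AppData\Local\Temp\Copyright_Notice\python.exe",
     # inline code: the stage that runs never touches disk as a .py file
     "cmdline": r'python.exe -c "import base64,sys;exec(base64.b64decode(sys.argv[1]))" aW1wb3J0IG9z'},
    {"pid": 5204, "ppid": 5120,
     "image": r"C:\Users\jsmith\AppData\Local\Temp\Copyright_Notice\loader.exe",
     "cmdline": r"loader.exe"},
]

# Constructed network events; .example is a reserved TLD, so nothing here is a real IOC.
NETWORK_EVENTS = [
    {"pid": 4312, "dest": "pypi.org", "port": 443},
    {"pid": 5120, "dest": "cdn-files-notice.example", "port": 443},
    {"pid": 5204, "dest": "key-relay.example", "port": 8080},
]

# Assumed allowlist; in practice this comes from proxy logs or a CMDB, not a literal.
ALLOWED_DOMAINS = {"pypi.org", "update.microsoft.com"}

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
PYTHON_IMAGE = re.compile(r"(^|\\)pythonw?(\d+(\.\d+)?)?\.exe$", re.I)
INLINE_CODE = re.compile(r"(?:^|\s)-c\s")  # "python -c <code>": no script file exists on disk


def flag_process(ev):
    """Return the list of reasons this single event looks suspicious (empty if clean)."""
    reasons = []
    if PYTHON_IMAGE.search(ev["image"]) and INLINE_CODE.search(ev["cmdline"]):
        reasons.append("python inline code (-c): no script on disk to scan")
    if USER_WRITABLE.search(ev["image"]):
        reasons.append("executable runs from user-writable path")
    return reasons


def triage(process_events, network_events):
    """Map pid -> reasons, propagating suspicion down the process tree and
    attaching non-allowlisted outbound connections made by flagged processes."""
    by_pid = {ev["pid"]: ev for ev in process_events}
    findings = {}
    for ev in process_events:
        reasons = flag_process(ev)
        # Walk the ancestry: a clean-looking child of a flagged process inherits
        # suspicion, which is how the .NET stage is caught even when its own
        # image and command line look unremarkable.
        ppid = ev["ppid"]
        while ppid in by_pid:
            if flag_process(by_pid[ppid]):
                reasons.append(f"descendant of suspicious pid {ppid}")
                break
            ppid = by_pid[ppid]["ppid"]
        if reasons:
            findings[ev["pid"]] = reasons
    for net in network_events:
        if net["pid"] in findings and net["dest"] not in ALLOWED_DOMAINS:
            findings[net["pid"]].append(
                f"outbound to non-allowlisted {net['dest']}:{net['port']}")
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(PROCESS_EVENTS, NETWORK_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The legitimate interpreter running a project script from a normal install path produces no finding, while the lure executable, the Python stage started with `-c`, and the child it spawns are all surfaced, each with the specific reason and the domain it reached. Python also accepts code on stdin (`python -`) and via `-m`, so a production rule should cover those launch forms as well; the allowlist check is deliberately applied only to already-flagged processes to keep the alert volume manageable.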
