
A new malware campaign is using deceptive copyright infringement notices to distribute PureLog Stealer, targeting organizations across multiple sectors and countries. The malware operates primarily in memory and employs evasion techniques such as DLL sideloading to bypass traditional security controls. Read this Cybersecurity Threat Advisory to learn how to protect your environment and your clients’ environments.
What is the threat?
This campaign delivers an information‑stealing malware through a sophisticated, multi‑stage infection chain designed to mimic legitimate system activity. Attackers use a Python‑based loader to decrypt and execute the final PureLog Stealer payload.
Key elements of the attack chain include:
- DLL sideloading to load malicious code alongside trusted applications
- A renamed WinRAR utility to extract malicious content
- A decoy PDF to reinforce the phishing lure
Victims are typically targeted through phishing emails containing malicious download links. Payloads are disguised as PDFs, while decryption keys are retrieved remotely—allowing attackers to control when execution occurs. By running the stealer directly in memory and leaving minimal disk artifacts, the malware becomes significantly harder for traditional security tools to detect.
Why is it noteworthy?
Unlike indiscriminate mass malware, this campaign targets specific sectors such as government and healthcare, increasing its potential impact. The use of encrypted payloads, remote key retrieval, and in‑memory execution enables attackers to remain stealthy throughout the infection process.
Techniques like DLL sideloading and registry‑based persistence allow the malware to evade detection while maintaining long‑term access. Because little to no malicious content is written to disk, traditional antivirus solutions may fail to identify or analyze the threat effectively.
What is the exposure or risk?
Organizations are at risk if endpoints:
- Interact with phishing emails containing external download links
- Execute disguised archives or non‑standard extraction tools
- Allow memory‑resident payloads with minimal logging or controls
A successful compromise can result in credential theft, data exfiltration, and reconnaissance of installed security tools. The use of remote decryption keys and command‑and‑control infrastructure gives attackers precise control over payload delivery, complicating detection and response. These factors increase the risk of prolonged data exposure and operational disruption, particularly in high‑sensitivity environments. As a result, memory‑focused detection, behavioral analytics, and network telemetry are critical for timely identification and mitigation.
What are the recommendations?
Barracuda strongly recommends taking the following actions to mitigate risk:
- Block known indicators of compromise, including associated file hashes, domains, and IP addresses.
- Educate staff to recognize phishing emails, particularly those claiming copyright violations or legal action.
- Ensure EDR is deployed and actively monitoring memory usage and process behavior, as the malware operates in a fileless manner.
- Monitor for abnormal registry activity, AMSI bypass attempts, and trusted tools (such as WinRAR) running from unexpected locations.
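The monitoring points in the list above can be expressed as a small correlation over endpoint telemetry: a process whose PE version resource says WinRAR.exe but whose file name or location does not match a normal install, an unsigned DLL loaded by a process from the same user-writable directory (the shape of a sideload), a Python interpreter running outside its install path, and a hash on the blocklist. The code below is an added example written for this advisory, not Barracuda’s code or a detection from the campaign analysis. It assumes Sysmon-style fields (Image, OriginalFileName, ImageLoaded, Signed) for event 1 (process create) and event 7 (image load); every path, file name and the single blocklist hash are constructed placeholders.

```python
"""Added example: correlate Sysmon-style endpoint events against the behaviours
this advisory describes (renamed WinRAR, DLL sideloading from a user-writable
directory, a Python loader outside its install path, blocklisted hashes).
All sample events, paths and hashes are constructed placeholders."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Placeholder entry: populate from the published IoC list, never from guesswork.
BLOCKED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
PYTHON_INSTALL_HINT = "\\appdata\\local\\programs\\python\\"  # legitimate per-user install


def in_trusted_root(path: str) -> bool:
    """True if the path sits under a standard, admin-controlled install root."""
    return path.lower().startswith(TRUSTED_ROOTS)


def is_user_writable(path: str) -> bool:
    """Heuristic: the path contains a directory an unprivileged user can write to."""
    p = path.lower()
    return any(hint in p for hint in USER_WRITABLE_HINTS)


@dataclass
class Event:
    event_id: int                 # 1 = process create, 7 = image load (Sysmon numbering)
    image: str                    # full path of the process image
    original_file_name: str = ""  # PE version resource, as Sysmon logs it
    sha256: str = ""
    image_loaded: str = ""        # event 7 only: the DLL that was mapped
    signed: bool = True           # event 7 only: Sysmon's Signed field


def detect(events: list[Event]) -> list[tuple[str, str]]:
    """Return (rule_name, path) pairs for events matching the advisory's indicators."""
    alerts: list[tuple[str, str]] = []
    for e in events:
        if e.sha256.lower() in BLOCKED_SHA256:
            alerts.append(("blocked_hash", e.image))
        if e.event_id == 1:
            name = PureWindowsPath(e.image).name.lower()
            ofn = e.original_file_name.lower()
            # Renamed copies keep the original name in the version resource.
            if ofn == "winrar.exe" and name != "winrar.exe":
                alerts.append(("renamed_winrar", e.image))
            elif ofn == "winrar.exe" and not in_trusted_root(e.image):
                alerts.append(("winrar_unexpected_path", e.image))
            # A Python interpreter in a temp/download folder is a hunt lead, not a block.
            if ofn in ("python.exe", "pythonw.exe") and is_user_writable(e.image) \
                    and PYTHON_INSTALL_HINT not in e.image.lower():
                alerts.append(("python_outside_install_path", e.image))
        elif e.event_id == 7 and not e.signed:
            # Sideload shape: unsigned DLL resolved from the executable's own directory,
            # and that directory is one a user could have populated.
            exe_dir = PureWindowsPath(e.image).parent
            dll_dir = PureWindowsPath(e.image_loaded).parent
            if exe_dir == dll_dir and is_user_writable(e.image_loaded):
                alerts.append(("possible_dll_sideload", e.image_loaded))
    return alerts


# Constructed sample telemetry: two benign baselines, four indicator events.
SAMPLE_EVENTS = [
    Event(1, r"C:\Program Files\WinRAR\WinRAR.exe", "WinRAR.exe"),  # benign install
    Event(1, r"C:\Users\alice\AppData\Local\Temp\Notice\update.exe", "WinRAR.exe",
          sha256="0000000000000000000000000000000000000000000000000000000000000001"),
    Event(1, r"C:\Users\alice\AppData\Local\Temp\Notice\pythonw.exe", "pythonw.exe"),
    Event(1, r"C:\Users\alice\AppData\Local\Programs\Python\Python312\python.exe",
          "python.exe"),  # benign per-user Python install
    Event(7, r"C:\Users\alice\AppData\Local\Temp\Notice\viewer.exe",
          image_loaded=r"C:\Users\alice\AppData\Local\Temp\Notice\helper.dll", signed=False),
    Event(7, r"C:\Windows\System32\notepad.exe",
          image_loaded=r"C:\Windows\System32\kernel32.dll", signed=True),  # benign
]

if __name__ == "__main__":
    for rule, path in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {path}")
```

The rules are deliberately narrow: the renamed-WinRAR and sideload checks are high-confidence on their own, while the Python-path check is only a hunting signal because per-user interpreters are common, which is why it is kept separate from the blocking logic. In production the same fields come from Sysmon or an EDR process and image-load stream rather than the inline list.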
References
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

