FortiGuard Labs Analysis: PureLogs Infostealer Delivered via PawsRunner Steganography Campaign
5d ago · 10 min read
Summary
FortiGuard Labs analyzes a malware campaign using steganography to deliver the PureLogs infostealer. The attack begins with a phishing email containing an HTML attachment that, when opened, executes JavaScript to download a malicious .NET binary (PawsRunner). PawsRunner uses steganography to extract a hidden payload from a PNG image hosted on ImgBB, ultimately deploying PureLogs — an information stealer that targets browser credentials, cryptocurrency wallets, and other sensitive data. The article details the technical infection chain, obfuscation techniques, and detection strategies.
Key quotes (3 pulled)
· "This blog outlines the malware's delivery vector and provides a technical analysis of PawsRunner and the subsequent deployment of an evolved PureLogs payload."
· "The functions declare a large number of Process environment variables containing garbled text. It then launches conhos"
· "Figure 1: Attack flow"
FortiGuard Labs has analyzed a steganography-based malware campaign that uses PawsRunner to deliver the PureLogs infostealer, highlighting evolving delivery methods and detection strategies.…
