PureLogs
PureLogs is a .NET-based information stealer in the Pure family of malware products developed by PureCoder and sold as a commercial malware-as-a-service tool on underground forums. It is used as a final-stage payload in multiple phishing- and loader-driven intrusion chains and has also been observed delivered via malicious software packages and extensions. Reported delivery mechanisms include purchase-order-, invoice-, payment-, and debt-themed phishing emails carrying RAR or TXZ archives; JavaScript and PowerShell-based fileless chains; the PawsRunner steganography loader; ClickFix-style PowerShell execution from the spoofed site canndelta.com; malicious Cursor AI/Open VSX and Visual Studio Code extensions targeting blockchain developers; and broader campaigns involving loaders such as PureCrypter, PowerLoader, VMDetector, and Donut shellcode. Associated activity includes campaigns attributed to Fluffy Wolf, use by the threat actor Alibaba2044 against Italian users, and deployment alongside malware such as PureRAT, Pay2Key, Vidar, Quasar, Violet RAT, VenomRAT, AsyncRAT, and PureHVNC.
Across the reporting, PureLogs is consistently described as harvesting sensitive data from browsers, email clients, cryptocurrency wallets, password managers, Discord, FTP clients, VPN clients, and other applications. Specifically mentioned data types include saved credentials, cookies, session tokens, browsing history, autofill data, clipboard contents, screenshots, hardware and OS profiling data, antivirus/security software details, Windows secrets, Discord tokens and metadata, FileZilla data, Outlook/Foxmail/MailBird/MailMaster/Thunderbird data, and wallet data from applications such as Bitcoin Core, Electrum, Exodus, Atomic Wallet, Guarda, Monero, Litecoin Core, Dash Core, Dogecoin Core, Binance, Daedalus, and MyCrypto. Some reporting also states it targets more than 100 cryptocurrency wallet browser extensions, communication apps including Telegram and Signal, and password managers including Bitwarden, LastPass, and 1Password.
Observed execution and evasion techniques include fileless PowerShell execution, in-memory .NET assembly loading, process hollowing and injection into trusted .NET Framework utilities (MSBuild.exe, RegAsm.exe, and InstallUtil.exe), layered obfuscation, payload decoding and decryption via Base64, XOR, DES, 3DES, and AES, GZip decompression, commercial protection with .NET Reactor and IntelliLock, steganographic payload retrieval from PNG images, ETW bypass, and anti-analysis checks in some variants. Some PureLogs builds operate as plugin-based stagers that establish encrypted raw TCP C2 and load operator-supplied .NET plugins in memory, while other builds are monolithic stealers with built-in credential and wallet theft capabilities.
Command-and-control and exfiltration behavior varies by campaign. Reported variants use TCP-based or HTTPS/TLS-based C2, often with endpoint paths such as /ping, /plugin, /userinfo, /browser, /discord, /crypto, /application, /filesearch/req, /filesearch/res, and /finish. Reporting notes that some operators separate categories of stolen data across different URLs. Indicators named explicitly in the underlying reporting include canndelta.com; 158.94.208.104 hosting /x7GkP2mQ9zL4/my_new_l.bin and /x7GkP2mQ9zL4/my_s.bin; IPs 178.16.52.232 and 158.94.208.92; C2 77.83.39.211:8443 with the listed endpoint paths; URL https://everycarebd.com/imagelkjh0987.png; IP 5.101.84.202; C2 host ydspwie.duckdns.org:9045; and relay.lmfao[.]su / 144.172.112[.]84 in the blockchain-developer compromise. Detection names mentioned include Kaspersky HEUR:Trojan-PSW.MSIL.PureLogs.gen and FortiGuard signatures such as JS/PureLogs.JAE!tr, PowerShell/PureLogs.DUQ!tr, MSIL/PureLogs.C702!tr, MSIL/PureLogs.YBT!tr, and MSIL/PureLogs.0EDE!tr.
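The indicator list above is only useful once it can be matched against telemetry, so the following is an added example (written for this page, not code from any of the cited vendor reports) that normalises defanged indicators and scores proxy-style log lines against the hosts and endpoint paths named in this section. The log lines, their timestamp/source/method/target/status layout, and the three severity tiers are constructed assumptions: a known host is a high-confidence hit, a PureLogs-specific path on an unknown host is medium, and a generic path such as /ping on an unknown host is only a weak signal.

```python
import re
from urllib.parse import urlsplit

# Hosts and IPs quoted on this page (defanged forms are accepted as written).
PURELOGS_HOSTS = {
    "canndelta.com", "everycarebd.com", "ydspwie.duckdns.org", "relay.lmfao[.]su",
    "158.94.208.104", "178.16.52.232", "158.94.208.92", "77.83.39.211",
    "5.101.84.202", "144.172.112[.]84",
}
# URL paths reported for PureLogs C2 endpoints and payload staging.
PURELOGS_PATHS = {
    "/ping", "/plugin", "/userinfo", "/browser", "/discord", "/crypto",
    "/application", "/filesearch/req", "/filesearch/res", "/finish",
    "/x7GkP2mQ9zL4/my_new_l.bin", "/x7GkP2mQ9zL4/my_s.bin", "/imagelkjh0987.png",
}
# Paths common enough in benign traffic that they are only a weak signal alone.
GENERIC_PATHS = {"/ping", "/browser", "/application", "/finish"}


def refang(value):
    """Turn defanged notation (hxxp, [.], [:]) back into a matchable URL/host."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.I)


KNOWN_HOSTS = {refang(h) for h in PURELOGS_HOSTS}


def classify(target):
    """Score one URL or host[:port] from a log line: returns (verdict, reasons)."""
    url = refang(target)
    if "://" not in url:
        url = "http://" + url          # bare host:port, e.g. from a CONNECT line
    parts = urlsplit(url)
    host = parts.hostname or ""        # urlsplit lower-cases the hostname
    path = parts.path.rstrip("/") or "/"  # path case is preserved (staging paths are mixed case)
    reasons = []
    if host in KNOWN_HOSTS:
        reasons.append("known PureLogs host " + host)
    if path in PURELOGS_PATHS:
        reasons.append("PureLogs endpoint path " + path)
    if host in KNOWN_HOSTS:
        return "high", reasons
    if reasons and path not in GENERIC_PATHS:
        return "medium", reasons
    if reasons:
        return "low", reasons
    return "none", reasons


# Constructed proxy log lines: timestamp, source IP, method, target, status.
SAMPLE_LOG = """\
2024-01-10T09:12:01Z 10.0.0.5 GET hxxp://everycarebd[.]com/imagelkjh0987.png 200
2024-01-10T09:12:07Z 10.0.0.5 CONNECT 77.83.39.211:8443 200
2024-01-10T09:12:09Z 10.0.0.5 POST https://77.83.39.211:8443/discord 200
2024-01-10T09:13:44Z 10.0.0.7 GET https://cdn.example.net/ping 200
2024-01-10T09:14:02Z 10.0.0.9 GET https://www.example.com/index.html 200
"""


def scan(log_text):
    """Return (source, target, verdict, reasons) for every line that scores."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        src, target = fields[1], fields[3]
        verdict, reasons = classify(target)
        if verdict != "none":
            hits.append((src, target, verdict, reasons))
    return hits


if __name__ == "__main__":
    for src, target, verdict, reasons in scan(SAMPLE_LOG):
        print(f"{verdict:6} {src:10} {target}  ({'; '.join(reasons)})")
```

Matching on the hostname rather than the raw string is deliberate: the same C2 shows up as a CONNECT target, a full URL, and a defanged string in reports, and all three should hit. Keep the generic-path tier low: /ping and /finish are ordinary enough that on their own they are a pivot, not an alert.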
Groups observed using it
3 distinct threat actors attributed by public researchers.
These scripts systematically deploy the final payloads, which include the notorious Pay2Key ransomware, the PureLogs information stealer, and the PureRAT trojan.
Cyble Research and Intelligence Labs analyzes a spam campaign dropping PureLogs stealer aimed at Italian users... This tool is used by the Threat Actor (TA) “Alibaba2044” to launch a malicious spam campaign at targets based in Italy on the 14th of December 2022.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
Attacks that leverage malicious open-source packages are becoming a major and growing threat... We analyzed the code of every version of this extension and confirmed that it was a fake... All it does is download and execute malicious code from the aforementioned web server.
Security researchers have uncovered a series of highly sophisticated Fluffy Wolf phishing attacks targeting Russian organizations across various critical sectors.
The infection chain begins with targeted social engineering messages sent directly to company personnel. Threat actors carefully disguise these malicious emails as urgent corporate purchase orders. For instance, the message instructs recipients to open a compressed file named PO 2026-P0803.rar to check an invoice.
Execution
5 techniques
If the victim extracts the archive, they find a script component called kpankocrs.js... Subsequently, the script launches an active PowerShell process with an execution policy bypass flag to run the code silently.
This screenshot clearly shows the code requesting and executing a PowerShell script from the web server angelic[.]su... when the malicious plugin was activated, it downloaded a PowerShell script from https://angelic[.]su/files/1.txt.
Further analysis revealed that the attackers used ScreenConnect to upload three VBScripts to the compromised machine: Each of these downloaded a PowerShell script from the text-sharing service paste.ee.
Privilege Escalation
2 techniques
Stealth
6 techniques
To hide its footprint, the delivery pipeline utilizes multiple advanced encryption layers and fileless components... This dynamic tool relies on commercial runtime packing software to prevent static analysis by defensive teams.
To remain hidden, the threat actors inject these payloads into trusted Windows processes such as RegAsm.exe, InstallUtil.exe, and MSBuild.exe.
The fileless script uses a custom wrapper block to run process hollowing against a trusted system file. Specifically, the code targets the native utility MsBuild.exe located within the Microsoft .NET Framework folders.
Credential Access
4 techniques
Similarly, the malware interrogates specific system directories to capture authentication tokens from messaging applications. It targets multiple Discord releases to perform unauthorized account takeovers without requiring passwords.
Once executed, PureLogs steals browser credentials, Windows secrets, cryptocurrency wallet data, password manager information, and session tokens.
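The Execution, Stealth and Credential Access excerpts above describe three behaviours a defender can hunt for on the endpoint: a script host launching PowerShell with the execution policy bypassed, a .NET Framework utility (MSBuild.exe, RegAsm.exe, InstallUtil.exe) started by a script interpreter with nothing to build, register or install, and a process other than Discord reading Discord's leveldb token store. The following is an added example by the editor, not code from any of the cited reports: three rules run over constructed Sysmon-style events. The event field names, the sample events, the host names and the severity labels are all assumptions, not a vendor schema.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HOLLOWING_HOSTS = {"msbuild.exe", "regasm.exe", "installutil.exe"}
DISCORD_IMAGES = {"discord.exe", "discordcanary.exe", "discordptb.exe"}

# -ExecutionPolicy Bypass in any of its abbreviated spellings (-ep, -exec, ...).
BYPASS_RE = re.compile(r"-(?:ep|ex[a-z]*)\s+bypass", re.I)
# Something for MSBuild/RegAsm/InstallUtil to actually work on.
WORK_ARG_RE = re.compile(r"\.(?:sln|csproj|vbproj|proj|targets|dll)\b", re.I)
# Discord's Local Storage leveldb directory, where its auth token is kept.
DISCORD_STORE_RE = re.compile(r"\\discord\\local storage\\leveldb\\", re.I)


def base(path):
    """Lower-cased image file name from a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()


def rule_script_host_powershell_bypass(ev):
    """wscript/cscript/mshta spawning PowerShell with the execution policy bypassed."""
    if ev["type"] != "process_create" or base(ev["image"]) not in POWERSHELL:
        return None
    if base(ev["parent_image"]) not in SCRIPT_HOSTS:
        return None
    return "high" if BYPASS_RE.search(ev["command_line"]) else None


def rule_hollowing_host_from_script(ev):
    """A .NET Framework utility started by a script interpreter. Hollowed hosts
    are usually launched with no project, assembly or installer to process."""
    if ev["type"] != "process_create" or base(ev["image"]) not in HOLLOWING_HOSTS:
        return None
    if base(ev["parent_image"]) not in SCRIPT_HOSTS | POWERSHELL:
        return None
    bare = WORK_ARG_RE.search(ev["command_line"]) is None
    return "high" if bare else "medium"


def rule_discord_token_store_read(ev):
    """Any process other than Discord itself reading the leveldb token store."""
    if ev["type"] != "file_read" or base(ev["image"]) in DISCORD_IMAGES:
        return None
    return "high" if DISCORD_STORE_RE.search(ev["target_path"]) else None


RULES = [
    ("script_host_powershell_bypass", rule_script_host_powershell_bypass),
    ("hollowing_host_from_script", rule_hollowing_host_from_script),
    ("discord_token_store_read", rule_discord_token_store_read),
]


def run_rules(events):
    """Apply every rule to every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for name, rule in RULES:
            severity = rule(ev)
            if severity:
                alerts.append({"rule": name, "severity": severity,
                               "host": ev["host"], "image": ev["image"]})
    return alerts


# Constructed Sysmon-style events (field names are an assumption, not a schema).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -ExecutionPolicy Bypass -NoProfile -w hidden -c "..."'},
    {"type": "process_create", "host": "WS01",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'},
    {"type": "process_create", "host": "DEV02",      # benign build, should not fire
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe MyApp.csproj /t:Build"},
    {"type": "file_read", "host": "WS01",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "target_path": r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"type": "file_read", "host": "WS01",            # Discord reading its own store
     "image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "target_path": r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f'{a["severity"]:6} {a["rule"]:32} {a["host"]} {a["image"]}')
```

The second rule keys on the parent process rather than on MSBuild.exe alone because Visual Studio and build agents start MSBuild constantly; what is abnormal is a script interpreter starting it, and a hollowed host normally carries no build input on its command line, which is why the bare launch is scored higher. The Discord rule generalises the same way to any token or cookie store: allow-list the owning application and alert on everyone else.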
Discovery
2 techniques
Collection
4 techniques
Command and Control
3 techniques
Both implants communicated with the C2 server 144.172.112[.]84, which resolved to relay.lmfao[.]su at the time of our analysis.
IOCs tracked for this family
95 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
44 sources tracked across advisories, community write-ups, and news.
Information stealer that harvests browser credentials, search histories, and application data, with stolen data categorized and routed to dedicated server endpoints.
Information-stealing malware delivered via malicious PowerShell in a ClickFix campaign. It uses fileless execution, Donut shellcode, RWX memory allocation, and in-memory .NET assembly loading to evade detection, then steals browser credentials, Windows secrets, cryptocurrency wallet data, password manager information, and session tokens. It also uses TCP-based C2 to exfiltrate stolen data and receive attacker-controlled configurations.
A multi-stage, fileless information stealer delivered via phishing emails disguised as purchase orders. It uses JavaScript, PowerShell, in-memory .NET modules, process hollowing into MsBuild.exe, encrypted C2 communications, and an obfuscated DLL payload to steal screenshots, hardware details, clipboard data, browser credentials and cookies, Discord tokens, cryptocurrency wallet data, email client data, and FileZilla data.
PureLogs is a .NET-based infostealer delivered via phishing emails with obfuscated JavaScript and PowerShell stages. This variant uses process hollowing into MsBuild.exe, in-memory loading of an encrypted .NET module, and commercial obfuscation to evade detection while stealing browser credentials, cookies, autofill data, cryptocurrency wallet data, email client data, FTP credentials, and VPN-related information, then exfiltrating it over encrypted HTTPS.