PureLogs
PureLogs is a .NET-based information stealer in the Pure family of malware products developed by PureCoder and sold as part of the PureCoder malware-as-a-service ecosystem. Public reporting describes both monolithic and plugin-based PureLogs variants, including a version identified as 5.0.0. PureLogs has been delivered through multiple phishing and ClickFix campaigns, including purchase-order, invoice, payments, and licensing-themed lures, as well as through multi-stage intrusion chains using loaders such as PureCrypter, PawsRunner, PowerLoader, Donut-based shellcode chains, malicious JavaScript, PowerShell, and process hollowing into MsBuild.exe. The malware is repeatedly described as executing filelessly or largely in memory, using layered obfuscation and protection including ConfuserEx, .NET Reactor, IntelliLock, AES, DES, TripleDES/3DES, GZip compression, protobuf serialization, and reflection-based assembly loading.
Across the cited campaigns, PureLogs profiles the victim environment and steals a broad range of data from Windows systems. High-confidence capabilities named in that reporting include theft of browser credentials, cookies, session tokens, browsing history, autofill data, Windows secrets, screenshots, clipboard contents, hardware and OS details, installed security software information, Discord tokens and metadata, cryptocurrency wallet files and keys, password manager data, email client data, FTP client data, VPN client credentials, and data from applications such as Outlook, Thunderbird, Foxmail, MailBird, MailMaster, FileZilla, Pidgin, OpenVPN, ProtonVPN, DownloadManager, Steam, WinSCP, OBS Studio, Telegram, and Signal. Some reporting also states that PureLogs targets more than 80 browsers, more than 100 cryptocurrency wallet extensions and desktop wallets, and numerous browser extensions including crypto wallets, password managers, and authenticators.
The malware communicates with command-and-control infrastructure over TCP or HTTPS/TLS, depending on the variant, and exfiltrates encrypted and often GZip-compressed data to multiple endpoints. Reported PureLogs-related endpoints include /ping, /plugin, /userinfo, /browser, /discord, /crypto, /application, /filesearch/req, /filesearch/res, and /finish. The reporting associates PureLogs with several threat clusters and campaigns, including phishing activity analyzed by FortiGuard Labs, ClickFix delivery chains, the Fluffy Wolf campaign targeting Russian companies in the construction, consulting, engineering, retail, e-commerce, and industrial sectors, and the SERPENTINE#CLOUD intrusion set, where PureLogs appeared alongside PureCrypter, Violet RAT, PureHVNC, Remcos, and other commodity malware. It also notes use by the threat actor Alibaba2044 in a spam campaign targeting Italy.
High-confidence indicators of compromise directly mentioned in the content include domains and infrastructure such as canndelta.com, 77.83.39.211:8443, 5.101.84.202, everycarebd.com/imagelkjh0987.png, ydspwie.duckdns.org:9045, and nhvncpure-related infrastructure shared with other PureCoder tools. Reported filenames and artifacts include kpankocrs.js, zgSGkYYzqVe.dll, Iwnflr.exe, Rmiyj.dll, Mvfsxog.dll, Qdjlj.dll, and Fviwknzr.exe. Additional IOCs listed in the content include URLs hosted on 158.94.208.104, IPs 178.16.52.232 and 158.94.208.92, and numerous SHA-256 hashes such as 3D510977D60A44322F88100B515F06CB5ED83BABC64247068D1A489595FAA6C5, 670384FAFB23140D96F2F8FE04A13FC8CC8E2A6E5E8C973E39B58D103C5FEA92, B90988400CCED319D260C4937F334ECC364785ED5C593CD2139965E62CA58173, E20B35A8C30E076CDD0E1DF05BA1FF2E418DBD39A674F084787CC0AF2FDA9E95, 07CD03E2082BCB0B890CC59CE4C770D1A095AC6F1AE9CF999F5542555C56F841, 8d0bcde739929fe41a6bcaaa62f7cba802af90b2ba8dea6ed1a4821236cdd588, 6910d27b9e1dc2229a8c280f5d0cea85146d50274c56a4d9a5b8d1793505b1b9, 93724f1a9ad3a28c171927fc449ac34dc6ca890f915f00210e8b305577388c6e, 0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e, 1b730de72f921458b6b162b105a9521a931f07e19d3cac53207c7a8efbc412f9, e2308749f6b7b7573009d0cac6616a6aa83cecb1f2933e868776400d122c86ec, 046d0e83c1e6dcaf526127b81b962042e495f5ae3a748f3a9452be62f905acf8, and cdf87d68885caa3e94713ded9dd5e51c39b7bc7ef9bf7d63a4ff5ab917a96b36.
Groups observed using it
3 distinct threat actors attributed by public researchers.
The archives contained various loaders and droppers intended to deliver the PureLogs and PureRAT malware and the Pay2Key ransomware.
Cyble Research and Intelligence Labs analyzes a spam campaign dropping PureLogs stealer aimed at Italian users... This tool is used by the Threat Actor (TA) “Alibaba2044” to launch a malicious spam campaign at targets based in Italy on the 14th of December 2022.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
This research analyzes a ClickFix campaign leveraging the spoofed licensing-themed website canndelta.com to deliver the PureLogs stealer
The infection chain begins with targeted social engineering messages sent directly to company personnel. Threat actors carefully disguise these malicious emails as urgent corporate purchase orders. For instance, the message instructs recipients to open a compressed file named PO 2026-P0803.rar to check an invoice.
...and in other cases the victim was given a link to a GitHub repository from which a RAR archive was downloaded. According to the researchers, Fluffy Wolf actively uses GitHub because such links look legitimate and help bypass email filters...
Execution
4 techniques
If the victim extracts the archive, they find a script component called kpankocrs.js... Subsequently, the script launches an active PowerShell process with an execution policy bypass flag to run the code silently.
This research analyzes a ClickFix campaign leveraging the spoofed licensing-themed website canndelta.com to deliver the PureLogs stealer through malicious PowerShell commands.
If the victim extracts the archive, they find a script component called kpankocrs.js. When executed, this malicious JavaScript file extracts a secondary encrypted shell file.
Privilege Escalation
2 techniques
The attack uses Donut shellcode, fileless execution, RWX memory allocation, and in-memory .NET assembly loading to evade detection.
Stealth
6 techniques
To hide its footprint, the delivery pipeline utilizes multiple advanced encryption layers and fileless components... This dynamic tool relies on commercial runtime packing software to prevent static analysis by defensive teams.
The fileless script uses a custom wrapper block to run process hollowing against a trusted system file. Specifically, the code targets the native utility MsBuild.exe located within the Microsoft .NET Framework folders.
This hidden payload decodes an embedded assembly binary in host memory using an XOR rotation method.
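The Execution and Stealth excerpts above describe one chain: a JavaScript dropper launching PowerShell with an execution-policy bypass, which then hollows the .NET Framework MSBuild.exe. The following detection logic over constructed, Sysmon-style process-creation events is an added example (not code from the cited reports or from Mallory); the "MSBuild launched with no project argument" heuristic is an assumption of this example, not a detail from the reporting.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str

# Constructed sample events (not taken from the reporting above).
SAMPLE_EVENTS = [
    ProcEvent(400, 300, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\kpankocrs.js"'),
    ProcEvent(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -w hidden -enc AAAA"),
    ProcEvent(700, 600, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              "MSBuild.exe"),
    ProcEvent(800, 400, r"C:\Program Files\dotnet\dotnet.exe", "dotnet build app.csproj"),
    ProcEvent(900, 410, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              "MSBuild.exe app.sln"),   # parent unknown: benign build, not flagged
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BYPASS_RE = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.IGNORECASE)
# MSBuild.exe inside the .NET Framework folders, as named in the reporting.
NET_FRAMEWORK_MSBUILD_RE = re.compile(
    r"\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\MSBuild\.exe$", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_chains(events):
    """Return (rule, pid) findings for each stage of the described chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Stage 1: script host spawning PowerShell with an execution-policy bypass.
        if (basename(e.image) == "powershell.exe" and basename(parent.image) in SCRIPT_HOSTS
                and BYPASS_RE.search(e.cmdline)):
            findings.append(("script_to_powershell_bypass", e.pid))
        # Stage 2: PowerShell spawning Framework MSBuild.exe with no project file on the
        # command line, consistent with a hollowing host (heuristic assumption).
        if (NET_FRAMEWORK_MSBUILD_RE.search(e.image) and basename(parent.image) == "powershell.exe"
                and len(e.cmdline.split()) == 1):
            findings.append(("powershell_to_msbuild_no_project", e.pid))
    return findings
```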
Credential Access
4 techniques
Similarly, the malware interrogates specific system directories to capture authentication tokens from messaging applications. It targets multiple Discord releases to perform unauthorized account takeovers without requiring passwords.
Once executed, PureLogs steals browser credentials, Windows secrets, cryptocurrency wallet data, password manager information, and session tokens.
Edge credentials are extracted from the '%LocalAppData%\Microsoft\Edge\User Data\Default\Login Data' file... Targeted web browsers include: Google Chrome... Microsoft Edge... Mozilla Firefox...
Discovery
2 techniques
Moreover, the agent scans local registry keys to harvest private keys from popular cryptocurrency wallets.
First, it takes interactive screenshots and scrapes detailed hardware properties like processor configurations. In addition, the spyware reads local clipboard balances and searches for security software details.
Collection
4 techniques
Finally, it extracts data from email clients and file transfer applications like FileZilla.
The malware serializes all collected information, compresses it with GZip... After being encrypted... the collected credentials are submitted via an HTTP POST request... it then decompresses (GUNZIP) the decrypted data to restore the original plugin module in memory.
Command and Control
3 techniques
The malware also establishes TCP-based C2 communication to exfiltrate stolen data and receive attacker-controlled configurations.
To confirm server availability, the system sends a standard network request to a designated URL endpoint. For instance, the downloader invokes an asynchronous web client to ping the controller IP address.
Indicators of Compromise (IOC) List
Domain: https://canndelta.com
http://158.94.208.104/x7GkP2mQ9zL4/my_new_l.bin
http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin
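For the HTTP(S) variants, the sequence above (a request to /ping to confirm the controller is up, then POSTs of collected data to the reported endpoints) can be hunted in proxy logs. The following is an added example (not code from the cited reports or from Mallory) run over constructed log lines; the controller address 203.0.113.10:8443 is a documentation-range placeholder, and the "ping followed by at least two data endpoints" threshold is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines: "<client_ip> <method> <url> <status>" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 GET http://203.0.113.10:8443/ping 200
10.0.0.5 POST http://203.0.113.10:8443/userinfo 200
10.0.0.5 POST http://203.0.113.10:8443/browser 200
10.0.0.5 POST http://203.0.113.10:8443/finish 200
10.0.0.7 GET http://intranet.example/ping 200
10.0.0.9 POST http://cdn.example/browser 200
"""

# Endpoint paths attributed to PureLogs in the reporting above.
PING = "/ping"
DATA_ENDPOINTS = {"/plugin", "/userinfo", "/browser", "/discord", "/crypto",
                  "/application", "/filesearch/req", "/filesearch/res", "/finish"}

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/]+)(?P<path>/[^?#]*)?")

def parse_line(line):
    """Parse one log line into client, method, host and normalized path, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    path = (u["path"] or "/").rstrip("/") or "/"
    return {"client": m["client"], "method": m["method"], "host": u["host"], "path": path}

def find_purelogs_sessions(log_text, min_data_hits=2):
    """Return {(client, host): sorted data endpoints} for pairs whose traffic shows a
    /ping followed by POSTs to at least min_data_hits distinct PureLogs data endpoints."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            per_pair[(ev["client"], ev["host"])].append((ev["method"], ev["path"]))
    hits = {}
    for key, events in per_pair.items():
        paths = [p for _, p in events]
        if PING not in paths:
            continue  # a lone data-endpoint hit is too generic on its own
        after_ping = events[paths.index(PING) + 1:]
        data = {p for m, p in after_ping if m == "POST" and p in DATA_ENDPOINTS}
        if len(data) >= min_data_hits:
            hits[key] = sorted(data)
    return hits
```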
Exfiltration
1 technique
The malware also establishes TCP-based C2 communication to exfiltrate stolen data and receive attacker-controlled configurations.
IOCs tracked for this family
92 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
42 sources tracked across advisories, community write-ups, and news.
Information-stealing malware delivered via malicious PowerShell in a ClickFix campaign. It uses fileless execution, Donut shellcode, RWX memory allocation, and in-memory .NET assembly loading to evade detection, then steals browser credentials, Windows secrets, cryptocurrency wallet data, password manager information, and session tokens. It also uses TCP-based C2 to exfiltrate stolen data and receive attacker-controlled configurations.
A multi-stage, fileless information stealer delivered via phishing emails disguised as purchase orders. It uses JavaScript, PowerShell, in-memory .NET modules, process hollowing into MsBuild.exe, encrypted C2 communications, and an obfuscated DLL payload to steal screenshots, hardware details, clipboard data, browser credentials and cookies, Discord tokens, cryptocurrency wallet data, email client data, and FileZilla data.
PureLogs is a .NET-based infostealer delivered via phishing emails with obfuscated JavaScript and PowerShell stages. This variant uses process hollowing into MsBuild.exe, in-memory loading of an encrypted .NET module, and commercial obfuscation to evade detection while stealing browser credentials, cookies, autofill data, cryptocurrency wallet data, email client data, FTP credentials, and VPN-related information, then exfiltrating it over encrypted HTTPS.
An infostealer used to steal credentials, cookies, browser history, and data from email clients.