FortiGuard Labs is tracking a phishing campaign that uses PawsRunner, a steganography-based loader, to deliver the PureLogs infostealer. The campaign is not just another commodity stealer story. It shows how malware operators are making delivery chains harder to inspect by hiding executable payloads inside otherwise ordinary-looking files.
The reported chain starts with an invoice-themed phishing email containing a TXZ archive. Once opened, embedded JavaScript sets large numbers of process environment variables, launches hidden execution, and uses PowerShell to decode, decrypt, decompress, and load .NET payloads in memory. From there, PawsRunner retrieves the next stage through multiple network APIs and can process HTML, Base64 data, or PNG files that contain hidden encrypted payloads.
That matters because many small and mid-sized organizations still tune detection around obvious downloads, suspicious attachments, or known executable formats. PawsRunner pushes defenders into a messier problem: a “legitimate-file-plus-hidden-data” model where an image request may be part of the malware delivery chain.
Why this matters for SMBs and government contractors
PureLogs is built to steal data that directly supports follow-on compromise. FortiGuard describes harvesting across browsers, browser extensions, Discord data, files, and system information. For a small business or government contractor, that means the first compromised workstation can quickly become an identity incident, a cloud access problem, or a client-data exposure.
This is especially relevant for organizations that rely heavily on browser-based operations: Microsoft 365, Google Workspace, cloud consoles, banking portals, payroll systems, CRM platforms, and contractor portals. If browser sessions, saved passwords, cookies, or extension data are taken, the breach may not stop at the infected endpoint.
Defensive takeaways
- Treat invoice archives as high risk. Block or sandbox uncommon compressed formats like TXZ/TAR/XZ when they arrive through email from outside the organization.
- Watch for environment-variable abuse. Large numbers of newly created process environment variables tied to script execution should stand out in endpoint telemetry.
- Alert on hidden PowerShell and conhost behavior. PowerShell with hidden windows, encoded/decrypted payload handling, or reflection-based .NET loading deserves immediate review.
- Inspect image-based payload delivery. PNG downloads from unusual hosts, especially followed by in-memory .NET execution, should be correlated rather than treated as benign web noise.
- Harden browser credential exposure. Disable unmanaged password storage where possible, enforce phishing-resistant MFA for sensitive systems, and monitor for abnormal session reuse.
- Scope beyond the machine. If a stealer is confirmed, rotate credentials, invalidate sessions, review OAuth/app tokens, and check cloud audit logs before declaring containment.
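The takeaways above describe individual signals, but the useful detection is the correlation across them: no single PNG download or PowerShell launch is conclusive, while several chain stages on one host inside a short window are. The following Python is an added example written for this post; it is not FortiGuard or Bulwark Black code and does not reproduce PawsRunner. It walks constructed endpoint telemetry (hypothetical hostnames, paths, IP, timestamps and field names such as `env_var_count` and `backed_by_file`), maps each record to a chain stage (archive from mail client, environment-variable flood, hidden or encoded PowerShell, PNG fetched by a non-browser from an unknown host, file-less .NET assembly load) and alerts when at least three distinct stages occur within ten minutes on the same host. The thresholds and the allow-lists are assumed tuning values, not figures from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample telemetry (hypothetical hosts, paths, IP and timestamps):
# one host that walks the whole chain and one benign host for contrast.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "type": "file_open",
     "path": "C:\\Users\\amy\\Downloads\\invoice_4471.txz", "parent": "outlook.exe"},
    {"ts": "2024-05-01T09:00:05", "host": "ws-17", "type": "process",
     "image": "wscript.exe", "cmdline": "wscript.exe invoice.js",
     "env_var_count": 1400, "hidden_window": False},
    {"ts": "2024-05-01T09:00:07", "host": "ws-17", "type": "process",
     "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -enc QQBCAEMA",
     "env_var_count": 40, "hidden_window": True},
    {"ts": "2024-05-01T09:00:09", "host": "ws-17", "type": "net",
     "image": "powershell.exe", "url": "http://203.0.113.10/img/cat.png",
     "content_type": "image/png"},
    {"ts": "2024-05-01T09:00:10", "host": "ws-17", "type": "module_load",
     "image": "powershell.exe", "api": "System.Reflection.Assembly.Load",
     "backed_by_file": False},
    # Benign: a browser fetching a PNG from a known CDN, then an interactive PowerShell.
    {"ts": "2024-05-01T10:00:00", "host": "ws-22", "type": "net",
     "image": "chrome.exe", "url": "https://cdn.example.com/logo.png",
     "content_type": "image/png"},
    {"ts": "2024-05-01T10:00:01", "host": "ws-22", "type": "process",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-Service",
     "env_var_count": 45, "hidden_window": False},
]

# Tunables (assumed values for this example, not figures from the report).
ARCHIVE_EXTS = (".txz", ".xz", ".tar")
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
KNOWN_IMAGE_HOSTS = {"cdn.example.com"}
ENV_VAR_THRESHOLD = 200          # ordinary Windows processes carry a few dozen
WINDOW = timedelta(minutes=10)
MIN_STAGES_TO_ALERT = 3


def stages_for(ev):
    """Return the set of chain stages that a single telemetry record evidences."""
    found = set()
    t = ev["type"]
    if t == "file_open" and ev["path"].lower().endswith(ARCHIVE_EXTS) \
            and ev.get("parent") in MAIL_CLIENTS:
        found.add("archive_from_mail")
    if t == "process":
        if ev.get("env_var_count", 0) >= ENV_VAR_THRESHOLD:
            found.add("env_var_flood")
        cmd = ev.get("cmdline", "").lower()
        if ev["image"] == "powershell.exe" and (ev.get("hidden_window")
                or " -enc" in cmd or "-encodedcommand" in cmd or "-w hidden" in cmd):
            found.add("hidden_powershell")
    if t == "net" and ev.get("content_type") == "image/png":
        host = urlparse(ev["url"]).hostname
        # A PNG pulled by a script host from an unknown origin is the interesting case.
        if host not in KNOWN_IMAGE_HOSTS and ev["image"] not in BROWSERS:
            found.add("image_fetch_by_script")
    if t == "module_load" and "Assembly.Load" in ev.get("api", "") \
            and not ev.get("backed_by_file", True):
        found.add("inmemory_dotnet_load")
    return found


def correlate(events):
    """Group stage hits per host and alert when MIN_STAGES_TO_ALERT distinct stages
    occur within WINDOW of any single hit. At most one alert per host."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage in stages_for(ev):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for host, stage_hits in hits.items():
        for i, (t0, _) in enumerate(stage_hits):
            stages = {s for t, s in stage_hits[i:] if t - t0 <= WINDOW}
            if len(stages) >= MIN_STAGES_TO_ALERT:
                alerts.append({"host": host, "first_seen": t0.isoformat(),
                               "stages": sorted(stages)})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the script emits one alert for `ws-17` carrying all five stages and nothing for `ws-22`, even though the benign host also fetched a PNG and ran PowerShell. That contrast is the point of the design: each stage check is deliberately loose on its own and would be noisy as a standalone rule, and the per-host window is what turns them into a usable signal.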
Bulwark Black assessment
The practical lesson is that infostealer response has to be identity-centric, not just endpoint-centric. Removing the malware is necessary, but it is not enough if the attacker already collected browser sessions, credentials, extension data, and system context. For SMBs and government contractors, the incident response playbook should assume that a stealer infection may lead to SaaS compromise, vendor portal abuse, fraudulent payments, or data extortion.
PawsRunner also reinforces a broader trend: loaders are becoming more evasive, more modular, and more comfortable hiding inside normal-looking content. Defenders should focus less on a single file extension or hash and more on behavior across the chain: archive execution, script staging, hidden PowerShell, image retrieval, in-memory loading, and outbound C2.
Source: FortiGuard Labs — PureLogs: Delivery via PawsRunner Steganography.
