{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/purelogs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PureLogs"],"_cs_severities":["medium"],"_cs_tags":["steganography","infostealer","malware"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFortiGuard Labs has identified a new malware campaign in May 2026 employing steganography to deliver the PureLogs infostealer. This campaign leverages PawsRunner, a tool likely used to facilitate the execution or delivery of the payload embedded within the steganographic image. The use of steganography allows attackers to conceal malicious code within seemingly benign image files, evading traditional signature-based detection methods. This shift in delivery mechanism requires defenders to adapt and implement more sophisticated detection strategies focused on identifying anomalous behavior related to image processing and execution of hidden payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with the victim receiving a seemingly harmless image file, potentially through email or a compromised website.\u003c/li\u003e\n\u003cli\u003eThe image file contains a hidden PureLogs infostealer payload embedded using steganographic techniques.\u003c/li\u003e\n\u003cli\u003ePawsRunner, a tool not fully detailed in the source, is employed to extract and execute the concealed PureLogs payload from the image.\u003c/li\u003e\n\u003cli\u003ePureLogs, once executed, begins collecting sensitive information from the compromised system.\u003c/li\u003e\n\u003cli\u003eThe infostealer gathers credentials, browser data, cookies, and other sensitive information.\u003c/li\u003e\n\u003cli\u003ePureLogs establishes a connection to a command-and-control (C2) server to exfiltrate the stolen data.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the exfiltrated data, enabling them to perform further malicious activities such as account compromise, identity theft, or financial fraud.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leads to the compromise of sensitive user data, including credentials, browsing history, and potentially financial information. The number of victims and specific sectors targeted are not detailed in the source. However, the deployment of an infostealer like PureLogs can result in significant financial losses, reputational damage, and potential legal liabilities for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement anomaly detection on image processing to identify unusual activities like execution of code from image files (refer to the Sigma rule detecting process creation from unusual image paths).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to known command-and-control (C2) infrastructure associated with PureLogs if additional IOCs become available.\u003c/li\u003e\n\u003cli\u003eImplement and tune the provided Sigma rule to detect the execution of PawsRunner, which is used to extract and execute the concealed PureLogs payload.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T16:02:26Z","date_published":"2026-05-15T16:02:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-purelogs-pawsrunner/","summary":"A steganography-based malware campaign uses PawsRunner to deliver the PureLogs infostealer, highlighting evolving delivery methods.","title":"PureLogs Infostealer Delivered via PawsRunner Steganography","url":"https://feed.craftedsignal.io/briefs/2026-05-purelogs-pawsrunner/"}],"language":"en","title":"CraftedSignal Threat Feed — PureLogs","version":"https://jsonfeed.org/version/1.1"}