
PureLogs Infostealer Campaign Targets Users via Phishing with Cat Photos

Severity: Medium (Score: 51.9)

Sources: Feeds2.Feedburner, Gbhackers

Published: 2026-05-19 · Updated: 2026-05-20

Keywords: purelogs, infostealer, phishing, campaign, hiding, inside, stealing

Severity indicators: stealer, infostealer, credentials

Summary

A new phishing campaign is distributing the PureLogs infostealer, which targets Windows machines. The attack begins with an email carrying a TXZ archive disguised as an urgent invoice, pressuring victims into opening it quickly. Once extracted, the archive reveals a JavaScript file that executes malicious commands. Hiding malware in seemingly harmless files in this way is becoming increasingly common among threat actors. The campaign has been confirmed by Fortinet researchers and is reported to have widespread impact on users globally, although specific numbers of affected users or systems were not disclosed in the articles. The attack relies on social engineering to increase the likelihood that the victim interacts with the malicious payload. The campaign remained active as of May 19, 2026.

Key Points:

  • PureLogs infostealer is delivered via phishing emails disguised as invoices.
  • Malicious payloads are hidden in TXZ archives containing JavaScript files.
  • The attack uses social engineering to pressure victims into opening the files.

Detailed Analysis

**Impact**

The campaign targets Windows users globally through phishing emails disguised as urgent invoices. The PureLogs infostealer aims to harvest credentials and sensitive information, potentially compromising personal and corporate accounts. No specific sectors or geographic concentrations were detailed in the reports.

**Technical Details**

The attack vector is a phishing email with a TXZ archive attachment that, once extracted, reveals a JavaScript loader named PawsRunner. This loader decrypts and executes the PureLogs infostealer, which stores malicious commands in process environment variables. The encrypted payloads are concealed within cat photos. No CVEs or specific infrastructure details were provided.

**Recommended Response**

Defenders should prioritize blocking emails containing TXZ attachments and monitor for unusual use of process environment variables. Deploy detections for PawsRunner loader and PureLogs infostealer behaviors. User awareness training on phishing, especially invoice-themed lures, is advised. No patching information is available; monitoring for related indicators of compromise is recommended.
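As an added defender-side example (not code from the source articles or from Fortinet), the following Python check inspects a TXZ attachment's member listing for Windows Script Host file types before the archive reaches a user, mirroring the TXZ-with-JavaScript delivery described above. The extensions beyond .js, the file names and the in-memory sample archives are assumptions constructed for the demonstration.

```python
import io
import tarfile

# Extensions Windows hands to the Windows Script Host on double-click. The campaign
# above uses a .js loader; the sibling types are an assumption about how a gateway
# policy would normally group them.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe")


def suspicious_members(txz_bytes: bytes) -> list[str]:
    """Names of members in a .txz (tar.xz) archive that should be treated as
    executable script content. Only the member listing is read; nothing is
    extracted to disk."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(txz_bytes), mode="r:xz") as tar:
        for member in tar.getmembers():
            name = member.name.lower()
            # Lowercasing also catches double extensions such as Invoice.pdf.JS.
            if member.isfile() and name.endswith(SCRIPT_EXTENSIONS):
                findings.append(member.name)
    return findings


def build_txz(files: dict[str, bytes]) -> bytes:
    """Constructed sample input: pack a name->content mapping into an in-memory .txz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def verdict(txz_bytes: bytes) -> str:
    """Gateway decision for one attachment: quarantine if any script member is present."""
    return "quarantine" if suspicious_members(txz_bytes) else "allow"


if __name__ == "__main__":
    # Constructed lure: an "invoice" archive whose only member is a JScript file with a
    # double extension, as in the TXZ-with-JavaScript delivery described above (inert stub).
    lure = build_txz({"Invoice_2026-05.pdf.js": b"// constructed inert stub\n"})
    benign = build_txz({"Invoice_2026-05.pdf": b"%PDF-1.4 constructed\n"})
    print(verdict(lure), suspicious_members(lure))  # quarantine ['Invoice_2026-05.pdf.js']
    print(verdict(benign))  # allow
```

This complements, rather than replaces, the blanket TXZ block recommended above: it lets a gateway that must accept some TXZ archives still reject the ones carrying script loaders.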

Source articles (2)

  • PureLogs infostealer is stealing credentials worldwide — Feeds2.Feedburner · 2026-05-19
    A phishing campaign is smuggling the powerful PureLogs information stealer onto targets’ Windows machines by hiding encrypted malicious payloads inside cat photos, Fortinet researchers discovered. The…
  • Hackers Hide PureLogs Infostealer in PawsRunner Loader — Gbhackers · 2026-05-18
    Threat actors are increasingly hiding malware inside seemingly harmless files, and a new campaign shows just how effective this tactic has become. The attack begins with a phishing email carrying a TX…

Timeline

  • 2026-05-18 — Phishing campaign identified: Fortinet researchers discovered a new phishing campaign distributing PureLogs infostealer via TXZ archives.
  • 2026-05-19 — PureLogs infostealer details published: HelpNet Security reported on the PureLogs infostealer campaign, confirming its global reach and use of cat photos for delivery.

Related entities

  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Purelogs (Malware)
  • PureLogs Infostealer (Malware)
  • T1566.001 - Spearphishing Attachment (Mitre Attack)
  • Windows (Platform)