PURELOGS Payload Hidden in Weaponized PNG Images Used in Stealth Attacks

A sophisticated PURELOGS infostealer campaign that weaponizes PNG image files to evade detection.The attack begins with a phishing email disguised as a pharmaceutical invoice containing a ZIP archive with a JScript (.js) file.

Unlike browser-based JavaScript, this Windows Script Host file executes with full operating system privileges through the Windows scripting engine, granting direct access to COM objects for system manipulation.

Once decoded, the script launches a hidden PowerShell process using Windows Management Instrumentation (WMI) and executes a Base64-encoded payload in memory with Invoke-Expression.

Louis Schürmann, a security analyst at the organization, documented a four-stage attack chain that leverages legitimate infrastructure, fileless execution, and polyglot file techniques to deliver the commodity malware while bypassing traditional security controls.

This fileless execution technique ensures no malicious files are written to disk, allowing the malware to bypass file-based antivirus detection.

PNG Polyglot Hides Payload on Archive.org

The PowerShell script downloads what appears to be a standard PNG image from archive.org, a trusted and legitimate website.

This infrastructure choice is deliberate network traffic to well-known platforms rarely triggers security alerts, providing adequate cover for malicious activity.

The PNG file is actually a polyglot, a file that remains valid in multiple formats. The attackers embedded a Base64-encoded payload after the IEND chunk, which marks the official end of PNG image data.

The file renders normally in image viewers, but the malware sits between custom markers labeled “BaseStart-” and “-BaseEnd.”

Using regex pattern matching, the PowerShell script extracts the payload between these markers and downloads it as a string with DownloadString() rather than DownloadFile(). This ensures the malicious content never touches the disk.

After Base64 decoding, the script loads the payload directly into memory using .NET Reflection, bypassing signature-based detection entirely.

The next stage is a .NET assembly called VMDetectLoader, which performs environment checks and injects the final payload.

In this campaign, the loader includes virtual machine detection to terminate if running in a sandbox, a common automated analysis environment. The loader targets CasPol.exe, a legitimate Microsoft .NET Framework utility, for process injection.

VMDetectLoader employs a RunPE (process hollowing) technique, launching CasPol.exe in a suspended state, removing its original code from memory, and replacing it with the decoded payload.

The JScript dropper appears obfuscated with non-ASCII characters that break static analysis tools.

From the operating system’s perspective, CasPol.exe is running normally, allowing the malware to masquerade as a trusted Microsoft process.

PURELOGS Stealer Targets Credentials

After four deobfuscation layers, the PURELOGS infostealer executes within the hollowed CasPol.exe process.

PURELOGS is a Malware-as-a-Service (MaaS) commodity sold for approximately $150 monthly by a developer known as PureCoder.

The stealer targets Chromium-based browsers, cryptocurrency wallets, email clients, FTP applications, and messaging platforms.

The malware decrypts Windows Data Protection API (DPAPI) protected browser credentials, harvests session cookies, autofill data, and credit card information.

For cryptocurrency theft, PURELOGS targets over 30 desktop wallet applications and 70+ browser-based Web3 wallet extensions, including MetaMask, Phantom, and Trust Wallet.

IOC’s

Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.