www.darkreading.com 3/23/2026, 3:43:24 PM · via preferred

Attackers Hide Infostealer in Copyright Infringement Notices

Attackers hide an infostealer within copyright infringement notices as part of a phishing campaign that targets healthcare, government, hospitality, and education sectors across multiple countries. The operation, which aims to install PureLog Stealer, has primarily targeted healthcare and government organisations in Germany and Canada, with victims in the US and Australia also noted, according to Trend Micro.

Initial access relies on phishing emails that lure victims into downloading a malicious executable tailored to the recipient’s local language. Delivery is fileless and in-memory: a two-stage loader process, including Python-based loaders and dual .NET loaders, is used to evade detection.

The final payload is deployed in memory, bypassing many traditional defenses. The malware then exfiltrates data such as credentials and system information; the researchers also describe AMSI bypass techniques, heavy obfuscation, and anti-VM checks. Organisations are urged to flag and sandbox messages that claim legal obligations or copyright concerns and to deploy memory-scanning EDR/XDR to detect the campaign’s in-memory activity.


Article by CyberSIXT