Attackers Hide Infostealer in Copyright Infringement Notices
Dark Reading
A phishing campaign targeting healthcare, government, hospitality, and education sectors in various countries uses several evasion techniques to avoid detection.
Elizabeth Montalbano, Contributing Writer
March 23, 2026
Attackers are using copyright-infringement notices to target multiple industry sectors in a fileless phishing campaign that delivers data-stealing malware.
The attack — aimed at organizations in critical sectors, including healthcare, government, hospitality, and education — attempts to install PureLog Stealer, a low-cost infostealer considered easy for would-be threat actors to use, according to a report by Trend Micro released Monday.
Primarily, the campaign has targeted healthcare and government organizations in Germany and Canada, "demonstrating selective victimology and a structured, evasive delivery framework rather than simple mass malware distribution," noted Trend Micro threat researchers Mohamed Fahmy, Allixon Kristoffer Francisco, and Jonna Santos in the post. Organizations in the US and Australia were also targeted.
For initial access, attackers rely on phishing emails that lure victims, through a sense of urgency, into downloading a malicious executable tailored to the victim's local language. This targeted delivery bolsters the emails' apparent authenticity and, thus, the attackers' chances of success, according to the researchers.
Victims of the attack believe they are receiving a legal notice informing them of copyright violations; instead, the victims manually execute what looks like a PDF file that begins execution of PureLog via a multistage, in-memory process that uses more than one loader and features a series of evasive maneuvers — including a bypass for Windows Defender's Antimalware Scan Interface (AMSI), anti-virtual machine techniques, and heavy obfuscation.
"The campaign uses a combination of social engineering, staged payload delivery, and in-memory execution to evade both detection and forensic analysis," the researchers noted.
Phishing Attack Designed for Evasion
The attack has been designed from start to finish with particular focus on evading detection by a user or security researchers. Opening the attachment or clicking on the link leads to a compressed archive containing what looks like a benign document, typically a PDF file, as well as supporting files required for execution and a renamed legitimate tool, such as WinRAR, that's used to extract and launch components.
The execution chain features a two-stage loader process: the first loader, which is Python-based, initiates the infection chain with an environment check for sandbox or virtual machine detection. Further decryption of payload components then occurs in two successive .NET loaders, which also serve to obfuscate execution flow and delay full exposure of the payload, according to Trend Micro.
"The Python‑based loader and dual .NET loaders introduce redundancy and fileless execution pathways, ensuring that the final PureLog Stealer payload is launched reliably and without leaving artifacts on disk," the researchers wrote.
PureLog as Final Payload
The malware then retrieves decryption keys from a remote server at runtime as a further evasion tactic, ensuring that the payloads remain encrypted while not in execution mode and preventing security analysts from extracting the final malware without live execution.
This sets up the final deployment of the PureLog payload, which is executed directly in memory — again, leaving scarcely an artifact trail — and bypassing many traditional defenses, the researchers noted. Throughout the entire process, the malware uses AMSI bypass techniques, heavy code obfuscation, and anti-VM and -analysis checks as part of its evasive maneuvers.
Once activated, the PureLog infostealer establishes persistence via registry modifications, captures screenshots, profiles the system, and harvests sensitive data, including Chrome browser credentials, extensions, cryptocurrency wallets, and system information.
Given its stealthy execution and layered delivery, successful compromise of a targeted system can result in credential theft, account takeover, and downstream intrusion activity, the researchers said.
Defend Early and Often
With phishing campaigns getting more complex through targeted social engineering and sophisticated evasion tactics — amid a heated geopolitical environment and an ongoing war — it is more important than ever, especially for organizations in critical industries, to remain highly vigilant against any type of attack.
Trend Micro said the evasion and obfuscation measures of the PureLog campaign, along with the in-memory execution of the malware, emphasize the importance of behavioral detection, network telemetry, and proactive threat hunting. "Overall, this activity reflects a shift away from broad, opportunistic malware distribution toward more selective targeting, with observed victims in government, healthcare, education, and hospitality sectors across multiple countries," the researchers wrote.
To avoid compromise, organizations can set filters to flag or sandbox messages with legal threats and attachments, as well as train users to view any unexpected legal or financial claims that turn up in their inboxes as high risk.
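As an added illustration of the filtering and sandboxing advice above, and of the archive layout described earlier (a document lookalike, supporting files, and a renamed legitimate tool), the following Python script is not code from the article or from Trend Micro's research. It triages a mail attachment the way a gateway rule or a SOC enrichment step could: it inspects ZIP members for executables carrying document-like names, for a renamed copy of a known tool (matched by hash against a trusted-software catalogue), and for a bundled script runtime, then combines those findings with a legal-threat subject check to pick a verdict. The hash catalogue, the runtime file names, and every sample byte string are constructed for the example, and the assumption that a Python-based loader ships with its own interpreter files is mine, not the article's.

```python
"""Attachment triage for legal-threat lures with archived payloads (constructed example)."""
import hashlib
import io
import zipfile

# Name suffixes that read as harmless documents to a user.
DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".txt")
# Suffixes under which a PE image is expected to appear.
PE_SUFFIXES = (".exe", ".dll", ".scr", ".com")
# Anything that runs when double-clicked, used for the double-extension check.
EXECUTABLE_SUFFIXES = PE_SUFFIXES + (".bat", ".cmd", ".js", ".vbs", ".ps1")
# Subject terms matching the legal-threat lure the article describes.
LEGAL_THREAT_TERMS = ("copyright", "infringement", "legal notice")
# Assumption (not from the article): a Python-based loader may ship interpreter files as
# "supporting files"; these names are constructed for the example.
SCRIPT_RUNTIME_NAMES = ("python.exe", "pythonw.exe", "python3.dll")
# Findings that justify quarantine on their own; the rest only escalate to sandboxing.
HIGH_CONFIDENCE = ("double-extension", "pe-with-non-executable-name", "renamed-known-tool")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a legitimate archiver binary; in practice the catalogue maps
# SHA-256 values from a trusted software inventory to their canonical file names.
CONSTRUCTED_TOOL_BYTES = b"MZ" + b"constructed stand-in for a legitimate archiver binary"
KNOWN_TOOLS = {sha256(CONSTRUCTED_TOOL_BYTES): "WinRAR.exe"}


def analyze_archive(archive_bytes, known_tools):
    """Return a list of 'kind:member' findings for the members of a ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.rsplit("/", 1)[-1].lower()
            content = zf.read(info)
            is_pe = content[:2] == b"MZ"  # DOS header magic of a Windows PE image
            parts = lower.split(".")
            # A PE image hiding behind a name that does not announce an executable.
            if is_pe and not lower.endswith(PE_SUFFIXES):
                findings.append(f"pe-with-non-executable-name:{name}")
            # "notice.pdf.exe" shows as "notice.pdf" when extensions are hidden.
            if (len(parts) >= 3 and f".{parts[-2]}" in DOCUMENT_SUFFIXES
                    and f".{parts[-1]}" in EXECUTABLE_SUFFIXES):
                findings.append(f"double-extension:{name}")
            if lower in SCRIPT_RUNTIME_NAMES:
                findings.append(f"bundled-script-runtime:{name}")
            # A known legitimate tool travelling under a different file name.
            canonical = known_tools.get(sha256(content))
            if canonical and lower != canonical.lower():
                findings.append(f"renamed-known-tool:{name}->{canonical}")
    return findings


def triage_message(subject, attachments, known_tools):
    """attachments maps file name to bytes. Returns (verdict, findings)."""
    lure = any(term in subject.lower() for term in LEGAL_THREAT_TERMS)
    findings = []
    for name, data in attachments.items():
        if name.lower().endswith(".zip") and data[:2] == b"PK":
            findings.extend(analyze_archive(data, known_tools))
    if any(f.split(":", 1)[0] in HIGH_CONFIDENCE for f in findings):
        return "quarantine", findings
    # A legal threat with any attachment, or a bundled runtime, is detonated before delivery.
    if (lure and attachments) or findings:
        return "sandbox", findings
    return "deliver", findings


def build_sample_archive(tool_bytes):
    """Constructed archive shaped like the lure: document lookalike, runtime, renamed tool."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Copyright_Notice.pdf.exe", b"MZ" + b"\x00" * 62 + b"constructed stub")
        zf.writestr("support/python3.dll", b"MZ" + b"\x00" * 62 + b"constructed runtime stub")
        zf.writestr("support/helper.exe", tool_bytes)
        zf.writestr("readme.txt", b"Please open the attached notice.")
    return buf.getvalue()


def build_benign_archive():
    """Constructed archive holding only a plain text file, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("minutes.txt", b"Meeting minutes, nothing to see here.")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive(CONSTRUCTED_TOOL_BYTES)
    verdict, found = triage_message("Final notice: copyright infringement",
                                    {"notice.zip": sample}, KNOWN_TOOLS)
    print(verdict)
    for f in found:
        print("  ", f)
```

The `MZ` magic and double-extension checks are cheap and deterministic, so they belong at the mail gateway; the hash catalogue only catches renamed copies of builds already in the inventory, which is why the script escalates to sandboxing rather than delivering when a legal-threat subject arrives with any attachment at all.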
Further down the attack chain, defenders can restrict script and loader execution by disabling or tightly controlling unauthorized Python execution on endpoints; using application allowlisting to approve only certain scripts or binaries; and monitoring for suspicious use of legitimate tools. Finally, to detect the campaign's in-memory execution and fileless activity, organizations should deploy EDR/XDR with memory scanning and behavioral detection.
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.