PureLogs Infostealer Hides Malware Inside Cat Photos to Steal Australian Passwords
A new phishing campaign is using a steganography loader called PawsRunner to smuggle the PureLogs infostealer inside PNG images — including cat photos. Fortinet researchers published their technical analysis in May 2026 confirming that Australian organisations are among the campaign's targets. PureLogs is designed to harvest browser-saved passwords, session cookies, cryptocurrency wallet credentials, and authentication tokens. If your team or household relies on saved passwords in Chrome, Edge, or Firefox, this campaign is a direct threat.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
What Is the PureLogs PawsRunner Campaign?
The PureLogs infostealer has been sold on underground forums since 2022 by a developer known as PureCoder. What makes the May 2026 campaign distinctive is its delivery mechanism: a multi-stage loader called PawsRunner that uses steganography to conceal an encrypted malicious payload inside ordinary PNG images.
Fortinet's FortiGuard Labs published a detailed technical breakdown on 19 May 2026. The campaign begins with a phishing email carrying a TXZ archive and an invoice-themed lure designed to pressure recipients into opening it quickly. This is a deliberate social engineering choice — urgency triggers faster, less considered responses than a calm, routine message would.
Inside the archive is a JavaScript file. When executed, it stores malicious commands in process environment variables and launches a hidden PowerShell session. That session decodes, decrypts, and decompresses a .NET assembly: PawsRunner.
PawsRunner's job is to fetch a seemingly benign PNG image from a remote server — in at least one campaign variant, the image was retrieved from Internet Archive (archive.org), a legitimate content-delivery platform that most corporate firewalls will not block. The loader decrypts a download URL using RC4 encryption, retrieves the image, then extracts the PureLogs payload hidden within the image's pixel data.
The steganography technique is effective precisely because PNG images traversing a corporate network look completely legitimate. Firewalls and web proxies that flag executables or encrypted blobs routinely pass image files through without scrutiny. By the time the hidden payload is extracted and executed on the target's machine, there is nothing obviously suspicious in the network logs to trigger an alert.
Previous campaign variants, documented by Swiss Post Cybersecurity, used similar image-based concealment — the consistent "cat photo" visual in the loader's application icon is what gave the technique its name in threat-intelligence circles. The consistency of this method across multiple campaign waves suggests a sophisticated, ongoing operation, not a one-off experiment.
Trend Micro has also documented separate PureLogs campaigns using copyright infringement notices as lures — a legal-threat framing that creates urgency through fear of liability. Help Net Security's May 2026 reporting on the campaign confirms the malware is actively being developed and deployed, with new delivery variants appearing as defenders adapt to earlier variants.
Why Australian Organisations Are in the Crosshairs
Australia is explicitly named as a target country in both Fortinet's analysis and independent research from Capstone Technologies Group. Primary targets across all PureLogs campaign waves have included healthcare and government organisations in Germany and Canada, with organisations in the United States and Australia also affected. That makes this campaign relevant to any Australian business operating a Windows environment — which covers the vast majority of Australian SMBs.
The broader infostealer threat to Australia is well documented. A separate analysis by pen-testing firm Dvuln, reported in Infosecurity Magazine, found that more than 30,000 Australian banking credentials had been harvested by infostealer malware from logs collected over several years. Those credentials included records from customers of major Australian banks, and some individual records were being sold on dark web marketplaces for less than five dollars. The Dvuln findings establish that Australia is not on the periphery of infostealer operations — it is an active, profitable target.
The business profile of PureLogs targets is also telling. Capstone Technologies Group's threat intelligence noted the campaign has been used against professional services firms globally. In Australia, professional services — accountants, solicitors, financial advisers, real estate agencies — are high-value credential targets that are, relative to large enterprises, less likely to operate mature endpoint detection and response capabilities. That gap is what makes infostealer campaigns consistently effective in this sector.
The PureLogs payload specifically targets environments where users store credentials in browsers. Chrome, Edge, and Firefox all maintain local password vaults, and PureLogs has the capability to decrypt and exfiltrate those stored credentials. For organisations where staff use the same browser profile across personal and work accounts — common in small businesses — a single compromised machine can yield credentials to business banking, cloud platforms, client portals, and internal systems simultaneously.
The timing of the May 2026 disclosure matters: Fortinet's analysis indicates PawsRunner is still actively being deployed. This is not a historical threat requiring retrospective action — it is an ongoing campaign that Australian organisations and individuals need to address now.
How the Attack Chain Works: From Phishing Email to Stolen Credentials
Understanding how PureLogs reaches a target's machine — and what it does once there — helps organisations identify the most effective points to intervene. The attack has three distinct stages, each designed to evade a different class of security control.
Stage 1: The Phishing Lure
The entry point is a phishing email. The lure is typically invoice-themed, using language designed to create urgency: an overdue payment, a pending order confirmation, a time-sensitive notification that requires the recipient to open the attachment immediately. The archive format is TXZ — a tar archive compressed with XZ — which is less common than ZIP or RAR. Legacy email filtering rules that only scan for .zip or .exe attachments may allow TXZ files through without inspection, particularly on mail gateways that have not been updated to include less common archive formats in their quarantine policies.
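An added example, not part of Fortinet's analysis: a Python check a mail gateway could run on each decoded attachment. It identifies the container by magic bytes rather than the filename extension, so a TXZ lure is caught even when renamed, and lists any script files inside the archive in memory. The sample archive and its member name are constructed for the demonstration.

```python
import io
import lzma
import tarfile

# Magic bytes for common archive containers, checked regardless of the file extension.
MAGIC = {
    b"\xfd7zXZ\x00": "xz",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
UNCOMMON = {"xz", "7z"}  # rare in routine business mail; route to human review
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".cmd", ".bat")

def container_type(data: bytes) -> str:
    """Identify the container by its leading bytes ("unknown" if nothing matches)."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), "unknown")

def script_members_in_txz(data: bytes) -> list:
    """Decompress an xz blob in memory and list tar members that are script files."""
    try:
        with tarfile.open(fileobj=io.BytesIO(lzma.decompress(data)), mode="r:") as tar:
            return [m.name for m in tar.getmembers()
                    if m.isfile() and m.name.lower().endswith(SCRIPT_EXT)]
    except (lzma.LZMAError, tarfile.TarError):
        return []  # corrupt or not a tar: nothing to list, magic-byte verdict still applies

def assess_attachment(filename: str, data: bytes) -> dict:
    """Quarantine verdict for one attachment: uncommon container, extension mismatch, scripts."""
    kind = container_type(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    reasons = []
    if kind in UNCOMMON:
        reasons.append(f"uncommon archive container ({kind})")
    if kind == "xz" and ext not in ("xz", "txz"):
        reasons.append(f"extension .{ext} does not match xz content")
    scripts = script_members_in_txz(data) if kind == "xz" else []
    if scripts:
        reasons.append("archive contains script file(s): " + ", ".join(scripts))
    return {"filename": filename, "container": kind, "scripts": scripts,
            "quarantine": bool(reasons), "reasons": reasons}

def build_sample_txz(member_name: str, payload: bytes) -> bytes:
    """Constructed test input: a one-member tar compressed with xz, standing in for the lure."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        info = tarfile.TarInfo(member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Call `assess_attachment(name, data)` on every MIME part after decoding; `build_sample_txz` exists only to construct a test input such as `build_sample_txz("Invoice_4471.js", b"// placeholder")`.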
Trend Micro has documented separate PureLogs campaigns where the lure is a copyright infringement notice: the recipient is told they have violated a copyright and must open the attached "evidence" or risk legal action. Both lure types share the same goal — override careful decision-making with a sense of urgency or threat.
Stage 2: PawsRunner and the Steganography Decode
Once the JavaScript inside the archive is executed, the loading process begins. The script stores encrypted commands in process environment variables rather than passing them as command-line arguments, a technique that keeps the payload out of the process command line that many detection tools log and inspect. A hidden PowerShell session then reads those variables, decodes a Base64 blob, decrypts it, and decompresses the .NET assembly that is PawsRunner.
PawsRunner's role is to fetch and decode the final payload. It decrypts a URL using RC4 encryption, makes an outbound HTTPS request to retrieve a PNG image, then applies its steganography-decoding logic to extract the PureLogs executable hidden within the image's pixel data. The PNG is a valid image that visually renders normally — in the Fortinet-documented variant, it displays a cat. From a network monitoring perspective, the observable events are: a PowerShell process and an outbound HTTPS request for an image file. Neither is inherently suspicious without behavioural context.
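An added detection example, not code from Fortinet's report or from the loader itself: a Python rule run over constructed Sysmon-style process-creation events. It flags a PowerShell process spawned by the Windows Script Host (assumed here to be the host for a double-clicked .js file) whose command line references an environment variable, a Base64 decode and an in-memory assembly load. The event field names, paths and command lines are constructed for the demonstration.

```python
import re

# Constructed Sysmon-style process-creation events; not telemetry from the real campaign.
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\jo\Downloads\Invoice_4471.js"'},
    {"id": 2, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -nop -w hidden -c "$d=[Convert]::FromBase64String($env:PAWS);'
            '[Reflection.Assembly]::Load($d)"'},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")   # hosts for a double-clicked .js file
SHELLS = ("powershell.exe", "pwsh.exe")
# One indicator per step the loader performs: hidden window, payload read from an
# environment variable, Base64 decode, in-memory .NET assembly load.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "env_var_payload": re.compile(r"\$env:\w+|%\w+%", re.I),
    "base64_decode": re.compile(r"FromBase64String|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "assembly_load": re.compile(r"Assembly\]::Load\b|Reflection\.Assembly", re.I),
}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev: dict):
    """For a PowerShell event return (matched indicators, spawned by a script host); else None."""
    if basename(ev["image"]) not in SHELLS:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(ev["cmd"])]
    return hits, basename(ev["parent"]) in SCRIPT_HOSTS

def flag_events(events: list, min_hits: int = 2) -> list:
    """Flag PowerShell launched by a script host with at least min_hits loader indicators.
    The encrypted payload itself never appears on the command line (it sits in environment
    variables, which Sysmon does not log by default), so the rule keys on the reference to
    $env: plus the parent-child relationship rather than on the blob."""
    flagged = []
    for ev in events:
        result = score_event(ev)
        if result is not None and result[1] and len(result[0]) >= min_hits:
            flagged.append({"id": ev["id"], "indicators": result[0]})
    return flagged

if __name__ == "__main__":
    print(flag_events(EVENTS))  # only event 2 is flagged, with all four indicators
```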
Stage 3: PureLogs — What It Steals
Once installed, PureLogs targets a broad range of sensitive data. According to Fortinet's analysis, the malware harvests: browser-saved passwords and autofill data from Chromium-based browsers (Chrome, Edge, Brave) and Firefox; session cookies and authentication tokens; cryptocurrency wallet browser extensions including MetaMask, SafePal, and Trust Wallet; and credentials stored in password manager browser extensions including Bitwarden, LastPass, and 1Password.
The inclusion of session cookies is significant. Modern multi-factor authentication (MFA) typically only challenges a user at initial login — subsequent actions within the same session are authorised via a cookie or token. When PureLogs harvests those cookies, the attacker captures authentication that has already passed MFA verification. They can then replay that cookie from a completely different device and location without triggering a new MFA challenge. This is not a theoretical bypass: it is the mechanism behind multiple high-profile account takeovers in 2025 and 2026.
What to Do Right Now: Practical Steps for Australians
The most important immediate action is to stop storing passwords in your browser. Chrome, Edge, and Firefox password managers are convenient, but they store credentials in a format that PureLogs — and many other infostealers — can decrypt on a compromised machine. This is not a theoretical risk; it is the specific attack path that PureLogs is designed to exploit.
Migrating to a dedicated password manager moves your credentials out of the browser's local storage and into an encrypted vault that requires separate authentication. NordPass uses zero-knowledge encryption, meaning your passwords are stored in a form that cannot be read by the service itself, and the local application does not expose credentials through the same surface that PureLogs targets in browser storage. For Australian SMBs whose staff use a mix of personal and work devices, a dedicated password manager also enforces credential hygiene — unique passwords per account — that browser-based storage does not actively encourage.
Beyond the password manager, the following steps address different points in the PureLogs attack chain:
Patch and update browsers immediately. Infostealer campaigns often take advantage of credential-storage implementations in older browser versions. Chrome, Edge, and Firefox push silent updates by default, but users who have disabled auto-update are accepting unnecessary risk. Check that auto-update is active on every machine in your environment.
Deploy endpoint protection with behavioural detection. Signature-based antivirus will not catch PawsRunner reliably. The loader uses living-off-the-land techniques — PowerShell, environment variables, .NET assembly loading — that are indistinguishable from legitimate administrative activity by signature alone. Endpoint detection and response (EDR) tools that analyse what a process does, not just what it is, have a much higher detection rate for this class of attack.
Configure email filtering to flag unusual archive formats. TXZ attachments are uncommon in legitimate Australian business email. An email security gateway configured to quarantine less common archive types creates an opportunity for human review before a payload can be executed.
Enable session management controls in your cloud platforms. Google Workspace, Microsoft 365, and most cloud SaaS platforms now support continuous access evaluation, which can invalidate stolen session cookies when a session is detected from an unusual location or device. Enabling this does not stop credential theft, but it limits how far an attacker can get with a stolen token before the session is terminated.
Brief your team on the specific lure types. Invoice urgency and copyright infringement notices are the two documented PureLogs lure formats. A brief, specific message to your team — "we will never send you an overdue invoice in a TXZ archive" — costs almost nothing and can break the social engineering component of the attack before it reaches the technical stage.
The Bigger Picture: Infostealers and Australia's Credential Security Problem
The PureLogs campaign does not exist in isolation. Infostealers as a category have become the dominant initial-access tool for cybercriminals targeting Australian businesses, and the economics are straightforward: a single compromised machine in a professional services firm can yield dozens of credentials across banking portals, cloud services, and client platforms. Those credentials are sold on dark web marketplaces, used directly for account takeover, or packaged into access-broker offerings for ransomware groups who pay for pre-validated entry points.
The Dvuln research reported by Infosecurity Magazine quantified what this looks like for Australia's financial sector: more than 30,000 banking credentials from major Australian banks, harvested from infostealer logs over a multi-year period, with individual records selling for less than five dollars. That figure is a floor, not a ceiling — infostealer activity is not declining.
What makes the current environment distinctly difficult for defenders is that MFA has become a false sense of security for organisations that have not moved beyond it. Infostealers, including PureLogs, specifically target session cookies — authentication artefacts that exist because MFA has already been completed. Once an attacker has a valid session cookie, they can access an account from a different device and geographic location without triggering a new MFA challenge. The ACSC's Essential Eight framework includes MFA as a mitigation strategy, but the framework's intent is for organisations to pair MFA with other controls — not to treat it as a terminal defence.
The Australian Cyber Security Centre consistently emphasises that credential security requires layered controls: application control to prevent unauthorised executables, patch management to close known credential-storage vulnerabilities, MFA as a baseline, and user awareness as the first line of detection for social engineering. PureLogs is a concrete illustration of why each layer matters: it evades signature detection (layer 1), exploits browser credential storage (layer 2), and uses social engineering to get its first foothold (layer 3).
For Australian individuals — particularly those managing self-managed super funds, running small businesses, or handling client financial information — the practical implication is the same as for organisations. The browser password manager that saves a few seconds per login is the most vulnerable point PureLogs will encounter on a compromised machine. Moving credentials to a dedicated encrypted vault is not a configuration exercise reserved for IT departments; it is a fifteen-minute task available to any individual user, and it removes the primary target from the attacker's reach.
PureLogs will not be the last infostealer campaign to target Australian credentials. The delivery mechanism in this campaign — steganography concealing a payload inside a legitimate image hosted on a legitimate CDN — was specifically chosen because it evades existing controls that defenders built in response to earlier campaigns. Attacker techniques evolve to exploit whatever defenders have left unaddressed. The appropriate response is not to wait for the next wave and patch reactively, but to remove the most commonly exploited assets — browser-stored credentials — from the equation entirely.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.