PROBABLYPWNED
Malware | March 26, 2026 | 4 min read

Copyright Phishing Delivers PureLog Stealer to Healthcare, Gov

Fake copyright infringement notices target healthcare and government organizations in Germany and Canada with fileless PureLog Stealer malware. Campaign uses language-matched lures.

James Rivera

A targeted phishing campaign is deploying PureLog Stealer through fake copyright infringement notices, primarily hitting healthcare and government organizations in Germany and Canada. The operation uses language-matched lures and fileless execution techniques that complicate detection and forensic analysis.

Trend Micro researchers documented the multi-stage attack chain, noting the campaign's selective targeting and structured evasion framework. The choice of copyright violation themes proves effective because recipients often feel compelled to respond to potential legal threats.

How the Attack Works

The campaign begins with convincing phishing emails that appear to be copyright violation notices. These aren't generic spam blasts—the threat actors craft messages in the recipient's native language and tailor content to the target organization's industry.

When victims click the attachment or link, they trigger a multi-stage loader sequence:

  1. A Python-based initial loader executes
  2. Dual .NET loaders deploy in sequence
  3. PureLog Stealer runs entirely in memory

The fileless approach means the malware never writes its primary payload to disk, evading many endpoint detection solutions that rely on file scanning. This mirrors techniques we've seen in other sophisticated campaigns targeting enterprises.

Why Copyright Lures Work

Copyright infringement notices trigger strong psychological responses. Recipients worry about legal consequences, potential fines, or professional embarrassment. This urgency overrides normal caution about suspicious emails.

The tactic works especially well against organizations that regularly handle intellectual property or creative content—exactly the profile that describes many healthcare communications teams and government agencies managing public-facing materials.

For a deeper understanding of how attackers manipulate victims through psychological pressure, our social engineering guide breaks down these manipulation techniques.

What PureLog Steals

Once active, PureLog establishes persistence through registry modifications and begins systematic data theft:

  • Browser credentials from Chrome and other Chromium-based browsers
  • Browser extensions including password managers and crypto wallets
  • Cryptocurrency wallet data from desktop applications
  • System screenshots capturing visible content at infection time
  • System profiles including hardware information and installed software

The stealer represents a relatively low-cost option in the malware-as-a-service ecosystem, making it accessible to operators without deep technical expertise. Despite its affordability, PureLog's capabilities rival more expensive alternatives.

Target Selection

The campaign's focus on healthcare and government sectors in Germany and Canada suggests specific operational objectives rather than opportunistic crime. These sectors hold:

  • Patient medical records and personal health information
  • Government employee credentials and internal communications
  • Access to sensitive infrastructure and systems
  • High-value data for secondary exploitation or sale

Healthcare organizations continue facing elevated threat levels in 2026. The wave of breaches affecting millions of patients demonstrates why threat actors consider the sector attractive despite increased regulatory scrutiny.

Detection Guidance

The fileless execution chain requires behavior-based detection rather than signature scanning. Security teams should monitor for:

  1. Python interpreter spawning from Office applications - The initial loader often executes through document macros
  2. .NET assembly loading from non-standard paths - The dual loader stage uses unusual execution contexts
  3. Registry modifications for persistence - PureLog writes specific keys to survive reboots
  4. Screenshot capture API calls - The malware uses standard Windows APIs for screen capture
  5. Connections to unfamiliar C2 infrastructure - Exfiltration occurs over HTTPS to attacker-controlled servers
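
One way to turn the first three indicators and the last one into behaviour-based detection logic, as an added example that is not part of the original article or of Trend Micro's research: the script below walks constructed Sysmon-style process-creation, image-load, registry and network events (field names such as EventID, ProcessGuid, Image, ParentImage, ImageLoaded and TargetObject follow Sysmon conventions as an assumption; every path, GUID, SID and IP address is made up) and flags an Office application spawning a Python interpreter, a process that has loaded the CLR then loading a DLL from a user-writable path, a write under a Run key, and an outbound connection from the interpreter. The screenshot-API indicator is left out because ordinary process telemetry does not record GDI calls; that one needs API-level instrumentation.

```python
"""Behaviour-based triage of constructed Sysmon-style endpoint events.

Added example, not the article's or the vendor's detection logic. The event
records are constructed for illustration; field names follow Sysmon
conventions as an assumption, and all paths, GUIDs, SIDs and IPs are made up.
"""
import ntpath
import re
from typing import Dict, List

Event = Dict[str, object]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
# Runtime DLLs whose load marks a process as hosting .NET code.
CLR_IMAGES = {"clr.dll", "coreclr.dll", "mscoree.dll"}
# User-writable locations a legitimate .NET assembly rarely loads from.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData)\\", re.IGNORECASE)
# Autostart keys commonly written to survive reboots.
RUN_KEYS = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def basename(path: object) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(str(path)).lower()


class Triage:
    """Evaluates events in time order, keeping just enough per-process state
    to tell a .NET host apart from any other process."""

    def __init__(self) -> None:
        self.clr_hosts: set = set()            # ProcessGuids that loaded the CLR
        self.findings: List[Dict[str, str]] = []

    def _flag(self, rule: str, ev: Event, evidence: str) -> None:
        self.findings.append({"rule": rule,
                              "ProcessGuid": str(ev.get("ProcessGuid", "")),
                              "evidence": evidence})

    def process(self, ev: Event) -> None:
        eid = ev.get("EventID")
        if eid == 1:                            # process creation
            if (basename(ev.get("ParentImage")) in OFFICE_PARENTS
                    and basename(ev.get("Image")) in PYTHON_IMAGES):
                self._flag("office_spawns_python", ev,
                           f"{ev['ParentImage']} -> {ev['Image']}")
        elif eid == 7:                          # image load
            loaded = str(ev.get("ImageLoaded", ""))
            guid = ev.get("ProcessGuid")
            if basename(loaded) in CLR_IMAGES:
                self.clr_hosts.add(guid)
            elif (guid in self.clr_hosts and loaded.lower().endswith(".dll")
                    and USER_WRITABLE.search(loaded)):
                # An assembly handed to Assembly.Load(byte[]) never produces an
                # image-load event, so this only catches stages that touch disk.
                self._flag("dotnet_assembly_from_user_path", ev, loaded)
        elif eid == 13:                         # registry value set
            target = str(ev.get("TargetObject", ""))
            if RUN_KEYS.search(target):
                self._flag("run_key_persistence", ev, target)
        elif eid == 3:                          # network connection
            if basename(ev.get("Image")) in PYTHON_IMAGES:
                self._flag("python_outbound_connection", ev,
                           f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}")


def triage(events: List[Event]) -> List[Dict[str, str]]:
    """Run all rules over an ordered event list and return the findings."""
    t = Triage()
    for ev in events:
        t.process(ev)
    return t.findings


# Constructed sample telemetry: one suspicious process ({A}), two benign ones.
PY = r"C:\Users\jdoe\AppData\Local\Programs\Python\Python311\python.exe"
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": PY,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 7, "ProcessGuid": "{A}", "Image": PY,
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "ProcessGuid": "{A}", "Image": PY,
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\stage2.dll"},
    {"EventID": 13, "ProcessGuid": "{A}", "Image": PY,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 3, "ProcessGuid": "{A}", "Image": PY,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{C}", "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']:32} {f['ProcessGuid']}  {f['evidence']}")
```

The .NET rule depends on having seen the CLR load first, so events must be fed in time order. Because an assembly passed to Assembly.Load(byte[]) never shows up as an image load, only a stage written to disk can trip that rule, which is the point the article makes about file scanning versus behaviour. The interpreter-network rule will need an allowlist wherever Python is used legitimately.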

Organizations in the targeted sectors should also conduct user awareness training specifically around legal-themed phishing. Staff who handle copyright matters should know how to verify legitimate complaints through official channels rather than clicking email links.

Why This Matters

The combination of sector-specific targeting, language-matched lures, and fileless execution indicates a well-resourced operation. Whether the motivation is financial (credential theft for sale) or strategic (targeting government systems), the operational discipline suggests this isn't a spray-and-pray campaign.

Healthcare and government security teams in Germany and Canada should treat this as an active threat. The copyright violation theme will likely expand to other regions as operators refine their playbook.

For organizations concerned about phishing threats, reviewing real-world phishing examples can help train staff to recognize suspicious messages before they click.
