Attackers Hide Infostealer in Copyright-Infringement Notices
Why It Matters
The attack demonstrates advanced social‑engineering and fileless techniques that evade traditional defenses, raising the risk profile for high‑value sectors. It underscores the need for behavior‑based detection and heightened user awareness.
Key Takeaways
- Campaign disguises malware as copyright infringement PDFs.
- Targets healthcare, government, hospitality, education in several nations.
- Uses multi‑stage, in‑memory loaders to deliver PureLog.
- Bypasses Windows Defender AMSI and VM detection.
- Demonstrates rising fileless phishing sophistication.
Pulse Analysis
Fileless phishing campaigns have become a preferred vector for threat actors seeking to slip past traditional endpoint defenses. The latest operation, uncovered by Trend Micro, leverages copyright‑infringement notices to lure victims into opening what appears to be a PDF legal warning. By tailoring the email language to the recipient’s locale, the attackers increase credibility and boost click‑through rates. This social‑engineering twist mirrors a broader shift toward context‑aware lures, where malicious payloads are hidden behind seemingly legitimate regulatory communications. Such campaigns exploit the trust placed in regulatory correspondence, making them especially dangerous for compliance‑focused enterprises.
The payload itself is PureLog Stealer, a low‑cost infostealer that harvests credentials, browser data, and system information. Delivery relies on a two‑stage loader chain: an initial Python‑based component performs sandbox checks before decrypting two successive .NET loaders. This architecture enables full in‑memory execution, leaving minimal forensic artifacts on disk. Moreover, the code incorporates specific bypasses for Windows Defender’s Antimalware Scan Interface, as well as anti‑virtual‑machine tricks and heavy obfuscation, allowing the malware to remain invisible to many conventional security products. The in‑memory design also complicates incident response, as traditional file‑hash hunting yields few leads.
The targeting of healthcare, government, hospitality and education institutions across Germany, Canada, the United States and Australia underscores the campaign’s strategic focus on high‑value data environments. Organizations that rely on legacy email filters or signature‑based AV solutions may find themselves exposed to this fileless approach. To mitigate the risk, security teams should adopt behavior‑based detection, enforce strict attachment sandboxing, and conduct regular phishing awareness training that highlights atypical legal‑notice lures. As attackers continue to refine multi‑loader, in‑memory techniques, a layered defense model becomes essential for protecting critical assets. Investing in threat‑intel sharing platforms can further accelerate detection of emerging loader patterns across sectors.
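One concrete piece of the "strict attachment sandboxing" advice above is to stop trusting the file extension a lure arrives with. The following is an added defensive example, not code from Trend Micro or from the article: it inspects an attachment's leading bytes and quarantines anything that calls itself a PDF but does not start with the `%PDF-` signature, or that carries executable content under any name. The attachment names and byte strings are constructed for illustration; the article gives no file names or samples, and the assumption that the lure attachments are misnamed non-PDF files is ours.

```python
# Added defensive example (not from Trend Micro or the original article).
# Flags mail attachments whose declared ".pdf" extension does not match the
# file's actual content. Assumes only that a genuine PDF starts with "%PDF-".
from dataclasses import dataclass

# Leading bytes of a few formats that commonly arrive disguised as documents.
KNOWN_MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe-executable",       # Windows PE (.exe/.dll/.scr)
    b"\x7fELF": "elf-executable",
    b"PK\x03\x04": "zip-container",  # zip, also docx/xlsx/jar wrappers
}

EXECUTABLE_TYPES = {"pe-executable", "elf-executable"}


@dataclass
class Verdict:
    filename: str
    declared: str    # extension the sender chose
    detected: str    # type inferred from content
    quarantine: bool
    reason: str


def detect_type(data: bytes) -> str:
    """Return a coarse content type from the file's magic bytes."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def declared_type(filename: str) -> str:
    """Lower-cased final extension; 'notice.pdf.exe' declares 'exe'."""
    lowered = filename.lower()
    if "." not in lowered:
        return ""
    return lowered.rsplit(".", 1)[1]


def check_attachment(filename: str, data: bytes) -> Verdict:
    declared = declared_type(filename)
    detected = detect_type(data)
    if declared == "pdf" and detected != "pdf":
        # The lure case: looks like a legal notice, is something else.
        return Verdict(filename, declared, detected, True,
                       "extension claims PDF but content is " + detected)
    if detected in EXECUTABLE_TYPES:
        # Executable content is quarantined regardless of the name used.
        return Verdict(filename, declared, detected, True,
                       "executable content in attachment")
    if ".pdf." in filename.lower():
        # Double extensions are a classic disguise even when content is benign.
        return Verdict(filename, declared, detected, True,
                       "double extension hides real type")
    return Verdict(filename, declared, detected, False, "ok")


def triage(attachments):
    """Return the file names that should be held for sandbox analysis."""
    return [v.filename for v in
            (check_attachment(name, data) for name, data in attachments)
            if v.quarantine]


# Constructed sample attachments (illustrative only, not real samples).
SAMPLE_ATTACHMENTS = [
    ("Copyright_Notice_2024.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"),
    ("Copyright_Notice_2024.pdf", b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"),
    ("DMCA_Claim.pdf", b"PK\x03\x04\x14\x00\x00\x00\x08\x00"),
    ("legal_notice.pdf.exe", b"MZ\x90\x00"),
    ("invoice.txt", b"Plain text body, nothing to see"),
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        v = check_attachment(name, data)
        print(f"{v.filename:28} declared={v.declared:4} detected={v.detected:15}"
              f" quarantine={v.quarantine} ({v.reason})")
```

This check is cheap enough to run at the mail gateway before any sandbox detonation, and it catches the mismatch without needing a signature for the payload, which is the point when the later stages execute only in memory.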