
Threat Actor Characterization

PureLog Stealer

ID: dce4ea460c69a84b029cf6527ab7d49584199
Crimeware Spyware/Stealer
Threat types: Cybercrime, Information Stealer, Malware
Origin: Unknown · Countries: AUS, CAN, DEU, USA
Updated: 2026-03-25
Created: 2026-03-23
Progress: 91% Completeness: 92% Freshness: 90%
Operation zone: Australia, Canada, Germany, United States
Aliases (2 of 5 shown in preview): PureCoder, PureLog
MITRE ATT&CK®

PureLog Stealer (PureLogs) is a commodity Windows information stealer associated with the broader PureCoder malware ecosystem. Public reporting since 2022 links it to low-cost criminal sales, browser and wallet data theft, and more recent selective campaigns using staged, fileless, or in-memory execution.


Techniques observed (technique ID, technique name, tactic, evidence):

T1566.001 Spearphishing Attachment [TA0001]
  • 2022-12-27 — Cyble described a malicious spam campaign targeting Italian users with PureLogs delivery.
  • 2026-03-19 — Trend Micro documented highly targeted, language-matched lures disguised as legal copyright violation notices.
T1204.002 Malicious File [TA0002]
  • 2026-03-19 — Users are tricked into executing a disguised malicious file presented as a copyright complaint notice.
  • 2026-01-19 — Swiss Post described a malicious JScript file initiating the PURELOGS chain after user execution.
T1059.001 PowerShell [TA0002]
  • 2026-01-19 — PowerShell was used to decode and execute the staged payload in memory after the JScript loader ran.
  • 2025-09-16 — INFERENCE (confidence: medium): Pure family campaigns described by Check Point include malicious PowerShell as part of delivery and execution chains, supporting similar use around PureLog deployments.
T1059.007 JavaScript [TA0002]
  • 2026-01-19 — Swiss Post explicitly described a Windows Script Host JScript file as the initial access and staging component.
T1027 Obfuscated Files or Information [TA0005]
  • 2024-10-10 — Flashpoint described PureLogs as using multiple stages of assemblies packed with .NET Reactor.
  • 2026-01-19 — Swiss Post observed ConfuserEx, .NET Reactor, custom virtualization, encrypted strings, XOR, and 3DES-related protection in PURELOGS analysis.
T1105 Ingress Tool Transfer [TA0011]
  • 2026-03-19 — Trend Micro reported staged retrieval of an encrypted payload and a separate remotely retrieved password / key from attacker-controlled infrastructure.
  • 2026-01-19 — Swiss Post described downloading a payload-bearing PNG from archive.org as part of the infection chain.
T1547.001 Registry Run Keys / Startup Folder [TA0003, TA0004]
  • 2026-03-19 — Trend Micro reported persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name 'SystemSettings'.
  • 2026-03-19 — Trend Micro IOC companion file records the Run-key persistence value and associated fake svchost path.
T1113 Screen Capture [TA0009]
  • 2026-03-19 — Trend Micro stated that screenshot capture was integrated into the loader for stealth and intelligence gathering.
T1082 System Information Discovery [TA0007]
  • 2024-10-10 — Flashpoint mapped PureLogs to System Information Discovery and described system data collection as part of the malware’s scope.
  • 2026-03-19 — Trend Micro reported victim fingerprinting and system information harvesting in the observed campaign.
T1555.003 Credentials from Web Browsers [TA0006]
  • 2022-12-27 — Cyble reported that PureLogs targets browser passwords, cookies, history, autofill, and extensions.
  • 2026-03-19 — Trend Micro reported Chrome browser credentials and extensions among the harvested data.
T1005 Data from Local System [TA0009]
  • 2022-12-27 — Cyble documented PureLogs’ theft of browser, wallet, FTP, email, VPN, and additional local application data.
  • 2026-01-19 — Swiss Post described modular collection against multiple local applications including Telegram, Signal, Outlook, and VPN tools.
T1071.001 Web Protocols [TA0011]
  • 2024-10-10 — Flashpoint mapped PureLogs to Application Layer Protocol for command-and-control and exfiltration.
  • 2026-03-19 — Trend Micro reported HTTPS POST exfiltration of collected JSON data to the C2 server.
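As an added example (not code from this profile, the iQBlack CTI team, or any of the vendors cited above), the Python hunt below turns two evidence items from the table into checks over endpoint telemetry: a Run-key value named 'SystemSettings' under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001, Trend Micro) and PowerShell launched by Windows Script Host, the JScript-to-PowerShell staging chain Swiss Post described (T1059.007 to T1059.001). All hosts, paths and events are constructed in a Sysmon-like shape; reading "fake svchost path" as an svchost.exe that lives outside %SystemRoot%\System32 is an assumption of this example, not something the page states.

```python
"""Hunt for two PureLog-associated behaviours over endpoint telemetry.

Constructed example: the events below are made up in a Sysmon-like shape
(registry value set, process create) and are not telemetry from any report
cited on this page.
"""
import json
import re

# Run-key persistence: the value name 'SystemSettings' comes from the Trend
# Micro evidence above. Treating "fake svchost path" as svchost.exe running
# from outside %SystemRoot%\System32 is an assumption made for this example.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE
)
SYSTEM32_PREFIX = "c:\\windows\\system32\\"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (hypothetical hosts, paths and values).
SAMPLE_EVENTS = [
    {"event": "registry_set", "host": "WS01",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemSettings",
     "data": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"},
    {"event": "registry_set", "host": "WS02",
     "image": "C:\\Program Files\\Vendor\\setup.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "data": "C:\\Program Files\\Vendor\\tray.exe"},
    {"event": "process_create", "host": "WS01",
     "parent_image": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <redacted>"},
    {"event": "process_create", "host": "WS03",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe Get-Process"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def check_run_key(ev: dict) -> list[str]:
    """Reasons a registry_set event looks like PureLog-style Run-key persistence."""
    m = RUN_KEY_RE.search(ev.get("key", ""))
    if not m:
        return []
    value_name, data = m.group(1), ev.get("data", "")
    reasons = []
    if value_name.lower() == "systemsettings":
        reasons.append("Run value name 'SystemSettings' (Trend Micro, 2026-03-19)")
    if basename(data) == "svchost.exe" and not data.lower().startswith(SYSTEM32_PREFIX):
        reasons.append("svchost.exe outside System32 (assumed 'fake svchost' pattern)")
    return reasons


def check_script_host_chain(ev: dict) -> list[str]:
    """Reasons a process_create event matches the JScript -> PowerShell staging chain."""
    parent, child = basename(ev.get("parent_image", "")), basename(ev.get("image", ""))
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        return ["PowerShell spawned by Windows Script Host (Swiss Post, 2026-01-19 chain)"]
    return []


def hunt(events: list[dict]) -> list[dict]:
    """Run both checks over the events; one finding per matching event."""
    findings = []
    for ev in events:
        if ev.get("event") == "registry_set":
            technique, reasons = "T1547.001", check_run_key(ev)
        elif ev.get("event") == "process_create":
            technique, reasons = "T1059.001", check_script_host_chain(ev)
        else:
            continue
        if reasons:
            findings.append({"host": ev["host"], "technique": technique,
                             "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

On the constructed input the hunt flags WS01 twice (the Run-key write with both reasons, and the wscript.exe to powershell.exe launch) and ignores the vendor installer on WS02 and the interactive PowerShell on WS03. The value-name check is the campaign-specific signal and will age quickly; the svchost-outside-System32 and script-host-parent checks are the durable ones worth keeping in a baseline.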
Strategic Intelligence
Last updated: 2026-03-24T03:03:29+00:00
PureLog Stealer — Commodity infostealer within the PureCoder malware ecosystem

Classification: TLP:WHITE - Open Source Intelligence (OSINT)

Category: Cybercrime / Information Stealer / Malware Ecosystem - Origin: Unknown

Author: iQBlack CTI Team


Executive Summary

PureLog Stealer (also referred to in public reporting as PureLogs) is a commodity Windows information stealer associated with the wider “Pure” malware ecosystem marketed and maintained by the operator or developer alias “PureCoder.” Public reporting since 2022 consistently places PureLog in a low-cost criminal tooling stack that also includes PureCrypter, PureHVNC / PureRAT, PureMiner, and related loaders or distribution components. The available evidence supports treating PureLog primarily as a malware product and criminal service component rather than as a single actor or tightly bounded intrusion set.


Operationally, PureLog’s value proposition is straightforward: steal browser credentials and browser artifacts, cryptocurrency wallet data, system and user information, messaging and VPN-related data, and additional material from common end-user applications. Public analysis also indicates that PureLog is modular, can be wrapped or staged through PureCrypter or adjacent loaders, and is attractive to both low-sophistication operators and more capable actors because of its low entry cost, broad data-harvesting scope, and multiple evasive delivery options.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — PureLog Stealer

Classification: TLP:WHITE - Open Source Intelligence (OSINT)

What it is

PureLog Stealer is a commodity Windows infostealer associated with the broader PureCoder malware ecosystem. It is designed to steal browser credentials, cookies, extensions, cryptocurrency wallet data, system information, messaging-related artifacts, email client data, and VPN-related material. Public reporting since 2022 places it inside a criminal product portfolio that

Hunting Playbook

Hunting Playbook — PureLog Stealer

Scope: Windows endpoints, email telemetry, script execution logs, EDR process trees, registry telemetry, web proxy / DNS / firewall logs, browser credential theft follow-up.

Analytical framing: PureLog is a commodity infostealer in the PureCoder ecosystem. Hunts should focus on user-driven staging, script execution, in-memory loaders, suspicious persistence, archive extraction patterns, and post-execution outbound traffic rather than on a single hash or

IOC Appendix
Last updated: 2026-03-24T03:07:22+00:00


This appendix provides a practical seed set of indicators and patterns associated with PureLog / PureLogs activity as observed in public reporting. Indicators should be used with context. Several items are campaign-specific and better suited for hunting, pivoting, or enrichment than for long-term blocking.

OSINT Library
Last saved: 2026-03-24T03:07:42+00:00

OSINT Library — PureLog Stealer


2022-06-13 — Zscaler ThreatLabz — “Technical Analysis of PureCrypter: A Fully-Functional Loader Distributing Remote Access Trojans and Information Stealers”

Social Media & Communication
SOCMINT integrated: 0/13

Address Verification SOCMINT
Telegram: 10 t.me channel handles (masked in preview; restricted, not integrated)
Web: purecoder.io (restricted, not integrated); purecoder.sellix.io (restricted, not integrated); purerat.com (restricted, not integrated)
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence: 3 logo images (not reproduced in preview)