logo

Hackers Use Compromised Websites and transcript.pdf.js Lure to Deliver PureLog Stealer

ID: cb8adab9-55aa-5cd9-b36b-451158dad4e1

STIX ID: report--cb8adab9-55aa-5cd9-b36b-451158dad4e1

Feed Name: GBHackers

Threat Score
70/100

Date Published: 2026-07-03

Date Updated: 2026-07-03

Author: Mayura Kathir

...
...

Attackers distribute a PureLog Stealer campaign using deceptive transcript.pdf.js files that launch small JavaScript stages via Windows Script Host to spawn PowerShell with execution-policy bypasses; PowerShell pulls additional, XOR-obfuscated stages from attacker-controlled Blogspot pages, decodes and reflectively loads .NET assemblies in memory, and uses LOLBINs and cleanup/delay techniques to evade detection. The stealer harvests browser credentials, cookies, autofill data, browsing history, and multiple cryptocurrency wallets, and defenders are advised to monitor PowerShell script block logging, process lineage, memory-resident .NET execution, and suspicious Invoke-RestMethod/Invoke-Expression activity.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.