PureLogs: Delivery via PawsRunner Steganography
ID: 45706610-d09b-54cc-921d-602a3b7d784a
STIX ID: report--45706610-d09b-54cc-921d-602a3b7d784a
Feed Name: Fortinet Blog
FortiGuard Labs details a phishing campaign that delivers a steganographic .NET loader called PawsRunner via a TXZ attachment and JavaScript that hides commands in environment variables; PawsRunner retrieves encrypted data hidden in PNG images (often cat photos) to load and execute the PureLogs infostealer, which collects extensive browser, wallet, application, and system data and communicates with C2 via HTTPS. The report includes a technical analysis of each stage, persistence/evasion techniques, harvested artifacts and extensions/wallets targeted, detection notes, and IOCs (IPs, URLs, SHA256 hashes).
