PureLogs: Delivery via PawsRunner Steganography

Pulse ID: 6a12845778deef28f0ac5fc3
Pulse Link: https://otx.alienvault.com/pulse/6a12845778deef28f0ac5fc3
Pulse Author: Tr1sa111
Created: 2026-05-24 04:53:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Steganography #bot #Tr1sa111

UAC0184 Steganography Based Remcos Campaign

UAC0184 runs a multi-stage phishing campaign using fake documents and shortcut files to trick users into execution. The attack abuses legitimate Windows tools like BITSAdmin and PowerShell to download and run malicious content. It uses steganography to hide malware inside image files, which is then extracted by a loader.

Pulse ID: 6a10b4b34a90f600cf8a1fc7
Pulse Link: https://otx.alienvault.com/pulse/6a10b4b34a90f600cf8a1fc7
Pulse Author: cryptocti
Created: 2026-05-22 19:55:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #PowerShell #Remcos #Steganography #Windows #bot #cryptocti

This spectrogram video shows how the words are encoded in "Spectre Inspector", one of the tracks on my album, Steganogram. I'll probably be releasing a couple more of these at some point so stay tuned!

#MusicProduction #Steganography

https://www.youtube.com/watch?v=R4ObYP1YyZ4

PureLogs: Delivery via PawsRunner Steganography

Attackers are concealing .NET infostealers within seemingly innocuous images to evade detection. A phishing campaign uses TXZ archive attachments with invoice-themed lures to initiate infection. The embedded JavaScript leverages environment variables to hide malicious commands, launching PowerShell to decode and decrypt payloads. PawsRunner, a steganography loader, extracts encrypted data from PNG images containing cat photos. This loader evolved from simple PE downloads to sophisticated steganographic extraction with fallback mechanisms. The final payload, PureLogs version 5.0.0, is a comprehensive infostealer from the Pure family that harvests credentials from browsers, cryptocurrency wallets, password managers, communication apps, and other applications. It employs extensive async/await patterns and communicates with command and control infrastructure via HTTPS using multiple endpoints to exfiltrate encrypted and compressed stolen data.

Pulse ID: 6a0f272cd9c82db936e6a249
Pulse Link: https://otx.alienvault.com/pulse/6a0f272cd9c82db936e6a249
Pulse Author: AlienVault
Created: 2026-05-21 15:39:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Browser #CyberSecurity #Endpoint #HTTP #HTTPS #InfoSec #InfoStealer #Java #JavaScript #NET #OTX #OpenThreatExchange #Password #Phishing #PowerShell #RAT #SMS #Steganography #Word #bot #cryptocurrency #AlienVault

Porting SafeText and analyzing digital content with Apache Tika

Last year I wrote about pitfalls in modern journalism, especially with regards to receiving documents and information from whistleblowers without offering them adequate protection.

The tl;dr is that you, as a whistleblower, need to protect yourself; and you, as an editor or journalist, need to protect your whistleblowers.

Steganographic fingerprints might be one method adopted to detect someone leaking information. Steganographic characters replace common textual characters with unusual but hard to detect variants, e.g. they look the same to the human eye, or are actually invisible. Using a tool called SafeText by David Jacobson we can identify these hidden fingerprints in the content that you share.

I firmly believe we can find clues about what is important to preserve, or learn to preserve, when we analyse the content of the digital record and not just the (file) format of the digital record.

A file can contain many different features and these are all challenges to their future interpretation, and thus preservation.

I wanted to use SafeText in some of my other non-Python tooling and so I decided to port the code to Golang as a composable module and binary.

By coincidence at the time I started writing this I had also just written about revisiting tikalinkextract and so I thought I would write this small explanation about how you might combine Tika and SafeText to perform some content analysis of your own.

Who knows, maybe we will find a conspiracy. Maybe we’ll find secret codes in our own digital records. Maybe we’ll learn something new about our records…

Lets have a look at putting Tika and SafeText together and see where it goes.

PawsRunner Loader Uses Steganography to Deliver PureLogs Infostealer Malware

Pulse ID: 6a0b7b1379ddcc804b8f4420
Pulse Link: https://otx.alienvault.com/pulse/6a0b7b1379ddcc804b8f4420
Pulse Author: cryptocti
Created: 2026-05-18 20:48:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #CyberSecurity #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #Steganography #bot #cryptocti

PureLogs: Delivery via PawsRunner Steganography | FortiGuard Labs

Fortinet is a global security provider, providing security services for more than 1.5 million customers across the globe, including the world's largest network, and a report on the global threat landscape.

Pulse ID: 6a0a9b64431abfcd7fccd5a1
Pulse Link: https://otx.alienvault.com/pulse/6a0a9b64431abfcd7fccd5a1
Pulse Author: Tr1sa111
Created: 2026-05-18 04:53:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #CyberSecurity #FortiGuard #FortiGuardLabs #InfoSec #OTX #OpenThreatExchange #Steganography #bot #Tr1sa111

🕶️ 2026.lat – Invisible watermark tool.

Compress images, rename sequentially, and hide ANY secret text inside pixels (LSB steganography). No server uploads. No tracking. 100% local.🤍

Choose visible watermark or invisible message. Extract later with one click.🧊

🔗 https://2026.lat

#Privacy #Steganography #OpenWeb #NoTracking #mastodon

---
#culture #photo