Date: 05/18/2026
Severity: High
Summary
Steganography is rapidly gaining traction in the threat landscape. Instead of relying on direct encrypted transfers, attackers are increasingly hiding next-stage payloads inside everyday media files. A recent example uncovered by Labs involves a phishing campaign that uses environment variables to conceal malicious commands, employing PawsRunner as a steganography loader to deliver the PureLogs .NET infostealer.
Indicators of Compromise (IOC) List
Domains/URLs: https://everycarebd.com/imagelkjh0987.png
IP Address: 5.101.84.202
Hash (SHA256): six file hashes, listed in full in Detection Query 3 below.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: domainname like "https://everycarebd.com/imagelkjh0987.png" or url like "https://everycarebd.com/imagelkjh0987.png" or siteurl like "https://everycarebd.com/imagelkjh0987.png"
Detection Query 2: dstipaddress IN ("5.101.84.202") or srcipaddress IN ("5.101.84.202")
Detection Query 3: sha256hash IN ("e2308749f6b7b7573009d0cac6616a6aa83cecb1f2933e868776400d122c86ec","93724f1a9ad3a28c171927fc449ac34dc6ca890f915f00210e8b305577388c6e","6910d27b9e1dc2229a8c280f5d0cea85146d50274c56a4d9a5b8d1793505b1b9","1b730de72f921458b6b162b105a9521a931f07e19d3cac53207c7a8efbc412f9","8d0bcde739929fe41a6bcaaa62f7cba802af90b2ba8dea6ed1a4821236cdd588","0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e")
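The three queries above, reimplemented as a small IOC matcher run over constructed log events (an added example, not Gurucul's TDIR engine or code from the referenced report). It also accepts the bare host in a domainname field, which goes slightly beyond Query 1 as written, since that field normally carries only a hostname and would never equal a full URL.

```python
# Added example (not Gurucul's or Fortinet's code): evaluates the advisory's
# three TDIR queries against log events. SAMPLE_EVENTS is constructed data.
from urllib.parse import urlsplit

IOC_URL = "https://everycarebd.com/imagelkjh0987.png"
IOC_HOST = urlsplit(IOC_URL).hostname  # "everycarebd.com"
IOC_IPS = {"5.101.84.202"}
IOC_SHA256 = {  # the six hashes from Detection Query 3
    "e2308749f6b7b7573009d0cac6616a6aa83cecb1f2933e868776400d122c86ec",
    "93724f1a9ad3a28c171927fc449ac34dc6ca890f915f00210e8b305577388c6e",
    "6910d27b9e1dc2229a8c280f5d0cea85146d50274c56a4d9a5b8d1793505b1b9",
    "1b730de72f921458b6b162b105a9521a931f07e19d3cac53207c7a8efbc412f9",
    "8d0bcde739929fe41a6bcaaa62f7cba802af90b2ba8dea6ed1a4821236cdd588",
    "0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e",
}


def match_event(event: dict) -> list[str]:
    """Return the names of the advisory's queries this event satisfies."""
    hits = []
    # Query 1. URL fields are matched as substrings so an appended query
    # string does not evade the check; a bare host in domainname is also
    # accepted (an extension beyond the page's query, which uses the full URL).
    for field in ("domainname", "url", "siteurl"):
        value = (event.get(field) or "").strip().lower()
        if value and (IOC_URL in value or value == IOC_HOST):
            hits.append("q1_url")
            break
    # Query 2: the C2 address on either side of the connection.
    if event.get("dstipaddress") in IOC_IPS or event.get("srcipaddress") in IOC_IPS:
        hits.append("q2_ip")
    # Query 3: hashes are case-normalised before the set lookup.
    if (event.get("sha256hash") or "").lower() in IOC_SHA256:
        hits.append("q3_hash")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, matched queries) for every event that hits an IOC."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"url": "https://everycarebd.com/imagelkjh0987.png?x=1", "srcipaddress": "10.0.0.5"},
    {"domainname": "everycarebd.com", "dstipaddress": "10.0.0.9"},
    {"dstipaddress": "5.101.84.202",
     "sha256hash": "8D0BCDE739929FE41A6BCAAA62F7CBA802AF90B2BA8DEA6ED1A4821236CDD588"},
    {"url": "https://example.org/logo.png", "sha256hash": "0" * 64},
]
```

Calling `scan(SAMPLE_EVENTS)` flags the first three events and leaves the benign fourth one alone.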
Reference:
https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography