PawsRunner Malware Hides Inside Cat Images to Steal Browser Passwords and Crypto Wallets


Introduction

Cybercriminals are evolving faster than many security systems can keep up. Traditional malware campaigns once relied on obvious malicious files or suspicious downloads, but modern attackers are becoming far more creative. Today’s threat actors increasingly hide their payloads inside harmless-looking media files, using advanced stealth techniques designed to avoid antivirus detection and fool even experienced users.

A newly uncovered phishing campaign analyzed by researchers at Fortinet and its FortiGuard Labs team demonstrates how dangerous this trend has become. The operation uses a sophisticated malware loader called PawsRunner to secretly deploy the PureLogs infostealer. What makes this campaign especially alarming is its use of steganography, fileless execution, encrypted payloads, and fake cat images to silently compromise victims and harvest sensitive data.

Fake Invoice Emails Begin the Attack

The infection chain starts with a carefully crafted phishing email disguised as an urgent invoice notification. Attackers pressure recipients into opening an attached archive immediately, exploiting panic and curiosity to increase the likelihood of interaction.

Inside the attachment is a TXZ compressed archive containing a heavily obfuscated JavaScript payload. The script is intentionally packed with random multilingual comments written in Chinese, Japanese, Russian, and other languages. This clutter is designed to confuse analysts and slow down reverse engineering efforts.

Once executed, the JavaScript quietly creates hidden environment variables on the victim’s machine. It then launches a concealed PowerShell session in the background, ensuring the malicious commands run silently without raising user suspicion.

The PowerShell component performs several advanced operations. It decodes the hidden data, decrypts it with AES (the Advanced Encryption Standard), and decompresses the result directly into memory. This approach lets the malware execute in a largely fileless manner, meaning very little evidence is written to the victim’s hard drive.

PawsRunner Uses Cat Photos as a Disguise

After the initial loader completes execution, it decrypts and launches the main PawsRunner malware component. Researchers observed a strange but consistent characteristic in the malware family: the developers repeatedly use cat images and cat-themed application icons throughout the campaign.

The malware then attempts to establish communication with remote infrastructure using multiple network techniques. Once connected, it downloads what appears to be an innocent PNG image from an attacker-controlled server.

However, the image is not harmless at all.

Hidden deep inside the PNG file is encrypted malicious data embedded using steganography. This technique allows attackers to conceal malware within normal image structures, making detection significantly harder for conventional scanning engines.

If one malicious image server becomes unavailable, PawsRunner automatically switches to backup URLs using an internal fallback mechanism. This redundancy ensures the malware operation remains active even if part of the infrastructure is disrupted by defenders.

PureLogs Launches Aggressive Data Theft Operations

Once fully deployed, PureLogs immediately begins harvesting sensitive information from the infected system. According to researchers, the infostealer runs several background processes simultaneously and rapidly transmits stolen data back to remote servers.

The malware aggressively targets financial credentials, browser information, authentication tools, and cryptocurrency wallets.

Among the stolen data are:

Login credentials and browsing history from more than 80 browsers, including Chrome, Edge, Brave, and Firefox

Password manager databases and authentication applications

Recovery phrases and private cryptocurrency keys

Browser wallet extensions linked to digital asset platforms

Sensitive data from MetaMask, Trust Wallet, Binance Chain, SafePal, and many others

The malware’s design focuses on speed and efficiency. Instead of collecting everything first and exfiltrating later, PureLogs sends data back to the attackers immediately after discovery. This minimizes the chance defenders can stop the theft before damage occurs.

Steganography Makes Detection Far More Difficult

One of the most dangerous aspects of this campaign is the use of steganography. Unlike traditional malware delivery methods that rely on executable files or suspicious scripts, steganography hides malicious payloads inside ordinary-looking media content.

To the victim and many security products, the downloaded PNG appears to be nothing more than a standard cat image. But hidden within its binary structure lies encrypted malware data waiting to be extracted and executed.

This approach significantly reduces the likelihood of detection because image files are generally trusted by users and often bypass stricter security inspection pipelines.
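The checks below are an added example written for this article, not code from Fortinet, FortiGuard Labs or the campaign analysis. They do not recover or decrypt any payload; they only flag the structural places where appended or stuffed data shows up in a PNG: bytes after the IEND chunk, oversized ancillary chunks with near-8-bit entropy, and chunks whose CRC does not match. The 1x1 fixture image, the private chunk name prVt and the FAKE_BLOB bytes are all constructed for the demonstration, and the 4 KiB ancillary-chunk limit is an assumed threshold.

```python
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a decoder needs to render the image; everything else is ancillary
# and is where appended or stuffed data tends to hide.
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Compressed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_chunks(data: bytes):
    """Walk the chunk list up to IEND. Returns (chunks, trailing_bytes) where each
    chunk is (type, payload, crc_ok, offset). Raises ValueError on malformed input."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # length field + type + payload + CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        payload = data[pos + 8:pos + 8 + length]
        (crc_stored,) = struct.unpack(">I", data[pos + 8 + length:end])
        crc_ok = zlib.crc32(ctype + payload) == crc_stored
        chunks.append((ctype, payload, crc_ok, pos))
        pos = end
        if ctype == b"IEND":
            return chunks, data[pos:]
    raise ValueError("no IEND chunk found")


def analyze_png(data: bytes, ancillary_limit: int = 4096) -> dict:
    """Flag the structural oddities a payload-carrying PNG commonly shows:
    bytes after IEND, oversized high-entropy ancillary chunks, bad CRCs."""
    try:
        chunks, trailing = parse_chunks(data)
    except ValueError as exc:
        return {"chunk_count": 0, "trailing_bytes": 0,
                "findings": [f"malformed: {exc}"], "suspicious": True}
    findings = []
    for ctype, payload, crc_ok, offset in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"bad CRC on {name} chunk at offset {offset}")
        if ctype not in CRITICAL_CHUNKS and len(payload) > ancillary_limit:
            findings.append(
                f"oversized ancillary chunk {name}: {len(payload)} bytes, "
                f"entropy {shannon_entropy(payload):.2f}")
    if trailing:
        findings.append(
            f"{len(trailing)} bytes after IEND, entropy {shannon_entropy(trailing):.2f}")
    return {"chunk_count": len(chunks), "trailing_bytes": len(trailing),
            "findings": findings, "suspicious": bool(findings)}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def build_sample_png(trailing: bytes = b"", extra_chunks=()) -> bytes:
    """Constructed 1x1 red RGB PNG used as a test fixture (not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, payload in extra_chunks:
        png += _chunk(ctype, payload)
    png += _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter 0 + one pixel
    return png + _chunk(b"IEND", b"") + trailing


# Constructed high-entropy blob standing in for an encrypted payload.
FAKE_BLOB = bytes((i * 73 + 11) % 256 for i in range(5000))

if __name__ == "__main__":
    for label, sample in [("clean", build_sample_png()),
                          ("appended", build_sample_png(trailing=FAKE_BLOB)),
                          ("stuffed", build_sample_png(extra_chunks=[(b"prVt", FAKE_BLOB)]))]:
        print(label, analyze_png(sample))
```

Run over images fetched by a proxy or sandbox, these checks catch the cheap variants of the technique: a blob appended after IEND or parked in a private chunk. Pixel-level (LSB) embedding leaves the chunk structure and CRCs intact and will pass them; for that case, compare the decoded pixel buffer or its statistics against the known-good asset rather than the container.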

Combined with fileless execution and encrypted payload delivery, the attack demonstrates how modern malware developers are blending multiple evasion tactics into a single operation.

Cryptocurrency Wallets Become Prime Targets

The campaign also highlights how heavily cybercriminals are focusing on cryptocurrency theft. Browser wallet extensions have become extremely valuable targets because they frequently contain direct access to digital assets worth thousands or even millions of dollars.

Researchers identified several targeted wallet extensions and platforms, including:

Extension Name    Extension ID
SafePal           lgmpcpglpngdoalbgeoldeajfclnhafa
Pontem Aptos      phkbamefinggmakgklpkljjmgibohnba
OKX               mcohilncbfahbmgdjkbpemcciiolgcge
xverse.app        idnnbdplmphpflfnlkomgpfbpcgelopg

Attackers are increasingly aware that browser-based crypto wallets often lack the stronger protections found in hardware wallets. Once recovery phrases or private keys are stolen, victims typically have no way to recover their digital assets.

What Undercode Says:

The PawsRunner campaign represents a major shift in malware delivery sophistication. Instead of relying solely on exploits or direct payload downloads, attackers are now weaponizing trust itself. Cat images, invoice emails, multilingual comments, and encrypted loaders are all carefully selected to appear ordinary while concealing dangerous functionality underneath.

This operation also demonstrates how fileless malware continues to mature. Traditional antivirus solutions historically depended on identifying suspicious files stored on disk. But memory-resident malware dramatically reduces the available forensic footprint, making detection much more difficult for endpoint security products.

Another important detail is the psychological design behind the phishing emails. Fake invoices remain one of the most effective lures because they create urgency. Victims often act before thinking critically, especially in business environments where invoices and compressed attachments are common.

The use of TXZ archives is another subtle tactic. Many users are less familiar with TXZ compared to ZIP or RAR files, which may reduce suspicion. Attackers constantly search for overlooked file formats that evade automated scanning systems.

Steganography itself is not new, but its increasing appearance in active malware campaigns signals a worrying trend. By embedding encrypted payloads inside PNG files, attackers can exploit the fact that image traffic is usually treated as low-risk by many security architectures.

The fallback download mechanism also shows operational maturity. Modern malware campaigns are no longer fragile one-server operations. Threat actors now build resilient infrastructures capable of surviving takedowns and disruptions.

PureLogs targeting more than 80 browsers reveals how centralized browser ecosystems have become. Browsers now store passwords, payment details, session tokens, authentication cookies, and crypto wallets all in one place. Compromising a browser effectively compromises a victim’s digital identity.

Cryptocurrency users face particularly high risk. Browser extensions remain convenient but dangerous. Once attackers steal seed phrases or wallet credentials, the theft is usually irreversible. Unlike traditional banking systems, crypto transactions rarely provide fraud recovery options.

The malware’s rapid exfiltration behavior is also important. Immediate data transmission minimizes the defender’s response window. Even if the malware is discovered shortly after infection, the sensitive data may already be gone.

This campaign further proves that visual trust remains one of cybersecurity’s weakest points. Humans instinctively trust images more than executables, which attackers are exploiting aggressively.

Organizations should strengthen email filtering systems capable of analyzing compressed attachments and detecting obfuscated scripts. Endpoint monitoring should also focus more heavily on suspicious PowerShell behavior and unusual memory execution patterns.
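As an added illustration of what "focus on suspicious PowerShell behavior" can mean in practice, the script below is written for this article and is not a Fortinet detection rule or part of the campaign analysis. It triages a constructed, simplified one-line rendering of PowerShell script block log records (real Windows 4104 events are XML), scoring each record on the behaviours the article describes: a hidden window, Base64 decoding, AES usage, in-memory decompression, staging through environment variables, and PowerShell spawned by the Windows Script Host that runs a .js attachment. The hostnames, timestamps, CATKEY variable name, weights and threshold are all assumptions made for the demonstration.

```python
import re

# Constructed, simplified one-line rendering of script block log records.
# The third record is a deliberately non-functional skeleton for scoring only.
SAMPLE_LOG = r"""
2025-01-15T09:12:03Z host=WS01 pid=4412 parent=explorer.exe script=Get-ChildItem C:\Users\alice\Documents | Measure-Object
2025-01-15T09:14:40Z host=WS02 pid=5120 parent=cmd.exe script=Set-ExecutionPolicy RemoteSigned -Scope CurrentUser; Get-Service | Where-Object Status -eq Running
2025-01-15T09:15:07Z host=WS03 pid=6188 parent=wscript.exe script=powershell -WindowStyle Hidden -nop -c $k=[Convert]::FromBase64String($env:CATKEY);$a=[System.Security.Cryptography.Aes]::Create();$g=New-Object IO.Compression.GZipStream($m,[IO.Compression.CompressionMode]::Decompress);...
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+"
    r"parent=(?P<parent>\S+)\s+script=(?P<script>.*)$")

# (indicator, weight, pattern). Weights are this example's own heuristic,
# chosen to mirror the behaviours the article describes, not a vendor rule set.
SCRIPT_INDICATORS = [
    ("hidden_window", 2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded_command", 2, re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("base64_decode", 1, re.compile(r"FromBase64String", re.I)),
    ("aes_usage", 2, re.compile(r"System\.Security\.Cryptography\.(?:Aes|Rijndael)", re.I)),
    ("in_memory_decompress", 2, re.compile(r"GZipStream|DeflateStream", re.I)),
    ("env_var_staging", 1, re.compile(r"\$env:[A-Za-z_]\w*")),
    ("reflective_load", 3, re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I)),
    ("invoke_expression", 2, re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.I)),
]
# Windows Script Host parents correspond to the JavaScript-to-PowerShell hop above.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe"}
SCORE_THRESHOLD = 5  # assumed; tune against your own baseline of admin scripts


def score_record(parent: str, script: str):
    """Return (score, matched indicator names) for one record."""
    hits = [name for name, _, pat in SCRIPT_INDICATORS if pat.search(script)]
    score = sum(w for name, w, _ in SCRIPT_INDICATORS if name in hits)
    if parent.lower() in SCRIPT_HOST_PARENTS:
        hits.append("parent_script_host")
        score += 3
    return score, hits


def triage(lines):
    """Parse records, score each, and mark those at or above the threshold."""
    results = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        score, hits = score_record(m["parent"], m["script"])
        results.append({"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]),
                        "score": score, "hits": hits,
                        "flagged": score >= SCORE_THRESHOLD})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG.splitlines()):
        status = "FLAG" if r["flagged"] else "ok  "
        print(f"{status} {r['host']} pid={r['pid']} score={r['score']} hits={r['hits']}")
```

The point of weighting rather than matching single tokens is that each indicator is common on its own (administrators decode Base64 and use GZipStream too); it is the combination, and the script-host parent, that distinguishes a loader chain from routine automation. Script block logging has to be enabled for these records to exist at all, which is worth confirming before relying on any rule of this shape.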

Users should avoid opening invoice attachments from unknown sources, especially compressed archives. Enabling multi-factor authentication can reduce the impact of credential theft, although stolen session tokens may still pose serious risks.

Crypto holders should strongly consider hardware wallets instead of browser-based storage solutions. Hardware wallets isolate private keys from browsers and significantly reduce exposure to infostealer malware.

Security awareness training must also evolve. Employees should understand that malware no longer arrives only as obvious executable files. Harmless-looking media content can now act as malware carriers.

The PawsRunner operation is a reminder that modern cybercrime increasingly combines psychology, encryption, stealth engineering, and automation into highly effective attack chains capable of bypassing traditional defenses with alarming success.

Fact Checker Results

✅ FortiGuard Labs researchers identified a phishing campaign using the PawsRunner loader to deploy the PureLogs infostealer.

✅ The malware uses steganography and hides encrypted payloads inside PNG image files disguised as harmless cat pictures.

✅ PureLogs specifically targets browser credentials, password managers, and cryptocurrency wallet extensions including MetaMask, SafePal, and Trust Wallet.

Prediction

🔮 Malware campaigns using steganography will become significantly more common as attackers seek to bypass AI-driven security scanning systems.

🔮 Browser-based cryptocurrency wallets will remain one of the primary targets for infostealer malware throughout the next few years.

🔮 Future phishing campaigns will likely combine fileless malware, encrypted memory execution, and AI-generated social engineering to increase infection success rates while reducing detection.


References:

Reported By: cyberpress.org