In a fileless phishing campaign that spreads data-stealing malware, attackers are targeting organizations across several industry sectors with fake copyright-infringement notices. According to a Trend Micro report published on Monday, the attack, which targets organizations in critical sectors such as healthcare, government, hospitality, and education, aims to install PureLog Stealer, a low-cost infostealer thought to be easy for would-be threat actors to use.

The campaign has primarily targeted government and healthcare institutions in Canada and Germany, "demonstrating selective victimology and a structured, evasive delivery framework rather than simple mass malware distribution," according to a post by Trend Micro threat researchers Jonna Santos, Allixon Kristoffer Francisco, and Mohamed Fahmy. US and Australian organizations were also targeted.

Attackers use phishing emails to gain initial access, creating a sense of urgency to trick victims into downloading a malicious executable that is localized to the target's language.

## Protect Early and Frequently

Amid a heated geopolitical environment and an ongoing war, phishing campaigns are becoming more complex through targeted social engineering and sophisticated evasion tactics. As a result, it is more crucial than ever for organizations in critical industries to remain extremely vigilant against any kind of attack.

According to Trend Micro, the campaign's evasion and obfuscation techniques, together with the malware's in-memory execution, highlight the importance of proactive threat hunting, network telemetry, and behavioral detection.

"With observed victims in government, healthcare, education, and hospitality sectors across multiple countries, this activity reflects a shift away from broad, opportunistic malware distribution toward more selective targeting," the researchers wrote. Organizations can reduce the chance of compromise by training users to treat any unexpected legal or financial claim that arrives in their inbox as high risk, and by setting mail filters to flag or sandbox messages that carry legal threats and attachments. Further down the attack chain, defenders can limit the execution of scripts and loaders by using application allowlisting to approve only specific scripts or binaries, monitoring for suspicious use of legitimate tools, and disabling or tightly controlling unauthorized Python execution on endpoints.
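As an added illustration of the allowlisting and monitoring advice above (this is not code from Trend Micro or from the report, and it is not specific to PureLog), the following Python triage routine applies a simple endpoint policy to process-creation events: script interpreters may only run from approved directories, should not be spawned by mail clients, Office or browsers, and should not be started with hidden-window or encoded-payload switches. The directory names, parent-process names, and the sample events are constructed assumptions for the example.

```python
"""Allowlist-style triage of endpoint process-creation events.

Added illustration, not code from Trend Micro or from the PureLog report.
The policy, directory names, parent names and the sample events are
constructed assumptions for the example.
"""
from dataclasses import dataclass
import ntpath

# Assumption: script interpreters may only run from these directories.
ALLOWED_INTERPRETER_DIRS = (
    r"c:\program files\python311",
    r"c:\windows\system32\windowspowershell\v1.0",
)
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: mail clients, Office and browsers should not spawn interpreters;
# a user opening an attachment is the phishing chain's first hop.
USER_FACING_PARENTS = {"outlook.exe", "thunderbird.exe", "winword.exe",
                       "excel.exe", "chrome.exe", "msedge.exe"}
# Command-line switches that hide the window or encode the payload,
# a common way to keep a loader out of sight before in-memory execution.
HIDING_FLAGS = ("-enc ", "-encodedcommand", "-w hidden", "-windowstyle hidden")


@dataclass(frozen=True)
class ProcEvent:
    image: str    # full path of the created process
    parent: str   # image name of the parent process
    cmdline: str


def _under_allowed_dir(directory: str) -> bool:
    # Exact match or a subdirectory of an allowlisted directory.
    return any(directory == d or directory.startswith(d + "\\")
               for d in ALLOWED_INTERPRETER_DIRS)


def triage(ev: ProcEvent) -> list[str]:
    """Return the policy violations for one event (empty list means allowed)."""
    reasons: list[str] = []
    name = ntpath.basename(ev.image).lower()
    directory = ntpath.dirname(ev.image).lower()
    if name not in INTERPRETERS:
        return reasons                     # only interpreters are policed here
    if not _under_allowed_dir(directory):
        reasons.append(f"{name} ran from non-allowlisted path {directory}")
    if ev.parent.lower() in USER_FACING_PARENTS:
        reasons.append(f"{name} spawned by user-facing parent {ev.parent}")
    lowered = ev.cmdline.lower()
    if any(flag in lowered for flag in HIDING_FLAGS):
        reasons.append("command line uses a hidden-window or encoded-payload switch")
    return reasons


# Constructed sample telemetry (not real observations).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Python311\python.exe", "svchost.exe",
              r"python.exe C:\Scripts\inventory.py"),
    ProcEvent(r"C:\Users\jdoe\AppData\Local\Temp\python.exe", "outlook.exe",
              r"python.exe C:\Users\jdoe\AppData\Local\Temp\notice.py"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "winword.exe", "powershell.exe -w hidden -enc SQBFAFgA"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "explorer.exe", "notepad.exe"),
]


def flagged(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each violating image path to its reasons; clean events are omitted."""
    return {ev.image: r for ev in events if (r := triage(ev))}


if __name__ == "__main__":
    for image, reasons in flagged().items():
        print(image)
        for r in reasons:
            print("   -", r)
```

Run against the constructed events, the scheduled Python job and the notepad launch pass, while the interpreter dropped into a Temp directory by a mail client and the hidden, encoded PowerShell launched from Word are each flagged for two reasons. In a real deployment the same logic would be expressed as an AppLocker or WDAC policy plus an EDR detection rule, fed by the endpoint's process telemetry rather than an inline list.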