May 29, 2026 · 6 min read
Hackers Are Hiding Credential Stealers Inside Cat Photo Emails—Fortinet Caught PawsRunner Pulling PureLogs Out of PNG Files Using iTXt and IEND Steganography Markers, And the C2 at 5.101.84.202 Has Been Hitting Inboxes Since May 15
The phishing lure is a fake invoice. The attachment is a PNG of a cat. Inside the image chunks is a .NET stealer that empties password managers and crypto wallets.
The phishing email looks like an invoice. The attached TXZ archive looks like a routine compressed file. Inside is a JavaScript payload commented in six languages—Chinese, Japanese, Korean, Russian, Hindi, and Arabic—because the people who built it are betting your security tools will not read past the noise. Eight minutes later, a hidden PowerShell window is downloading a PNG of a cat. By the time the image loads, PawsRunner has carved an encrypted .NET binary out of two PNG chunk markers, decoded PureLogs into memory, and started hoovering up the browser credentials, crypto wallet seeds, and password manager vaults of whoever opened the attachment.
Key Takeaways
- Fortinet published the PawsRunner steganography analysis on May 15, 2026, and Help Net Security broke the campaign on May 19, 2026.
- PawsRunner is a .NET assembly loader that extracts encrypted PureLogs payloads from PNG image files using iTXt and IEND chunk markers as boundaries.
- The campaign C2 server at 5.101.84.202 is hosting the malicious PNG at hxxps://everycarebd[.]com/imagelkjh0987[.]png.
- PureLogs steals data from password managers including Bitwarden, LastPass, and 1Password, plus over 100 crypto wallet extensions and desktop wallets.
- The loader bypasses Event Tracing for Windows and uses async/await execution patterns to evade in-memory detection on Windows 11.
What Is the PawsRunner Loader?
PawsRunner is a .NET assembly loader that fetches a PNG image over HTTPS, then extracts a hidden payload from inside the file using PNG chunk markers as boundaries. Fortinet's threat research team named it after the cat images the loader ships with as its application icon—a small artifact that links samples back to a single developer's habits across multiple campaigns.
The technique is steganography: real image data on the wire, real PNG headers, real iTXt and IEND chunks. Standard antivirus engines do not unpack PNG chunks looking for .NET binaries, because legitimate software does not hide .NET binaries in PNG chunks. The loader does, and once it has the bytes, it decrypts them with RC4, decompresses them in memory, and hands execution to PureLogs without ever writing the binary to disk.
How Does the Attack Chain Work?
The campaign starts with an invoice-themed phishing email containing a TXZ archive—an uncommon compression format that slips through email gateways tuned to filter ZIP and RAR. The extracted JavaScript stores commands in process environment variables, padded with garbled multilingual comments designed to inflate file entropy and break static analysis heuristics.
The JavaScript launches a hidden PowerShell session using -w hidden and a headless conhost.exe invocation, then decodes, decrypts, and decompresses the PawsRunner .NET assembly directly into memory. PawsRunner decrypts an RC4-protected download URL—Fortinet observed hxxps://everycarebd[.]com/imagelkjh0987[.]png resolving to the C2 at 5.101.84.202—and tries multiple network APIs to fetch the PNG.
Inside the PNG, two markers bracket the encrypted payload: iTXt (international textual data) and IEND (end of image). PawsRunner reads everything between them as ciphertext, decrypts it with AES, and reconstructs PureLogs in memory. Earlier variants of the loader pulled the same trick from a PNG hosted on archive.org, blending malicious traffic into requests to the Internet Archive.
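The chunk-marker trick described above can be checked from the defender's side by parsing the PNG strictly rather than scanning for marker strings the way the loader does. The following Python is an added example, not Fortinet's code or a PawsRunner sample: it walks the chunk list, verifies each CRC, and flags the two shapes a blob stashed "between iTXt and IEND" can take (an oversized, high-entropy text chunk, or raw bytes spliced between chunks that break the walk). The sample PNGs and the FAKE_CIPHERTEXT stand-in are constructed inline; the size and entropy thresholds are triage assumptions, not published values.

```python
"""Audit a PNG's chunk structure for stego-style payload stuffing (added defender example)."""
import math
import struct
import zlib
from typing import Dict, List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types an ordinary encoder emits; anything else deserves a look.
KNOWN_TYPES = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"pHYs",
               b"gAMA", b"sRGB", b"cHRM", b"tIME", b"bKGD", b"tRNS", b"sBIT", b"iCCP"}
TEXT_TYPES = {b"tEXt", b"zTXt", b"iTXt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_chunks(png: bytes) -> Tuple[List[Dict], bytes]:
    """Strict chunk walk (length, type, data, CRC). Returns (chunks, bytes after IEND)."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc = png[pos + 8 + length:pos + 12 + length]
        entry = {"type": ctype, "length": length, "offset": pos, "data": data}
        if len(data) < length or len(crc) < 4:
            # The declared length runs past the file: bytes were stuffed outside chunk structure.
            entry.update(truncated=True, crc_ok=False)
            chunks.append(entry)
            return chunks, b""
        expected = struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)
        entry.update(truncated=False, crc_ok=(crc == expected))
        chunks.append(entry)
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, png[pos:]


def audit_png(png: bytes, max_text_chunk: int = 2048, entropy_threshold: float = 7.0) -> List[str]:
    """Return findings; an empty list means the chunk structure looks ordinary."""
    findings: List[str] = []
    chunks, trailing = parse_chunks(png)
    for c in chunks:
        name = c["type"].decode("latin-1")
        if c["truncated"]:
            findings.append(f"truncated chunk {name!r} at offset {c['offset']}")
            continue
        if not c["crc_ok"]:
            findings.append(f"CRC mismatch in chunk {name!r} at offset {c['offset']}")
        if c["type"] not in KNOWN_TYPES:
            findings.append(f"non-standard chunk type {name!r} at offset {c['offset']}")
        if c["type"] in TEXT_TYPES:
            if c["length"] > max_text_chunk:
                findings.append(f"oversized text chunk {name} ({c['length']} bytes)")
            ent = shannon_entropy(c["data"])
            if ent > entropy_threshold:
                findings.append(f"high-entropy text chunk {name} ({ent:.2f} bits/byte)")
    if not any(c["type"] == b"IEND" and not c["truncated"] for c in chunks):
        findings.append("IEND not reached by chunk walk")
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
    return findings


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_png(*middle: bytes) -> bytes:
    """Constructed 1x1 RGB PNG with optional raw bytes spliced in before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
            + b"".join(middle) + make_chunk(b"IEND", b""))


# Constructed samples (not campaign files): a benign comment, then the two ways a
# loader could stash a blob between iTXt and IEND as the article describes.
BENIGN_ITXT = b"Comment\x00\x00\x00en\x00\x00just a cat photo"
FAKE_CIPHERTEXT = bytes(range(256)) * 32  # stand-in for an encrypted blob: 8 KiB, entropy 8.0
SAMPLE_CLEAN = build_png(make_chunk(b"iTXt", BENIGN_ITXT))
SAMPLE_IN_CHUNK = build_png(make_chunk(b"iTXt", FAKE_CIPHERTEXT))
SAMPLE_RAW_SPLICE = build_png(make_chunk(b"iTXt", BENIGN_ITXT), FAKE_CIPHERTEXT)

if __name__ == "__main__":
    for label, sample in [("clean", SAMPLE_CLEAN), ("in-chunk", SAMPLE_IN_CHUNK), ("raw-splice", SAMPLE_RAW_SPLICE)]:
        print(label, audit_png(sample) or ["no findings"])
```

Compressed zTXt text, embedded ICC profiles (iCCP) and IDAT data legitimately score near 8 bits/byte, so the entropy flag is applied to text chunks only and is a triage cue, not a verdict. The structural findings (CRC mismatch, truncated chunk, IEND never reached, bytes after IEND) are the stronger signals, because a real encoder never produces them, and they are exactly what a loader that just searches for the marker strings leaves behind.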
What Does PureLogs Steal?
PureLogs is a commodity .NET infostealer that has been on underground forums since 2022, sold by a developer known as PureCoder for as little as $150 per month. Once PawsRunner detonates it, the stealer harvests credentials, cookies, and autofill data from dozens of Chromium and Firefox forks—the long tail of less popular browsers that security teams rarely monitor.
The target list is wide: password managers (Bitwarden, LastPass, 1Password), browser-based authenticators, over 100 crypto wallet extensions and desktop wallets, plus communication apps (Discord, Telegram, Signal) and a long bench of desktop tools that store credentials locally—Steam, OpenVPN, OBS Studio, FileZilla, WinSCP, FoxMail, MailBird, and Outlook. Exfiltrated data leaves over HTTPS, AES-encrypted, in chunks small enough to hide inside legitimate network traffic.
Why Does the PNG Trick Bypass Detection?
Three layers of evasion stack here. First, the delivery format—a TXZ archive—is rarely on the blocklist of corporate email gateways. Second, the JavaScript loader uses asynchronous execution patterns and multilingual decoy comments to inflate complexity and dodge signature-based detection. Third, the payload never lives on disk as a .dll or .exe. It exists only as bytes inside a PNG until PawsRunner reassembles it in memory.
PawsRunner also disables Event Tracing for Windows (ETW), one of the primary telemetry sources used by EDR products to spot in-memory threats. With ETW patched, Windows 11's built-in malware behavior monitor goes blind to the chain. Fortinet flagged the samples under six different detection signatures—EML/Phishing.973A!tr, JS/Formbook.VEN!tr, MSIL/Agent.6942!tr, MSIL/WSA!tr, MSIL/Kryptik.AQAJ!tr, and MSIL/WOF!tr—because each stage of the chain is distinct enough to need its own rule.
What Should Defenders Do Right Now?
Fortinet's recommendations are practical and unglamorous. Block uncommon archive formats (TXZ, ACE, ARJ, ISO) at the email gateway. Monitor PowerShell processes spawned from email client child processes—if Outlook or Thunderbird is launching powershell.exe -w hidden, that is the entire chain in one line. Restrict JavaScript execution from email attachments; modern productivity suites do not need it.
Endpoint detection should hunt for the indicators Fortinet published: the six PawsRunner SHA256 hashes, the C2 IP 5.101.84.202, and DNS lookups to everycarebd[.]com. The hashes are:
- 8d0bcde739929fe41a6bcaaa62f7cba802af90b2ba8dea6ed1a4821236cdd588
- 6910d27b9e1dc2229a8c280f5d0cea85146d50274c56a4d9a5b8d1793505b1b9
- 93724f1a9ad3a28c171927fc449ac34dc6ca890f915f00210e8b305577388c6e
- 0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e
- 1b730de72f921458b6b162b105a9521a931f07e19d3cac53207c7a8efbc412f9
- e2308749f6b7b7573009d0cac6616a6aa83cecb1f2933e868776400d122c86ec
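Fortinet's process-lineage advice and the published indicators above can be turned into a small hunting routine. This Python is an added example, not Fortinet's tooling: it replays constructed Sysmon-style process and network records (field names follow Sysmon Event ID 1 and 3, the values are made up), walks each hidden-window PowerShell back through its ancestors to see whether an email client or script host sits above it, and matches destinations and file hashes against the IP, domain and six SHA256 values quoted on this page. The severity labels, the hop limit and the benign backup script are assumptions.

```python
"""Hunt constructed endpoint telemetry for the PawsRunner chain and published IoCs (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Indicators copied from the article; the domain is re-fanged for matching.
IOC_IPS = {"5.101.84.202"}
IOC_DOMAINS = {"everycarebd.com"}
IOC_SHA256 = {
    "8d0bcde739929fe41a6bcaaa62f7cba802af90b2ba8dea6ed1a4821236cdd588",
    "6910d27b9e1dc2229a8c280f5d0cea85146d50274c56a4d9a5b8d1793505b1b9",
    "93724f1a9ad3a28c171927fc449ac34dc6ca890f915f00210e8b305577388c6e",
    "0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e",
    "1b730de72f921458b6b162b105a9521a931f07e19d3cac53207c7a8efbc412f9",
    "e2308749f6b7b7573009d0cac6616a6aa83cecb1f2933e868776400d122c86ec",
}
# -w hidden and its longer spellings (-win hidden, -WindowStyle Hidden), case-insensitive.
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden\b")


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 fields (constructed records below)."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


@dataclass
class NetworkEvent:
    """Subset of Sysmon Event ID 3 / 22 fields."""
    pid: int
    dest_ip: str
    dest_host: str = ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent], max_hops: int = 3) -> List[str]:
    """Image names from this process up through its ancestors (self first)."""
    chain, cur = [basename(ev.image)], ev
    for _ in range(max_hops):
        parent = by_pid.get(cur.parent_pid)
        if parent is None:  # parent not in our window: fall back to the recorded ParentImage
            chain.append(basename(cur.parent_image))
            break
        chain.append(basename(parent.image))
        cur = parent
    return chain


def triage_processes(events: List[ProcessEvent]) -> List[str]:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) not in POWERSHELL or not HIDDEN_WINDOW.search(ev.cmdline):
            continue
        chain = ancestry(ev, by_pid)
        lineage = " > ".join(reversed(chain))
        if any(a in EMAIL_CLIENTS for a in chain[1:]):
            alerts.append(f"HIGH pid {ev.pid}: hidden PowerShell under an email client: {lineage}")
        elif any(a in SCRIPT_HOSTS for a in chain[1:]):
            alerts.append(f"MEDIUM pid {ev.pid}: hidden PowerShell under a script host: {lineage}")
    return alerts


def triage_network(events: List[NetworkEvent]) -> List[str]:
    alerts = []
    for ev in events:
        host = ev.dest_host.lower().rstrip(".")
        if ev.dest_ip in IOC_IPS:
            alerts.append(f"HIGH pid {ev.pid}: connection to published C2 {ev.dest_ip}")
        if host and any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            alerts.append(f"HIGH pid {ev.pid}: lookup/connection to published domain {host}")
    return alerts


def is_known_sample(sha256: str) -> bool:
    return sha256.strip().lower() in IOC_SHA256


# Constructed telemetry: one benign admin script, one chain shaped like the article's description.
PROCESS_EVENTS = [
    ProcessEvent(10, r"C:\Windows\explorer.exe", "explorer.exe", 1, r"C:\Windows\System32\userinit.exe"),
    ProcessEvent(100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE", 10, r"C:\Windows\explorer.exe"),
    ProcessEvent(200, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\AppData\Local\Temp\invoice.js"', 100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ProcessEvent(300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 'powershell.exe -w hidden -nop -c "<elided>"', 200, r"C:\Windows\System32\wscript.exe"),
    ProcessEvent(400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -NoProfile -File C:\ops\backup.ps1", 10, r"C:\Windows\explorer.exe"),
]
NETWORK_EVENTS = [
    NetworkEvent(300, "5.101.84.202", "everycarebd.com"),
    NetworkEvent(400, "10.0.0.5", "fileserver.corp.example"),
]

if __name__ == "__main__":
    for line in triage_processes(PROCESS_EVENTS) + triage_network(NETWORK_EVENTS):
        print(line)
```

The lineage walk matters because the email client is usually the grandparent, not the parent: Outlook hands the .js to wscript.exe, and wscript.exe starts PowerShell. A rule keyed only on ParentImage would miss the chain, while a rule keyed on any hidden-window PowerShell would page on every scheduled admin script.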
User training still matters. The lure here is an invoice—the same lure infosec teams have been warning about since the early 2010s. What changed is what is inside the attachment: not a macro, not a script, not a PE file your gateway can identify, but a JavaScript runner that builds the malware from pieces of a cat photo on a server in another country.
The Bigger Pattern
PureLogs is not the only commodity stealer riding steganography in 2026. The same technique surfaced earlier this year hiding payloads inside images on Archive.org and Hugging Face—see our coverage of the OpenOSS Privacy Filter Hugging Face infostealer. As detection vendors get better at blocking the obvious—PE files, macro documents, signed installers carrying junk—the malware economy is migrating to formats that look like content, not code. A cat photo. A PDF cover image. An SVG attachment with a hidden script. Each one is a delivery primitive that bypasses the assumption baked into 30 years of email security: that the dangerous part of an attachment is the file extension.
For now, the cat sleeps. The PowerShell window flickers. PureLogs reads your password manager. And the C2 at 5.101.84.202 keeps answering requests until someone, somewhere, takes it down. For context on the wider 2026 phishing landscape, see Microsoft's Q1 2026 phishing report (8.3 billion threats, QR codes surging 146%).