Canndelta ClickFix Campaign Abusing Donut Shellcode to Deploy PureLogs Stealer

    Date: 06/03/2026

    Severity: High

    Summary

    This research analyzes a ClickFix campaign leveraging the spoofed licensing-themed website canndelta.com to deliver the PureLogs stealer through malicious PowerShell commands. The attack uses Donut shellcode, fileless execution, RWX memory allocation, and in-memory .NET assembly loading to evade detection. Once executed, PureLogs steals browser credentials, Windows secrets, cryptocurrency wallet data, password manager information, and session tokens. The malware also establishes TCP-based C2 communication to exfiltrate stolen data and receive attacker-controlled configurations.

    Indicators of Compromise (IOC) List

    Domain / URL :

    https://canndelta.com

    http://158.94.208.104/x7GkP2mQ9zL4/my_new_l.bin

    http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin

    IP Address:

    178.16.52.232

    158.94.208.92

    Hash (SHA-256) :

    0099deccd390e229895d0c508882632569f9533e42d33a675885ee7f4f5164f3

    61b453cfedc6c67d9744b963bc3cabbee33f53606fdbf80da04bc3d4c93eb4fb

    9bb96fa6aee45120d14660506320932691310adef4353e684775f590a17c22fc

    ac86d43aa69faf616e7d82732c2138edf7f6e239c05cfca3b85b820aa3f3ec5a

    670dfec73872afec18093e8425fb07cc8aab9f4a838995333419d0298c73a5a2

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin" or url like "http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin" or siteurl like "http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin" or domainname like "http://158.94.208.104/x7GkP2mQ9zL4/my_new_l.bin" or url like "http://158.94.208.104/x7GkP2mQ9zL4/my_new_l.bin" or siteurl like "http://158.94.208.104/x7GkP2mQ9zL4/my_new_l.bin" 

    Detection Query 2 :

    dstipaddress IN ("178.16.52.232") or srcipaddress IN ("178.16.52.232") or dstipaddress IN ("158.94.208.92") or srcipaddress IN ("158.94.208.92")

    Detection Query 3 :

    sha256hash IN ("9bb96fa6aee45120d14660506320932691310adef4353e684775f590a17c22fc","ac86d43aa69faf616e7d82732c2138edf7f6e239c05cfca3b85b820aa3f3ec5a","670dfec73872afec18093e8425fb07cc8aab9f4a838995333419d0298c73a5a2")
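    The three detection queries above are plain IOC lookups over URL, IP and hash fields. The following is an added example, not part of the original advisory or of Gurucul's TDIR product, that applies the same field-to-IOC mapping to JSON-formatted log lines. It assumes log records carry the same field names the queries use (domainname, url, siteurl, dstipaddress, srcipaddress, sha256hash); the sample log lines are constructed for the example. It goes slightly beyond Query 3 in that it matches all five SHA-256 hashes from the IOC list rather than the three named in the query, and it lowercases hash values before comparison so that uppercase hex from an EDR export still matches.

```python
import json
from typing import Dict, Iterable, List

# IOC values exactly as listed on this advisory page.
IOC_URLS = {
    "http://158.94.208.104/x7GkP2mQ9zL4/my_new_l.bin",
    "http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin",
}
IOC_IPS = {"178.16.52.232", "158.94.208.92"}
IOC_SHA256 = {
    "0099deccd390e229895d0c508882632569f9533e42d33a675885ee7f4f5164f3",
    "61b453cfedc6c67d9744b963bc3cabbee33f53606fdbf80da04bc3d4c93eb4fb",
    "9bb96fa6aee45120d14660506320932691310adef4353e684775f590a17c22fc",
    "ac86d43aa69faf616e7d82732c2138edf7f6e239c05cfca3b85b820aa3f3ec5a",
    "670dfec73872afec18093e8425fb07cc8aab9f4a838995333419d0298c73a5a2",
}

# (query number, log fields the query inspects, IOC set, case-fold before compare?)
# The field names and numbering mirror Detection Queries 1-3 above.
# Hashes are case-folded; URLs are not, because the path segment is case-sensitive.
QUERIES = (
    (1, ("domainname", "url", "siteurl"), IOC_URLS, False),
    (2, ("dstipaddress", "srcipaddress"), IOC_IPS, False),
    (3, ("sha256hash",), IOC_SHA256, True),
)


def match_record(record: Dict[str, str]) -> List[Dict[str, object]]:
    """Return one hit per (query, field) whose value is in that query's IOC set."""
    hits: List[Dict[str, object]] = []
    for query_id, fields, iocs, fold in QUERIES:
        for field in fields:
            value = record.get(field)
            if not isinstance(value, str):
                continue
            normalized = value.strip()
            if fold:
                normalized = normalized.lower()
            if normalized in iocs:
                hits.append({"query": query_id, "field": field, "value": value})
    return hits


def scan_logs(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse JSON log lines, skip malformed ones, and collect IOC hits with line numbers."""
    results: List[Dict[str, object]] = []
    for line_no, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            continue  # unparseable line: skip rather than abort the whole scan
        if not isinstance(record, dict):
            continue
        for hit in match_record(record):
            hit["line"] = line_no
            results.append(hit)
    return results


# Constructed sample log lines (not real telemetry): proxy, firewall and EDR style records.
SAMPLE_LOGS = [
    '{"url": "http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin", "srcipaddress": "10.0.0.5"}',
    '{"srcipaddress": "10.0.0.7", "dstipaddress": "178.16.52.232"}',
    '{"sha256hash": "0099deccd390e229895d0c508882632569f9533e42d33a675885ee7f4f5164f3"}',
    '{"url": "https://example.com/index.html", "dstipaddress": "203.0.113.10"}',
    'not json at all',
    '{"sha256hash": "AC86D43AA69FAF616E7D82732C2138EDF7F6E239C05CFCA3B85B820AA3F3EC5A"}',
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: query {hit['query']} matched {hit['field']}={hit['value']}")
```

    Running the block prints four hits (lines 1, 2, 3 and 6); the benign record on line 4 and the malformed line 5 produce nothing. Note that the URL IOCs point at 158.94.208.104 while the IP Address list names 158.94.208.92 and 178.16.52.232, so a record that only logs the download host's IP is caught by neither Query 1 nor Query 2 as written; a deployment may want to add the URL host to its IP watch list.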

    Reference:

    https://gurucul.com/blog/canndelta-clickfix-campaign-abusing-donut-shellcode-to-deploy-purelogs-stealer/


    Tags

    Malware, Threat Actor, ClickFix, Stealer, Social Engineering, LOLBins, cryptocurrency, Shellcode, Exfiltration
