
Introduction
A new malware campaign distributing a variant of the PureLogs infostealer has been uncovered, revealing a highly evasive infection chain built around phishing emails disguised as purchase orders. The attack chains malicious JavaScript, PowerShell execution, in-memory .NET loading and process hollowing into MSBuild.exe to silently compromise Windows systems. Security researchers from FortiGuard Labs report that the campaign is built for stealth, leaves almost no on-disk footprint after the first stage, and aims at large-scale credential and cryptocurrency theft, making it a serious threat to both enterprise and individual users.
Summary of the Original Report
The PureLogs infostealer variant has been actively distributed through phishing emails themed around fake purchase orders, where attackers rely on social engineering to trick victims into opening a RAR archive attachment. The email encourages the recipient to open what appears to be a legitimate purchase document, but the archive instead contains a malicious JavaScript file that starts the infection. In some cases, security filters such as FortiMail flagged the email as malicious and blocked delivery, but lab analysis confirmed the full execution chain in controlled environments.

Once executed, the JavaScript component decrypts embedded PowerShell commands and writes them into a randomly named .ps1 file in C:\Temp. It then launches that script with PowerShell's execution policy bypassed, no user profile loaded and the console window hidden (the equivalent of -ExecutionPolicy Bypass, -NoProfile and -WindowStyle Hidden), so nothing is shown to the user. The PowerShell payload carries Base64-encoded, XOR-rotated data that is decoded and executed entirely in memory; from this point on nothing further is written to disk.

Later stages extract .NET modules directly in memory and use them to perform process hollowing into MSBuild.exe, the Microsoft build engine shipped with the .NET Framework, so the malicious code runs inside a signed, trusted process. The embedded .NET loader decrypts additional components with DES, decompresses them in memory and then contacts a command-and-control server to download a plugin module identified as a fileless PureLogs variant. This module harvests system information, screenshots, clipboard content, browser credentials, cookies, session tokens, Discord authentication tokens and cryptocurrency wallet data, and it extracts stored credentials from widely used applications including Outlook, FileZilla, OpenVPN and ProtonVPN.
The malware targets a wide range of browsers including Chrome, Edge, Brave, Opera and Firefox, and it scans Discord directories for authentication tokens, which grant access to the account without the password. The stolen data is compressed, encrypted and exfiltrated to attacker-controlled infrastructure. The report recommends that organizations strengthen email filtering, restrict script execution, closely monitor PowerShell activity and process-injection behavior, and use the published indicators of compromise for detection and response.
What Undercode Say:
The PureLogs campaign is a textbook example of how modern infostealers have evolved beyond simple payload delivery into fully modular, fileless ecosystems. Each stage of the infection chain is deliberately designed to minimize forensic visibility while maximizing execution reliability inside trusted Windows components. The use of purchase order phishing emails highlights the continued effectiveness of business-themed social engineering, especially in environments where invoice workflows are routine and often automated. Attackers exploit this operational familiarity to bypass user skepticism, making the initial execution vector highly efficient.
The transition from JavaScript to PowerShell reflects a broader trend in living-off-the-land attacks, where adversaries rely on native system tools rather than dropping traditional executables. By running PowerShell with the execution policy bypassed and the window hidden, the malware sidesteps endpoint controls that rely on file-based signatures. One caveat matters for defenders: the chain is not entirely fileless. The randomly named .ps1 in C:\Temp is written to disk, and a script host (wscript.exe or cscript.exe) dropping and launching a .ps1 from that directory is itself a strong, cheap indicator. The encoding and encryption layers, including Base64 and XOR rotation, complicate static analysis and slow down incident response teams, but they are obfuscation rather than protection: the key has to be present in the script for the next stage to run.
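The XOR layer is only an obstacle until the key is known, and when the decoded stage is a PE the key can usually be derived from the ciphertext itself. The following is an added example written for this page, not code from FortiGuard's analysis or from the malware. It assumes the common scheme of a repeating multi-byte XOR key applied after Base64 decoding (the report does not document the exact rotation used), and it uses the standard DOS-header bytes of a Microsoft-linked PE as known plaintext. The blob, key and "PE" are constructed for the demonstration.

```python
import base64
from itertools import cycle
from typing import Optional, Tuple

# First 16 bytes of the DOS header as emitted by the Microsoft linker: "MZ",
# then e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss. Stable
# enough to serve as known plaintext whenever the decoded stage is a PE.
KNOWN_PE_PREFIX = bytes.fromhex("4D5A90000300000004000000FFFF0000")


def xor_rotate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: key[i % len(key)] is applied to byte i (assumed scheme).
    XOR is symmetric, so the same call packs and unpacks."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_stage(blob_b64: str, key: bytes) -> bytes:
    """Undo the two layers the report describes: Base64, then XOR."""
    return xor_rotate(base64.b64decode(blob_b64), key)


def recover_key(cipher: bytes, known: bytes = KNOWN_PE_PREFIX,
                max_len: Optional[int] = None) -> Optional[bytes]:
    """Known-plaintext key recovery for repeating-key XOR.

    cipher[i] ^ known[i] is the key byte used at position i. A key length k is
    accepted when the key it implies is consistent over the whole known prefix.
    max_len defaults to len(known) // 2 so every key byte is checked twice.
    """
    if len(cipher) < len(known):
        return None
    if max_len is None:
        max_len = len(known) // 2
    stream = bytes(c ^ p for c, p in zip(cipher, known))
    for k in range(1, max_len + 1):
        cand = stream[:k]
        if all(stream[i] == cand[i % k] for i in range(len(known))):
            return cand
    return None


def triage(blob_b64: str) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Decode Base64, try to recover the XOR key, return (key, plaintext)."""
    cipher = base64.b64decode(blob_b64)
    key = recover_key(cipher)
    if key is None:
        return None, None
    return key, xor_rotate(cipher, key)


# Constructed sample (not the real payload): a PE-shaped blob packed with a
# 5-byte key, exactly as a loader would embed it before Base64 encoding.
SAMPLE_KEY = bytes.fromhex("5A137E219C")
SAMPLE_STAGE = (KNOWN_PE_PREFIX + bytes(48)
                + b"This program cannot be run in DOS mode.\r\n$" + bytes(16))
SAMPLE_BLOB_B64 = base64.b64encode(xor_rotate(SAMPLE_STAGE, SAMPLE_KEY)).decode("ascii")

if __name__ == "__main__":
    key, stage = triage(SAMPLE_BLOB_B64)
    print("recovered key:", key.hex() if key else None)
    print("decoded stage starts with MZ:", bool(stage) and stage[:2] == b"MZ")
```

If the decoded stage is a script rather than a PE, swap `KNOWN_PE_PREFIX` for whatever the next stage is known to start with; the consistency check is what makes the recovered key trustworthy rather than a lucky two-byte match.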
The injection of .NET modules directly into memory represents a shift toward fully fileless malware design. This approach eliminates disk artifacts after the initial dropper, reducing the chances of detection by traditional antivirus solutions. Process hollowing into MSBuild.exe is particularly concerning because it abuses a signed Microsoft binary that is rarely blocked in enterprise environments. Microsoft's own recommended WDAC block rules list MSBuild.exe for exactly this reason, so endpoints that do not build software can block it outright; everywhere else, this technique lets attackers operate under the radar of behavior-based detection unless parent-child process relationships and command lines are monitored.
The use of DES encryption and in-memory decompression shows that attackers are balancing complexity with operational efficiency. DES is obsolete by cryptographic standards, but its strength is irrelevant here: the key is embedded in the loader, so the cipher only needs to hide the payload from casual inspection tools and string-based scanners. The communication with command-and-control infrastructure to fetch plugin modules indicates a modular architecture, meaning the initial infection is only a loader for more specialized capabilities that can be updated dynamically.
PureLogs itself is especially dangerous due to its broad data collection scope. By targeting browsers, communication apps like Discord, VPN clients and cryptocurrency wallets, it maximizes monetization opportunities for attackers. The theft of session tokens and cookies is particularly severe because it allows session hijacking without a password; multi-factor authentication was already satisfied when the session was created, so replaying the token sidesteps it entirely.
From a defensive standpoint, this campaign reinforces the importance of monitoring PowerShell execution patterns, restricting script environments, and implementing application allowlisting. Behavioral detection becomes critical because static signatures are ineffective against fileless and in-memory execution chains. Network monitoring for unusual C2 traffic patterns also plays a key role in early detection.
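The monitoring recommended above (and in the report's own guidance) comes down to two process-creation patterns that can be joined by parent PID: a script host launching PowerShell with the bypass, no-profile and hidden-window switches, and PowerShell then launching MSBuild.exe with nothing to build. The following detection logic is an added example written for this page, not code from FortiGuard Labs or from the published indicators. It assumes Sysmon Event ID 1 style fields (image, parent image, command line, PIDs); the sample telemetry is constructed, and the allow-listed build-tool parents are a starting point to tune rather than a vetted list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Parents that launch MSBuild.exe legitimately (assumed; tune for your build agents).
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}

# Switches used by the reported chain (-ExecutionPolicy Bypass, -NoProfile,
# -WindowStyle Hidden); each regex also accepts the abbreviated spellings.
PS_EVASION_FLAGS = {
    "execpolicy_bypass": re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I),
    "no_profile": re.compile(r"-(?:nop|noprofile)\b", re.I),
    "hidden_window": re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
}
TEMP_PS1 = re.compile(r"[a-z]:\\temp\\\S+\.ps1", re.I)
# A genuine MSBuild run names something to build; a bare image path does not.
MSBUILD_PROJECT_ARG = re.compile(r"\.(?:csproj|vbproj|proj|sln|targets|xml)\b", re.I)


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 / Security 4688 process-creation record."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: List[ProcEvent]) -> List[Dict]:
    by_pid = {ev.pid: ev for ev in events}
    findings: List[Dict] = []
    flagged_ps = set()

    # Pass 1: PowerShell launched the way the dropped .ps1 is launched.
    for ev in events:
        if _name(ev.image) not in POWERSHELL:
            continue
        flags = [k for k, rx in PS_EVASION_FLAGS.items() if rx.search(ev.cmdline)]
        from_script_host = _name(ev.parent_image) in SCRIPT_HOSTS
        temp_ps1 = TEMP_PS1.search(ev.cmdline) is not None
        # One switch is routine in admin scripts; two or more, combined with a
        # script-host parent or a C:\Temp script, is the stage the report describes.
        if len(flags) >= 2 and (from_script_host or temp_ps1):
            flagged_ps.add(ev.pid)
            findings.append({"rule": "script_host_to_powershell", "pid": ev.pid,
                             "parent": _name(ev.parent_image), "flags": flags,
                             "temp_ps1": temp_ps1})

    # Pass 2: MSBuild.exe with nothing to build, started by something other than a
    # build tool, is a hollowing candidate; tie it to pass 1 through the parent PID.
    for ev in events:
        if _name(ev.image) != "msbuild.exe":
            continue
        parent = by_pid.get(ev.ppid)
        parent_name = _name(parent.image) if parent else _name(ev.parent_image)
        if MSBUILD_PROJECT_ARG.search(ev.cmdline) or parent_name in DEV_PARENTS:
            continue
        rule = "purelogs_style_chain" if ev.ppid in flagged_ps else "msbuild_hollow_candidate"
        findings.append({"rule": rule, "pid": ev.pid, "parent": parent_name,
                         "cmdline": ev.cmdline})
    return findings


# Constructed sample telemetry (not from the report): one infection chain plus two
# benign look-alikes that a single-flag rule would have flagged.
SAMPLE_EVENTS = [
    ProcEvent(4100, 3000, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'wscript.exe "C:\Users\user\Downloads\PurchaseOrder.js"'),
    ProcEvent(4120, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe",
              r"powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File C:\Temp\qz8k1v.ps1"),
    ProcEvent(4140, 4120, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    ProcEvent(5200, 5100, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r"MSBuild.exe MyApp.sln /t:Build"),
    ProcEvent(5300, 5290, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run over real Sysmon exports, the two-pass structure matters: the MSBuild rule fires on its own as a lower-confidence candidate, and is upgraded to the full-chain rule only when its parent is a PowerShell process that already matched the first pattern.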
Ultimately, this attack reflects the ongoing industrialization of infostealer operations, where malware-as-a-service ecosystems continue to refine delivery, evasion, and data exfiltration techniques. Organizations that fail to adapt to behavior-based detection models will remain highly exposed to these evolving threats.
Fact Checker Results
✅ FortiGuard Labs analysis confirms multi-stage JavaScript to PowerShell infection chain
⚠️ Claims about encryption methods and process hollowing are technically plausible but depend on sandbox observation context
❌ No independent verification of campaign scale or victim count provided in the report
Prediction
This type of fileless infostealer campaign will likely expand further into automated phishing kits and AI-generated business email lures. Future variants are expected to reduce PowerShell visibility even further by integrating direct memory execution and kernel-level evasion techniques. Defensive tools will increasingly rely on behavioral AI detection to keep pace with these rapidly evolving modular malware frameworks.
References:
Reported By: www.infosecurity-magazine.com