PureLogs Variant Steals Data via Purchase Order Lures


Infosecurity Magazine, May 27, 2026

Why It Matters

The campaign targets both corporate and consumer credentials, including crypto wallets, raising the risk of financial loss and data breaches. Detecting this fileless, multi‑stage infection chain is critical for organizations to prevent stealthy exfiltration.

Key Takeaways

  • Purchase‑order phishing emails deliver malicious JavaScript in RAR archives.
  • The JavaScript decrypts a PowerShell stage, which loads the payload into MsBuild.exe via process hollowing.
  • The PureLogs module steals browser data, Discord tokens, and crypto wallet files.
  • FortiGuard advises email filtering, script restrictions, and PowerShell monitoring.

Pulse Analysis

Fileless malware has become a preferred weapon for threat actors because it leaves few artifacts on disk, making traditional antivirus solutions less effective. By embedding malicious code in seemingly innocuous purchase‑order emails, attackers exploit the trust businesses place in routine procurement communications. The use of a compressed RAR archive adds an extra layer of obfuscation, allowing the initial JavaScript payload to slip past many gateway filters that focus on executable attachments. This tactic reflects a broader shift toward socially engineered lures that blend business relevance with technical stealth.

The infection chain observed by FortiGuard Labs is notably sophisticated. Once the recipient extracts the archive, the JavaScript decrypts a Base64‑encoded PowerShell script, writes it to a randomly named .ps1 file in C:\Temp, and executes it with an execution‑policy bypass and a hidden window. The PowerShell stage then decodes and XOR‑rotates the encrypted payloads, loading two .NET modules directly into memory. Using process hollowing, the malicious code runs inside MsBuild.exe, a legitimate Windows utility, and so evades process‑based detection. The final PureLogs module harvests a wide array of data—system screenshots, clipboard contents, browser cookies, Discord authentication tokens, and cryptocurrency wallet files—compresses and encrypts the collection, and exfiltrates it to a command‑and‑control server.

For enterprises, the key takeaway is the necessity of layered defenses. Email security gateways must be tuned to detect anomalous RAR attachments and purchase‑order language patterns, while endpoint protection should monitor for PowerShell executions that use execution‑policy bypass or spawn hidden windows. Process‑behavior analytics can flag unexpected use of MsBuild.exe for code injection. Additionally, organizations should enforce least‑privilege scripting policies and regularly audit credential stores, especially those tied to cryptocurrency wallets. Proactive threat‑intel sharing of Indicators of Compromise (IoCs) further strengthens collective resilience against evolving infostealer campaigns.
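As an added illustration of the endpoint monitoring described above (not code from the article or from FortiGuard), the following Python triage script runs a few rules over constructed process-creation records in the chain's shape: PowerShell spawned by a script host, PowerShell launched with both an execution-policy bypass and a hidden window, a .ps1 under C:\Temp, and MsBuild.exe spawned by PowerShell. The pipe-delimited `parent|image|command_line` record format and the sample events are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed process-creation records (parent image | image | command line).
# They are not real telemetry; they mimic the chain the article describes,
# plus two benign events that the rules should leave alone.
SAMPLE_EVENTS = [
    "explorer.exe|winrar.exe|C:\\Program Files\\WinRAR\\WinRAR.exe PO_4471.rar",
    "explorer.exe|wscript.exe|wscript.exe C:\\Users\\acct\\Downloads\\PO_4471.js",
    "wscript.exe|powershell.exe|powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Temp\\k3j9x.ps1",
    "powershell.exe|MSBuild.exe|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
    "devenv.exe|MSBuild.exe|MSBuild.exe build.proj",                      # benign developer build
    "explorer.exe|powershell.exe|powershell.exe -File C:\\Scripts\\inventory.ps1",  # benign admin script
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# PowerShell accepts unambiguous prefixes of parameter names, so match
# -ep / -exec / -ExecutionPolicy and -w / -win / -WindowStyle alike.
BYPASS_RE = re.compile(r"-(?:ep|ex\w*)\s+bypass", re.I)
HIDDEN_RE = re.compile(r"-w(?:i\w*)?\s+hidden", re.I)
TEMP_PS1_RE = re.compile(r"c:\\temp\\[^\s\"']+\.ps1", re.I)


def classify(event: str) -> List[str]:
    """Return the names of the rules a single record trips (empty if none)."""
    parent, image, cmd = [field.lower() for field in event.split("|", 2)]
    hits: List[str] = []
    if image == "powershell.exe":
        if parent in SCRIPT_HOSTS:
            hits.append("powershell_from_script_host")
        if BYPASS_RE.search(cmd) and HIDDEN_RE.search(cmd):
            hits.append("powershell_bypass_hidden")
        if TEMP_PS1_RE.search(cmd):
            hits.append("ps1_in_c_temp")
    if image == "msbuild.exe" and parent == "powershell.exe":
        hits.append("msbuild_spawned_by_powershell")
    return hits


def triage(events: List[str]) -> Dict[str, List[str]]:
    """Group matching records by rule name so an analyst sees the chain as a whole."""
    findings: Dict[str, List[str]] = {}
    for event in events:
        for rule in classify(event):
            findings.setdefault(rule, []).append(event)
    return findings


if __name__ == "__main__":
    for rule, matched in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(matched)} record(s)")
```

Each rule on its own is noisy in a developer-heavy estate; correlating them on one host within a short window is what turns this into a high-confidence alert.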
