
New Phishing Campaign Distributes PureLogs Malware via Purchase Orders

Severity: High (Score: 66.0)

Sources: Infosecurity-Magazine, www.fortinet.com

Published: 2026-05-27 · Updated: 2026-05-27

Keywords: purelogs, phishing, javascript, variant, data, windows, campaign

Severity indicators: sensitive data

Summary

A phishing campaign has been identified distributing a variant of the PureLogs infostealer through purchase-order-themed emails. The campaign targets Windows users and uses an obfuscated JavaScript file to start a multi-stage infection chain. The lure email, whose subject line is marked "virus detected", urges the recipient to open an attached RAR archive containing the JavaScript file. When run, the JavaScript decrypts embedded PowerShell code and writes it to a randomly named .ps1 file in C:\Temp. That PowerShell script runs the remaining stages filelessly and ends in a PureLogs variant that harvests sensitive data, including browser credentials and cryptocurrency wallet information. FortiGuard Labs, which documented the campaign, advises organizations to filter inbound mail for such attachments and to monitor for unusual PowerShell activity. The threat is rated high because of the breadth of credential and wallet data the stealer collects.

Key Points:
  • Phishing emails disguise the malware as purchase orders to trick users.
  • Malicious JavaScript initiates a multi-stage infection chain on Windows systems.
  • The PureLogs variant targets sensitive data from many browsers and applications.

Detailed Analysis

**Impact**

Windows users are targeted by purchase-order-themed emails that deliver a PureLogs variant. The malware collects system details, screenshots, browser credentials, cookies, session tokens, Discord authentication data, cryptocurrency wallet files, and credentials from applications such as Outlook and ProtonVPN. Because it covers a long list of Chromium- and Firefox-based browsers (see Related entities), any organization running Windows endpoints is exposed. No specific geographic or sectoral targeting was reported.

**Technical Details**

The attack begins with a phishing email carrying a RAR archive that contains an obfuscated JavaScript file. Executing the JavaScript under the Windows script host decrypts a PowerShell script, writes it to a randomly named .ps1 in C:\Temp and runs it with the execution policy bypassed. The PowerShell stage works filelessly: it uses process hollowing to inject .NET modules into MsBuild.exe, a signed Microsoft binary. The injected downloader module decrypts and decompresses the PureLogs variant, which then contacts its C2 server to fetch plugins used for data collection and exfiltration. Indicators of compromise include the malicious JavaScript file name (kpankocrs.js), randomly named PowerShell scripts in C:\Temp and the SHA256 hashes listed under Related entities; the process-hollowing API sequence targeting MsBuild.exe is a behavioural indicator rather than a file IoC. No CVE is involved. The only routable network indicator carried on this page is 77.83.39.211; the other listed address, 192.168.10.1, is an RFC 1918 private address and is not actionable.

**Recommended Response**

Enforce strict email filtering to block phishing messages, especially those with archive attachments or subject lines marked "virus detected." Restrict or monitor PowerShell script execution, and treat the execution policy as a usability setting rather than a security control: -ExecutionPolicy Bypass defeats it from the command line, so detections must key on the bypass flag itself and on scripts executed from C:\Temp. Where business use allows, neutralize wscript.exe and cscript.exe for user-delivered scripts, for example by reassociating .js and .jse files with a text editor or blocking the script hosts through application control. Deploy detections for process-hollowing behaviour and for MsBuild.exe launched by PowerShell or making outbound connections. Use the IoCs published by FortiGuard Labs to block known files and C2 communications, and monitor for unusual exfiltration patterns and credential-theft indicators.
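The detection recommendations above translate into a small amount of hunting logic. The Python below is an added example written for this page, not code from FortiGuard Labs or Fortinet. It runs over constructed Sysmon-style process-creation records (not real telemetry) and flags each stage of the described chain: a script host (wscript.exe or cscript.exe) spawning PowerShell, PowerShell invoked with an execution-policy bypass, a randomly named .ps1 executed from C:\Temp, and MsBuild.exe spawned by PowerShell. A separate check matches file hashes against the SHA256 values listed under Related entities. The event field names, the sample command lines, the random-name heuristic and the pairing of a listed hash with a particular file are all assumptions.

```python
import re
from dataclasses import dataclass

# SHA256 values listed on this page. Which file each hash belongs to is not
# stated there; the pairing used in SAMPLE_FILE_HASHES below is constructed.
IOC_SHA256 = {
    "670384FAFB23140D96F2F8FE04A13FC8CC8E2A6E5E8C973E39B58D103C5FEA92",
    "B90988400CCED319D260C4937F334ECC364785ED5C593CD2139965E62CA58173",
    "E20B35A8C30E076CDD0E1DF05BA1FF2E418DBD39A674F084787CC0AF2FDA9E95",
}
IOC_JS_NAME = "kpankocrs.js"  # JavaScript dropper file name from the report

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# -ExecutionPolicy Bypass and the abbreviations PowerShell accepts (-ep, -ex, -exec)
EP_BYPASS = re.compile(r"-e(?:x(?:ec(?:utionpolicy)?)?|p)\s+bypass", re.IGNORECASE)
# A .ps1 directly under C:\Temp whose stem is an alphanumeric token of 6+ chars,
# i.e. the randomly named script the dropper writes (heuristic, assumed)
TEMP_PS1 = re.compile(r"c:\\temp\\[a-z0-9]{6,}\.ps1\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal subset of a Sysmon Event ID 1 (process create); field names assumed."""
    image: str
    command_line: str
    parent_image: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the detection names that fire for one process-creation event."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img in SCRIPT_HOSTS and IOC_JS_NAME in ev.command_line.lower():
        hits.append("known_js_dropper_name")
    if img in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawned_powershell")
    if img in POWERSHELL and EP_BYPASS.search(ev.command_line):
        hits.append("powershell_executionpolicy_bypass")
    if img in POWERSHELL and TEMP_PS1.search(ev.command_line):
        hits.append("powershell_random_ps1_in_c_temp")
    if img == "msbuild.exe" and parent in POWERSHELL:
        hits.append("msbuild_spawned_by_powershell")
    return hits


def detect(events):
    """Run classify over one host's events; map detection name -> offending command lines."""
    found = {}
    for ev in events:
        for name in classify(ev):
            found.setdefault(name, []).append(ev.command_line)
    return found


def chain_observed(found):
    """True when the chain is seen end to end: script host -> PowerShell -> MsBuild."""
    return {"script_host_spawned_powershell", "msbuild_spawned_by_powershell"} <= set(found)


def hash_hits(file_hashes):
    """file_hashes: {path: sha256} from an EDR or file-integrity feed (source assumed).
    Returns the paths whose hash matches a published IoC."""
    return {path for path, digest in file_hashes.items() if digest.upper() in IOC_SHA256}


# Constructed sample telemetry mirroring the reported chain, plus one benign event.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\PO-2026\kpankocrs.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(PS_EXE,
              r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Temp\qzr8tlc.ps1",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
              PS_EXE),
    ProcEvent(PS_EXE,  # benign: scheduled backup script, no bypass, not in C:\Temp
              r"powershell.exe -File C:\Scripts\backup.ps1",
              r"C:\Windows\System32\svchost.exe"),
]
# Constructed file-hash feed; the .js hash is taken from the page's IoC list,
# the backup script gets a placeholder digest that matches nothing.
SAMPLE_FILE_HASHES = {
    r"C:\Users\alice\Downloads\PO-2026\kpankocrs.js":
        "670384fafb23140d96f2f8fe04a13fc8cc8e2a6e5e8c973e39b58d103c5fea92",
    r"C:\Scripts\backup.ps1": "00" * 32,
}

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for name, cmds in sorted(hits.items()):
        print(f"{name}: {cmds}")
    print("full chain observed:", chain_observed(hits))
    print("hash matches:", hash_hits(SAMPLE_FILE_HASHES))
```

The parent-child checks are the durable part: file names and hashes change between waves, but a script host spawning PowerShell and PowerShell spawning MsBuild.exe are rare in ordinary user sessions and survive the renaming of the dropper. The random-name regex is deliberately narrow to C:\Temp and should be tuned to whatever legitimate automation writes there in a given environment.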

Source articles (2)

  • PureLogs Variant Steals Data via Purchase Order Lures — Infosecurity-Magazine · 2026-05-27
    A variant of the PureLogs infostealer malware has been distributed through purchase-order-themed phishing emails that use a malicious JavaScript file to launch a multi-stage infection chain on Windows…
  • Phishing Campaign Deploys Javascript Driven Purelogs Variant To Steal Sensitive Data — www.fortinet.com · 2026-05-27
    A new phishing campaign uses obfuscated JavaScript, PowerShell, and process hollowing to deploy PureLogs malware and steal sensitive data Affected Platforms: Microsoft Windows Impacted Users: Windows…

Timeline

  • 2026-05-27 — Phishing campaign identified: FortiGuard Labs reported a new phishing campaign distributing PureLogs malware via deceptive purchase-order emails.
  • 2026-05-27 — Infection chain documented: the JavaScript file decrypts PowerShell code and executes it from a randomly named .ps1 file in C:\Temp.
  • 2026-05-27 — Data collection described: the PureLogs variant collects sensitive data including browser credentials and cryptocurrency wallet files.

Related entities

  • Malware (Attack Type)
  • Phishing (Attack Type)
  • 192.168.10.1 (Ipv4; RFC 1918 private address as listed by the source, not an actionable external indicator)
  • 77.83.39.211 (Ipv4)
  • Purelogs (Malware)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1055 - Process Injection (Mitre Attack)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1105 - Ingress Tool Transfer (Mitre Attack)
  • T1555.003 - Credentials From Web Browsers (Mitre Attack)
  • T1566.001 - Spearphishing Attachment (Mitre Attack)
  • 360 Browser (Platform)
  • 360 Extreme Browser (Platform)
  • 360 Secure Browser (Platform)
  • 7Star (Platform)
  • AcWebBrowser (Platform)
  • Amigo (Platform)
  • Atom Browser (Platform)
  • Avast Secure Browser (Platform)
  • AVG Secure Browser (Platform)
  • Baidu Spark Browser (Platform)
  • Basilisk (Platform)
  • BitTube Browser (Platform)
  • BlackHawk (Platform)
  • Blisk (Platform)
  • Brave Browser (Platform)
  • Bromium (Platform)
  • CCleaner Browser (Platform)
  • Cent Browser (Platform)
  • Chedot (Platform)
  • ChromePlus (Platform)
  • Chromium (Platform)
  • Chromodo (Platform)
  • Citrio (Platform)
  • CocCoc Browser (Platform)
  • Comodo Dragon (Platform)
  • Comodo IceDragon (Platform)
  • CoolNovo (Platform)
  • Coowon (Platform)
  • CryptoTab Browser (Platform)
  • Cyberfox (Platform)
  • Elements Browser (Platform)
  • Epic Privacy Browser (Platform)
  • Falkon (Platform)
  • Garena Browser (Platform)
  • Ghost Browser (Platform)
  • Go! Browser (Platform)
  • Insomniac Browser (Platform)
  • Iridium Browser (Platform)
  • ITop Private Browser (Platform)
  • Kinza (Platform)
  • K-Meleon (Platform)
  • Kometa (Platform)
  • Lenovo SLBrowser (Platform)
  • LibreWolf (Platform)
  • Liebao Browser (Platform)
  • Maxthon (Platform)
  • Mercury Browser (Platform)
  • Microsoft Edge (Platform)
  • Microsoft Windows (Platform)
  • Mozilla Firefox (Platform)
  • Flock (Company)
  • Google Chrome (Tool)
  • MSBuild (Tool)
  • PowerShell (Tool)
  • 670384FAFB23140D96F2F8FE04A13FC8CC8E2A6E5E8C973E39B58D103C5FEA92 (Sha256)
  • B90988400CCED319D260C4937F334ECC364785ED5C593CD2139965E62CA58173 (Sha256)
  • E20B35A8C30E076CDD0E1DF05BA1FF2E418DBD39A674F084787CC0AF2FDA9E95 (Sha256)