Infosecurity-Magazine
Phishing Campaign Deploys PureLogs Variant via JavaScript and MsBuild Injection
A new phishing campaign has been identified that distributes a variant of the PureLogs infostealer malware through deceptive purchase-order-themed emails. The campaign utilizes a malicious JavaScript file contained in a RAR archive, which, when executed, decrypts and runs a PowerShell script. This script employs process hollowing to inject a .NET downloader into the legitimate MsBuild.exe process, allowing it to evade detection. The downloader retrieves a PureLogs plugin that collects sensitive data, including browser credentials, cryptocurrency wallet information, and application credentials. The attack primarily targets Windows users and leverages advanced evasion techniques to minimize detection risks. FortiGuard Labs has provided detailed analysis and indicators of compromise (IoCs) for this campaign. Organizations are advised to enhance email filtering, restrict script execution, and monitor for unusual PowerShell activity. The campaign has been confirmed to be active as of May 2026.
Key Points:
• The phishing campaign uses purchase-order emails to distribute PureLogs malware.
• Malicious JavaScript files execute PowerShell scripts that employ process hollowing.
• The PureLogs variant targets sensitive data from various applications and browsers.
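The delivery chain described above (JavaScript script host, then PowerShell, then a .NET downloader injected into MsBuild.exe) leaves a recognisable parent/child trail in process-creation telemetry, which is the "unusual PowerShell activity" the advisory suggests monitoring. The following Python is an added detection example written for this page, not code from Infosecurity Magazine or FortiGuard Labs; the events, field layout, paths and command lines are constructed samples, and the "MsBuild without a project argument" rule is a heuristic assumption rather than a documented campaign indicator.

```python
"""Process-tree heuristics for the PureLogs delivery chain described above.

Constructed process-creation events (not real telemetry) are scanned for the
relationships the campaign relies on: a script host (wscript/cscript) running
PowerShell, and PowerShell launching MsBuild.exe, the process the .NET
downloader is hollowed into. Field names loosely mirror Sysmon Event ID 1.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Constructed sample events: ProcessId|ParentProcessId|Image|CommandLine
# Events 1001-1004 model the phishing chain; 2001-2002 model a legitimate
# Visual Studio build so the rules can be checked for false positives.
SAMPLE_EVENTS = """\
1001|500|C:\\Windows\\explorer.exe|explorer.exe
1002|1001|C:\\Windows\\System32\\wscript.exe|wscript.exe "C:\\Users\\alice\\Downloads\\PO_4471.js"
1003|1002|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden -Command "<decrypted stage>"
1004|1003|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe|MSBuild.exe
2001|500|C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe|devenv.exe
2002|2001|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe|MSBuild.exe /t:Build "C:\\src\\app.csproj"
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Heuristic assumption: a genuine build passes MsBuild a project or solution.
PROJECT_SUFFIXES = (".csproj", ".vbproj", ".proj", ".sln", ".targets")


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        # ntpath handles Windows backslash paths even when run on Linux.
        return ntpath.basename(self.image).lower()


def parse_events(text: str) -> list[ProcessEvent]:
    """Parse the pipe-delimited constructed log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcessEvent(int(pid), int(ppid), image, cmdline))
    return events


def has_project_argument(cmdline: str) -> bool:
    """True if any command-line token names a project/solution file."""
    return any(tok.strip('"').lower().endswith(PROJECT_SUFFIXES)
               for tok in cmdline.split())


def detect(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule_name) findings for suspicious parent/child pairs."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Stage 1: the malicious .js runs PowerShell from a script host.
        if e.name in SHELLS and parent.name in SCRIPT_HOSTS:
            findings.append((e.pid, "script-host-spawned-powershell"))
        # Stage 2: PowerShell starts MsBuild.exe as the hollowing target.
        if e.name == "msbuild.exe":
            if parent.name in SHELLS | SCRIPT_HOSTS:
                findings.append((e.pid, "msbuild-spawned-by-shell"))
            if not has_project_argument(e.cmdline):
                findings.append((e.pid, "msbuild-without-project"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {rule}")
```

Process-creation events cannot see the hollowing itself (the unmapping and rewriting of MsBuild.exe's image happens inside an already-created process), so the rules key on the launch context instead: MsBuild.exe started by a shell or script host, and started without a project file, is rare outside an attack chain like this one, while the devenv.exe-parented build in the sample produces no finding.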