Close Menu
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
What's Hot

Solo Home Miner Wins $200,000 With a $150 Mining Device

July 13, 2026

Singapore Police, Crypto Exchanges Prevent $4.2M in Scam Losses, Coinbase Helps Reach 145+ Victims

July 13, 2026

Metaplanet explores bringing bitcoin-backed digital credit to Japan

July 13, 2026
Facebook X (Twitter) Instagram
Recession Profit AlertsRecession Profit Alerts
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
Recession Profit AlertsRecession Profit Alerts
Home»Security»PureLogs Variant Steals Data via Purchase Order Lures
PureLogs Variant Steals Data via Purchase Order Lures
Security

PureLogs Variant Steals Data via Purchase Order Lures

May 27, 2026No Comments3 Mins Read

A variant of the PureLogs infostealer malware has been distributed through purchase-order-themed phishing emails that use a malicious JavaScript file to launch a multi-stage infection chain on Windows systems.

According to new analysis from FortiGuard Labs, the campaign uses a fake purchase order message with an attached RAR archive.

The archive contains a malicious JavaScript file used to begin the execution chain.

JavaScript and PowerShell Execution

The phishing email tells the recipient to open the archive to view the supposed purchase order.

FortiGuard Labs said the email was marked “virus detected” in the subject field and blocked by FortiMail, preventing delivery in the analyzed case.

In a lab environment, FortiGuard Labs observed that, once executed, the JavaScript file decrypted PowerShell code and wrote it to a randomly named .ps1 file in the C:\Temp folder.

The script was then run through PowerShell.exe with execution policy bypassed, no profile loaded and the window hidden.

Read more on PowerShell-based malware: Fake Gemini and Claude Code Sites Spread Infostealers Through SEO Poisoning

The dropped PowerShell file contained Base64-encoded and encrypted data. FortiGuard Labs said it decoded the content, decrypted it with an XOR-with-rotation method and executed the result as a fileless PowerShell script.

That script extracted two .NET modules in memory and used process hollowing to run the payload inside MsBuild.exe, a legitimate Windows process, rather than launching the malware as a standalone executable.

PureLogs Targets Credentials and Wallets

The injected .NET module loaded a downloader component from an embedded resource, decrypted it using the Data Encryption Standard (DES) and decompressed it in memory. The downloader then contacted a command-and-control (C2) server and requested a plugin module.

See also  The Meltdown Of The Old Order Foretells A New Crisis

FortiGuard Labs identified the downloaded plugin as a fileless PureLogs variant. The module is designed to collect sensitive data from infected systems before compressing, encrypting and sending it back to the C2 server.

Collected data includes:

  • System details and screenshots

  • Clipboard contents

  • Browser credentials, cookies and session tokens

  • Discord authentication data

  • Cryptocurrency wallet files and keys

  • Credentials from applications, including Outlook, FileZilla, OpenVPN and ProtonVPN

The PureLogs module targeted a wide range of browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Yandex Browser, Mozilla Firefox, Waterfox and LibreWolf. It also scanned Discord directories for tokens that could allow account access without the victim’s password.

The report advised organizations to enforce email filtering, restrict unnecessary script execution and monitor for anomalous PowerShell activity and process hollowing. FortiGuard Labs also published indicators of compromise (IoCs) and detection details for the campaign.

Source link

Data lures Order Purchase PureLogs Steals Variant

Related Posts

Singapore Police, Crypto Exchanges Prevent $4.2M in Scam Losses, Coinbase Helps Reach 145+ Victims

July 13, 2026

Hedera Confirms Bonzo Lend Exploit Not a Network Issue, Mainnet Remains Stable

July 12, 2026

Hong Kong Clearing exposes fake crypto wallet scam using cash rewards

July 12, 2026

Suspected Hedera exploit sends over $5.8M to Ethereum as HBAR slips

July 12, 2026
Top Posts

FLOKI Price Prediction: Q3 Window Is Open — But the August Rally Depends on One Thing

July 5, 2026

LDO Price Prediction: $0.44 Target by June as Staking Momentum Builds

May 7, 2026

Fool Me Once? Shame On You. Fool Me 39 Times…?

June 12, 2026

Type above and press Enter to search. Press Esc to cancel.