"This campaign demonstrates a sophisticated multi-stage attack chain that begins with a phishing email delivering a malicious JavaScript file. The JavaScript decrypts and executes a PowerShell script that uses process hollowing to inject a .NET downloader module into a trusted Windows process (MsBuild.exe). The downloader module communicates with a remote C2 server to fetch and execute additional plugin modules, allowing the attacker to adapt the malware’s post-compromise behavior." — FortiGuard Labs
FortiGuard Labs lays out a staged, deceptive entry
Research from FortiGuard Labs describes a phishing campaign that starts with emails masquerading as purchase orders and delivers a malicious JavaScript attachment. According to the lab, the JavaScript decrypts and executes a PowerShell script; that PowerShell uses process hollowing to place a .NET downloader inside MsBuild.exe, a trusted Windows process. From there the downloader contacts a remote command-and-control (C2) server to retrieve modular plugins, giving attackers flexible post-compromise options.
Three evasive techniques that frustrate signature-based controls
FortiGuard Labs highlights the specific techniques that make this campaign difficult to detect with conventional, signature-based defenses:
- Several encryption layers that obscure payloads and commands.
- Fileless execution that minimizes artifacts written to disk.
- Process hollowing to implant a .NET downloader into MsBuild.exe and mask malicious behavior inside a legitimate process.
Those three tactics combine to hide the attack at multiple points: initial delivery, in-memory execution, and during post-compromise communications. The result, per the research, is an adaptable malware chain that blends into normal Windows activity.
Security leaders: the attack is technical, social and cross-device
Kern Smith, Senior Vice President of Global Solutions Engineering at Zimperium, framed the campaign as broader than the endpoint: "Attackers increasingly rely on social engineering and multi-stage attack chains that begin wherever users are most active, and increasingly, that starts on mobile devices through email, messaging platforms, and collaboration tools." He urged organizations to look beyond endpoint telemetry and to correlate signals across mobile devices, applications and endpoints, adding that AI-empowered security capabilities can reduce investigation time and clarify response paths.
Jason Soroko, Senior Fellow at Sectigo, emphasized the fileless and evasive nature of the chain. He noted FortiGuard Labs' finding of a "JavaScript-driven phishing campaign, deploying a PureLogs variant," and said attackers are "hiding the payload in an archive disguised as a purchase order, exploiting routine business workflows." Soroko underscored that injecting a downloader into MsBuild.exe and layering encryption complicates detection and enables dynamic post-compromise control.
Maxime Cartier, Vice President of Human Risk at Hoxhunt, shifted the focus to behavior: "Historically, risky behavior and the human element have been linked to up to 90% of breaches" and many barriers to security are "behavioral, not technical." Cartier urged security awareness and Human Risk Management teams to communicate risk in ways that help people act and to collaborate with vulnerability management teams to improve remediation outcomes.
What this means for technologists, developers/admins/IT ops, and human risk teams
- Technologists and security teams: FortiGuard Labs' technical account—JavaScript to PowerShell to in-memory process hollowing—means detection approaches that rely solely on signatures or disk artifacts will miss portions of the chain. Security leaders in the report recommend correlating cross-device signals and adopting behavior-focused detection capabilities.
- Developers, admins and IT operations: The campaign exploits routine business workflows—purchase-order attachments and trusted framework components such as MsBuild.exe—so these groups should expect attackers to continue blending malicious actions with legitimate administrative tools and processes.
- Human Risk Management and vulnerability teams: The research and commentary tie social engineering directly to technical compromise. Hoxhunt's Maxime Cartier calls for clearer communication and joint work between awareness programs and vulnerability management to improve remediation outcomes and reduce the human friction that enables phishing to succeed.
Windows users remain the primary target; enterprises face a tougher detection problem
FortiGuard Labs explicitly names Windows users as the primary target and describes a campaign that leverages everyday business behaviors—opening purchase-order archives—into a sophisticated, multi-stage compromise. The combination of layered encryption, fileless execution, and process hollowing means the campaign is designed to evade conventional signatures and to adapt after initial access via modular plugins fetched from a C2 server.
The security leaders quoted in the research converge on two practical conclusions found in the source: defenders should extend visibility beyond the endpoint to include mobile and collaboration platforms, and teams should strengthen behavioral, cross-signal detection while improving how human-focused programs cooperate with technical remediation efforts. Taken together, those steps respond directly to the chain FortiGuard Labs documented—but the research leaves clear one fact from the source as the campaign’s enduring implication: attackers are refining ways to make a single click on a purchase-order attachment lead to a stealthy, persistent foothold inside trusted Windows processes.




