Skip to main content
Emerging ThreatsMalware & Ransomware

PureLogs Infostealer Exploits Purchase Order Phishing Lures

Office worker's desk with laptop, purchase order, and suspicious files.

“The phishing email was marked 'virus detected' in the subject field and blocked by FortiMail,” FortiGuard Labs reported — an indication that a familiar lure and a simple archive can still carry a sophisticated, fileless infostealer that exfiltrates credentials and cryptocurrency keys.

Delivery: purchase-order lures and a RAR attachment

FortiGuard Labs analysed a campaign that delivers a PureLogs variant using a purchase-order-themed phishing e‑mail. The message instructs recipients to open an attached RAR archive to view a supposed purchase order. Inside that archive sits a malicious JavaScript file that begins a multi-stage infection chain when executed.

In the specific sample the researchers examined, the email’s subject line contained the text “virus detected” and FortiMail prevented delivery. FortiGuard Labs published indicators of compromise (IoCs) and detection details for the campaign.

Execution chain: JavaScript, PowerShell, memory-only .NET modules and process hollowing

FortiGuard Labs observed the following sequence in a laboratory analysis. The malicious JavaScript decrypts PowerShell code and writes it to a randomly named .ps1 file in C:\Temp. That PowerShell script is run via PowerShell.exe with execution policy bypassed, no profile loaded and the window hidden.

The dropped .ps1 contained Base64‑encoded and encrypted content. FortiGuard Labs decoded that content, decrypted it using an XOR-with-rotation method, and executed the result as a fileless PowerShell script. That memory-resident script then extracted two .NET modules into memory and used process hollowing to run the payload inside MsBuild.exe — a legitimate Windows process — instead of launching a standalone executable.

PureLogs capabilities: what the module collects and how it communicates

FortiGuard Labs identified the downloaded plugin as a fileless PureLogs variant. The injected .NET module loaded a downloader component from an embedded resource, decrypted it with the Data Encryption Standard (DES) and decompressed it in memory. The downloader contacted a command-and-control (C2) server and requested a plugin module, which was returned and executed in memory.

FortiGuard Labs says the PureLogs module is designed to collect a broad set of sensitive material, compress and encrypt it, then send it to the C2 server. Items listed in the report include:

  • System details and screenshots
  • Clipboard contents
  • Browser credentials, cookies and session tokens
  • Discord authentication data and token files that can allow account access without a password
  • Cryptocurrency wallet files and keys
  • Credentials from applications including Outlook, FileZilla, OpenVPN and ProtonVPN

The module targets a wide range of browsers: Google Chrome, Microsoft Edge, Brave, Opera, Yandex Browser, Mozilla Firefox, Waterfox and LibreWolf, according to FortiGuard Labs.

Mitigations FortiGuard Labs recommends

FortiGuard Labs advised several defensive measures based on its analysis. Primary recommendations include enforcing email filtering to block malicious delivery, restricting unnecessary script execution (JavaScript and PowerShell), and monitoring for anomalous PowerShell activity and signs of process hollowing. The researchers also published IoCs and detection details to support detection and response.

What this means for security teams, procurement leaders, and end users

Security teams should watch for the specific behaviours FortiGuard Labs observed: archives containing JavaScript, PowerShell scripts written to temporary folders, Base64 and XOR-with-rotation decoding activity, in-memory .NET module extraction, DES-decrypted downloader code, and process hollowing into MsBuild.exe. FortiGuard’s publication of IoCs and detection guidance is intended to help defenders map those signals to existing controls.

Procurement and accounts-payable teams — the groups most likely to receive genuine purchase orders — should expect adversaries to continue using purchase-order themes. Blocking or flagging archives that contain scripts, and ensuring that email gateways apply strong filtering, are concrete steps highlighted by the report.

End users benefit from the simple, practical point FortiGuard made visible in this case: the sample was stopped by FortiMail in the analyzed incident, underscoring that layered e-mail defenses and controls on script execution can disrupt even memory-only, multi-stage attacks.

FortiGuard Labs’ analysis shows an attack chain that blends a mundane social-engineering lure with a sophisticated, fileless execution model designed to evade disk-based detection while harvesting high-value data — from session tokens to cryptocurrency keys. The researchers’ IoCs and detection details give defenders tangible signals to look for; whether organizations adopt them will determine how many of these lures result in credential and wallet theft.

Source: FortiGuard Labs analysis, reported by Infosecurity Magazine