
Volume 338, Issue 4 · IT Vendor News · Fortinet

Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data

FortiGuard Labs, Tuesday, May 26th, 2026

FortiGuard Labs identified a phishing campaign using obfuscated JavaScript and PowerShell to deploy PureLogs malware and steal sensitive data.

FortiGuard Labs discovered a phishing campaign distributing a PureLogs variant that uses deceptive purchase-order-themed emails with malicious RAR attachments to compromise Windows systems.

The attack chain involves obfuscated JavaScript that decrypts and executes PowerShell code, which then uses process hollowing to inject .NET modules into MsBuild.exe. The deployed downloader module communicates with a C2 server to retrieve additional plugin modules, enabling attackers to collect sensitive data from infected devices.

The campaign demonstrates sophisticated multi-stage evasion techniques including fileless execution, encryption, and memory-based code injection.
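A detection sketch for the chain described above, added here as an example and not taken from the FortiGuard Labs report. It assumes the JavaScript runs under Windows Script Host (wscript.exe or cscript.exe) and that the hollowed MsBuild.exe is created as a child of PowerShell with no project file on its command line; the events, field names and paths are constructed.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style). Real telemetry
# should be keyed on ProcessGuid, because PIDs are reused.
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\a\Downloads\PO_0001.js"'},
    {"pid": 300, "ppid": 200, "cmd": "powershell.exe -NoProfile",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 300, "image": MSB, "cmd": MSB},  # suspected hollowing target
    {"pid": 500, "ppid": 100, "image": r"C:\VS\devenv.exe", "cmd": "devenv.exe"},
    {"pid": 600, "ppid": 500, "image": MSB,
     "cmd": r'MSBuild.exe "C:\my src\app\app.csproj" /t:Build'},  # benign build
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
PROJECT_EXT = (".csproj", ".vbproj", ".proj", ".sln", ".targets", ".xml")

def name(path):
    return ntpath.basename(path).lower()

def ancestry(event, by_pid):
    """Image names from parent upward; stops on unknown parent or a PID loop."""
    chain, seen, cur = [], set(), by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(name(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain

def has_project_arg(cmd):
    return any(t.strip('"').lower().endswith(PROJECT_EXT) for t in cmd.split())

def detect(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if name(e["image"]) != "msbuild.exe":
            continue
        chain, reasons = ancestry(e, by_pid), []
        if chain and chain[0] in SHELLS:
            reasons.append("parent is PowerShell")
        if SCRIPT_HOSTS & set(chain):
            reasons.append("script host in ancestry")
        if not has_project_arg(e["cmd"]):
            reasons.append("no project file argument")
        if len(reasons) >= 2:  # a single signal alone is common in benign use
            alerts.append((e["pid"], reasons))
    return alerts
```

Requiring two signals keeps a bare `MSBuild.exe` run from a developer shell (which builds the project in the current directory) from alerting on its own.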
