Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data
FortiGuard Labs, Monday, June 1st, 2026
A phishing campaign uses obfuscated JavaScript and process hollowing to deploy PureLogs malware and steal sensitive data.
FortiGuard Labs identified a phishing campaign distributing a PureLogs variant through deceptive emails disguised as purchase orders containing malicious RAR archives.
The attack chain involves an obfuscated JavaScript file that decrypts and executes PowerShell code, which then uses process hollowing to inject .NET modules into MsBuild.exe.
The deployed downloader module communicates with a C2 server to retrieve additional plugin modules, using AES encryption and GZIP compression to maintain stealth. The campaign targets Windows users and can extract sensitive data from compromised systems.
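A detection sketch for the execution chain described above (script host running a .js file, then PowerShell, then MsBuild.exe), added here as an example and not taken from FortiGuard Labs' report. The event records, field names, paths and PIDs are constructed, and the code assumes the JavaScript runs under Windows Script Host and that the hollowed MsBuild.exe appears as a descendant of the PowerShell process.

```python
import re
import ntpath

# Constructed process-creation records (Sysmon Event ID 1 style); not data from the report.
NET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\PO_sample.js"'},
    {"pid": 300, "ppid": 200, "image": PS, "cmd": "powershell.exe"},
    {"pid": 400, "ppid": 300, "image": NET + "MSBuild.exe", "cmd": "MSBuild.exe"},
    # Benign look-alikes: an IDE-driven build and a developer's PowerShell build.
    {"pid": 500, "ppid": 100, "image": r"C:\VS\devenv.exe", "cmd": "devenv.exe app.sln"},
    {"pid": 600, "ppid": 500, "image": NET + "MSBuild.exe", "cmd": "MSBuild.exe app.sln"},
    {"pid": 700, "ppid": 100, "image": PS, "cmd": "powershell.exe"},
    {"pid": 800, "ppid": 700, "image": NET + "MSBuild.exe", "cmd": "MSBuild.exe app.sln"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
JS_ARG = re.compile(r'\.jse?(?=["\s]|$)', re.I)  # .js/.jse argument, not .json

def proc_name(ev):
    return ntpath.basename(ev["image"]).lower()

def ancestors(ev, by_pid, limit=16):
    """Walk parent links, stopping on unknown parents, cycles or the depth limit."""
    chain, seen = [], {ev["pid"]}
    while len(chain) < limit:
        parent = by_pid.get(ev["ppid"])
        if parent is None or parent["pid"] in seen:
            break
        chain.append(parent)
        seen.add(parent["pid"])
        ev = parent
    return chain

def find_suspicious_msbuild(events):
    """Return PIDs of MSBuild.exe whose ancestry is script host (.js) -> PowerShell."""
    by_pid = {e["pid"]: e for e in events}  # real telemetry also needs PID-reuse handling
    hits = []
    for ev in events:
        if proc_name(ev) != "msbuild.exe":
            continue
        chain = ancestors(ev, by_pid)
        shell_at = next((i for i, a in enumerate(chain) if proc_name(a) in SHELLS), None)
        if shell_at is None:
            continue
        if any(proc_name(a) in SCRIPT_HOSTS and JS_ARG.search(a["cmd"])
               for a in chain[shell_at + 1:]):
            hits.append(ev["pid"])
    return hits
```

Only the chain rooted in the script host is flagged; the IDE build and the PowerShell-only build are left alone, which keeps the rule usable on developer workstations where MSBuild runs routinely.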