PureLogs Infostealer Uses MSBuild.exe for Fileless Deployment

FortiGuard Labs documents PureLogs infostealer delivered via fake purchase order emails, using MSBuild.exe process hollowing to execute entirely in memory.

    FortiGuard Labs has published research on an active campaign distributing the PureLogs infostealer through fake purchase order emails, using a multi-stage fileless execution chain built around process hollowing of Microsoft’s legitimate MSBuild.exe. The campaign is specifically engineered to bypass endpoint detection tools and sandbox analysis environments.

    Delivery Chain and Execution Mechanics

    The attack begins with a deceptive email carrying a RAR archive — the filename follows a purchase order naming convention, such as “PO 2026-P0803.rar” — designed to appear credible to finance and procurement staff who regularly handle vendor correspondence. Inside the archive is a hidden JavaScript file that serves as the first active stage of the infection chain.

    JavaScript Stage and VM Detection

    Before proceeding with infection, the JavaScript performs virtual machine detection to determine whether it is running in a sandbox or analysis environment. If the checks indicate an analyst’s sandbox, the chain halts — protecting the campaign’s operational security by reducing the likelihood of detection and analysis. When the environment check passes, the JavaScript initiates the remaining stages of the chain, eventually targeting MSBuild.exe.

    MSBuild.exe Process Hollowing

    The campaign’s core evasion technique is process hollowing against MSBuild.exe, the legitimate build tool that ships with the .NET Framework and Visual Studio. Process hollowing launches the trusted process in a suspended state, unmaps or overwrites its in-memory image with the malicious code, and then resumes the main thread. To endpoint tooling that keys on process name, image path and code-signing status, the running process is still MSBuild.exe, a known, signed Microsoft binary. The PureLogs payload itself is never written to disk; only the lure archive and its JavaScript dropper touch the file system, so the unpacked stealer is invisible to scanners that rely on file hashes or on-access file scanning.

    What PureLogs Harvests

    Once executing inside MSBuild.exe’s hollowed process space, PureLogs targets credentials and session data across a broad range of applications. FortiGuard Labs documented the stealer hitting browser credentials and cookies from Chrome, Firefox, Brave, and Edge — covering the most widely used browsers in enterprise environments.

    Cryptocurrency Wallet and Discord Targeting

    Beyond browser credentials, PureLogs targets cryptocurrency wallets including Bitcoin Core, Exodus, and Atomic Wallet. The inclusion of Discord session token harvesting extends the stealer’s reach into communication channels, where stolen session tokens can be used to take over accounts without requiring a password. This combination — browser credentials, financial assets, and communication platform tokens — gives operators a wide monetization surface from a single compromise.

    The active command-and-control server identified by FortiGuard Labs was confirmed operational at the time of the research publication, indicating the campaign was live and not a historical artifact. Organizations that have not implemented advanced email security filtering capable of catching RAR-delivered JavaScript payloads remain exposed to the initial delivery vector.

    Detection and Defense Considerations

    The campaign’s reliance on fileless execution and process hollowing against a trusted Windows binary makes it resistant to conventional file scanning. Defenders monitoring process behavior, specifically MSBuild.exe making outbound network connections, being launched by a script host or shell rather than a development tool, or starting with no project file on a machine that does no software builds, have a higher probability of detecting the intrusion than those relying on file hash matching alone.

    The purchase order lure is targeted at enterprise and commercial environments where finance and procurement teams receive high volumes of supplier documents. User awareness of unexpected RAR archives claiming to contain purchase orders, combined with email gateway controls that inspect archive contents, addresses the delivery stage before the execution chain begins. Blocking outbound connections to unknown IP addresses on non-standard ports provides an additional control layer against the C2 communication stage.
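A gateway-side archive policy of the kind referred to above, as an added example rather than code from the article or from any mail-security product. It takes a member listing produced by whatever archive library the gateway already uses (only names and a hidden flag are needed, so the RAR parsing itself is outside the example) and returns a block-or-deliver verdict; the extension sets and the sample listings are constructed assumptions.

```python
"""Archive attachment policy: block script payloads before the mailbox.

Added example. Operates on a listing of archive members (name plus hidden
attribute) obtained from the gateway's own unpacker; the extension sets are
assumptions to be tuned per environment.
"""
import re

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".ps1", ".bat", ".cmd", ".scr", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
ARCHIVE_EXTS = {".rar", ".zip", ".7z", ".iso", ".img"}


def normalise(name):
    """Leaf name, lower-cased, with the trailing spaces and dots Windows ignores removed."""
    return re.split(r"[\\/]", name)[-1].rstrip(" .").lower()


def extensions(leaf):
    """Every suffix after the first dot, e.g. 'po.pdf.js' -> ['.pdf', '.js']."""
    return ["." + part for part in leaf.split(".")[1:]]


def inspect_member(member):
    """member: {'name': str, 'hidden': bool}. Returns the reasons to block, if any."""
    leaf = normalise(member["name"])
    exts = extensions(leaf)
    reasons = []
    if exts and exts[-1] in SCRIPT_EXTS:
        reasons.append(f"script file {leaf}")
    # 'Invoice.pdf.js' renders as 'Invoice.pdf' when extensions are hidden.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] not in DOCUMENT_EXTS:
        reasons.append(f"double extension {leaf}")
    if member.get("hidden"):
        reasons.append(f"hidden member {leaf}")
    if exts and exts[-1] in ARCHIVE_EXTS:
        reasons.append(f"nested archive {leaf}")
    return reasons


def verdict(archive_name, members):
    """Return ('block' | 'deliver', {member name: reasons}) for one attachment."""
    findings = {m["name"]: inspect_member(m) for m in members}
    return ("block" if any(findings.values()) else "deliver"), findings


# Constructed listings modelled on the lure described in the article.
MALICIOUS_LISTING = [{"name": "PO 2026-P0803.js", "hidden": True}]
BENIGN_LISTING = [{"name": "PO 2026-P0803.pdf", "hidden": False}]

if __name__ == "__main__":
    for listing in (MALICIOUS_LISTING, BENIGN_LISTING):
        decision, findings = verdict("PO 2026-P0803.rar", listing)
        print(decision, findings)
```

The hidden attribute is the detail worth keeping: the archive in this campaign carried its JavaScript as a hidden file, which a user extracting it would not see in Explorer, so a gateway that only lists visible members would miss it.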
