Malware | Jun 1, 2026

Fake Purchase Order Emails Spread Fileless PureLogs Malware via RAR Archives

Fake purchase order emails are spreading fileless PureLogs malware via RAR archives.

Summary

A new email campaign is targeting Windows users with PureLogs malware, which steals browser, crypto, and Discord data. The attack uses fake purchase order emails with a malicious RAR archive, leveraging process hollowing to avoid detection and execute the fileless malware.

Full text

by Deeba Ahmed, June 1, 2026

FortiGuard Labs has disclosed its findings on a new email campaign targeting Windows users with a data-stealing program called PureLogs. According to the research, the attack begins with fake purchase order emails that lure targets into opening a malicious archive named “PO 2026-P0803.rar”. Inside it, a script named “kpankocrs.js” runs under the Windows Script Host (wscript.exe) and drops a randomly named PowerShell script such as “ps_qnSEGUkU0LIY_1777592585573.ps1” into the “C:\Temp” folder; wscript.exe then launches powershell.exe to execute that script and bypass system restrictions.

Process hollowing helps the attackers evade detection. In this technique a legitimate program is started and then hijacked to host the malware; here the host is the legitimate .NET build tool at “C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe”. Its benign code is replaced in memory with a malicious downloader module, so the running process still appears to the operating system and to most tooling as an ordinary MsBuild.exe.

The researchers note that the hijack relies on a specific sequence of Windows API calls. The malware calls CreateProcessA() to start MsBuild.exe in a suspended state, uses ZwUnmapViewOfSection() to unmap the original executable image from the new process, writes the malicious code into the emptied address space with WriteProcessMemory(), and finally calls ResumeThread() so that the hollowed process begins executing the injected payload instead of the build tool.

Extracting the Downloader

Once active inside MsBuild.exe, the malware extracts an inner module named “Iwnflr.exe” to initiate the next phase. This .NET file loads the “Eqxcpvgf.Ybrgdoxas” resource via ResourceManager.GetObject(), decrypts it with the DES algorithm and decompresses the result with Gunzip to assemble a downloader called “Rmiyj.dll”.
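The mitigation advice later in the article asks defenders to watch for anomalous PowerShell activity and for process hollowing. The following added example (not Fortinet's or Hackread's code) shows what those two checks look like as detection logic: one pass over process-creation records for the wscript.exe to powershell.exe to MsBuild.exe chain described above, and one pass over an API-call trace for the four-call hollowing sequence (CreateProcessA with CREATE_SUSPENDED, ZwUnmapViewOfSection, WriteProcessMemory, ResumeThread) against the same target PID. The record layout, field names, PIDs and sample events are constructed for this illustration and are not from the report.

```python
"""Host-side detection for the delivery chain described above.
Added example, not Fortinet's or Hackread's code; record layout, PIDs and
sample events are constructed assumptions for the illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the newly created process
    cmdline: str
    parent_image: str   # full path of the parent process


@dataclass(frozen=True)
class ApiCall:
    caller_pid: int
    api: str
    target_pid: int
    flags: int = 0      # dwCreationFlags for CreateProcessA, 0 otherwise


CREATE_SUSPENDED = 0x00000004  # CreateProcess* creation flag

# Constructed events modelled on the article's chain
# (wscript.exe -> powershell.exe on C:\Temp\ps_*.ps1 -> MsBuild.exe),
# plus a benign developer build of MsBuild.exe for contrast.
SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\victim\Downloads\PO 2026-P0803\kpankocrs.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(4188, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Temp\ps_qnSEGUkU0LIY_1777592585573.ps1",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(4212, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(5000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe",
              r"MsBuild.exe MyApp.sln /t:Build",
              r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe"),
]

# Constructed API trace: the hollowing sequence against PID 4212, plus an
# ordinary child launch that writes memory but never unmaps the image.
SAMPLE_API_TRACE = [
    ApiCall(4188, "CreateProcessA", 4212, CREATE_SUSPENDED),
    ApiCall(4188, "ZwUnmapViewOfSection", 4212),
    ApiCall(4188, "WriteProcessMemory", 4212),
    ApiCall(4188, "ResumeThread", 4212),
    ApiCall(7000, "CreateProcessA", 7001, 0),
    ApiCall(7000, "WriteProcessMemory", 7001),
]

HOLLOW_SEQUENCE = ("CreateProcessA", "ZwUnmapViewOfSection",
                   "WriteProcessMemory", "ResumeThread")
PS1_IN_TEMP = re.compile(r"c:\\temp\\[^\s\"']+\.ps1", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_process_chain(events):
    """Return alerts for the wscript -> powershell -> MsBuild chain."""
    alerts = []
    for ev in events:
        child, parent = _basename(ev.image), _basename(ev.parent_image)
        if child == "powershell.exe" and parent == "wscript.exe" \
                and PS1_IN_TEMP.search(ev.cmdline):
            alerts.append(f"pid {ev.pid}: wscript.exe launched PowerShell on a .ps1 in C:\\Temp")
        # A build tool started by a shell with no project or target arguments
        # is the hollowing host described above, not a build.
        if child == "msbuild.exe" and parent == "powershell.exe" \
                and len(ev.cmdline.split()) == 1:
            alerts.append(f"pid {ev.pid}: MsBuild.exe spawned by PowerShell with no build arguments")
    return alerts


def flag_hollowing(trace):
    """Return target PIDs that received the full hollowing sequence, in order.
    Tracking starts only at CreateProcessA with CREATE_SUSPENDED; Nt* and Zw*
    are the same ntdll export in user mode, so both spellings are accepted."""
    expected = {}  # target_pid -> index of the next call we expect
    hits = []
    for call in trace:
        api = call.api.replace("NtUnmapViewOfSection", "ZwUnmapViewOfSection")
        if api == "CreateProcessA":
            if call.flags & CREATE_SUSPENDED:
                expected[call.target_pid] = 1
            continue
        idx = expected.get(call.target_pid)
        if idx is not None and api == HOLLOW_SEQUENCE[idx]:
            if idx + 1 == len(HOLLOW_SEQUENCE):
                hits.append(call.target_pid)
                del expected[call.target_pid]
            else:
                expected[call.target_pid] = idx + 1
    return hits


if __name__ == "__main__":
    for alert in flag_process_chain(SAMPLE_EVENTS):
        print("ALERT", alert)
    for pid in flag_hollowing(SAMPLE_API_TRACE):
        print(f"ALERT pid {pid}: process hollowing sequence observed")
```

The API-sequence check keys on the target PID rather than the caller, because the suspended child is what gets hollowed; a debugger or installer that calls WriteProcessMemory without first unmapping the image does not complete the sequence and is not flagged. The process-chain check deliberately requires the parent relationship, so a developer running MsBuild from Visual Studio is left alone.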
The downloader's task is to connect to a remote C2 server at 77.83.39.211 on TCP port 8443 and fetch the final payload over HTTP. It first sends an HTTP GET request to the “/ping” endpoint to confirm the server is alive, then an HTTP POST request to the “/plugin” endpoint to download a fileless PureLogs variant named “zgSGkYYzqVe.dll”. The plugin is loaded and executed in memory only, so this final stage never touches the disk; the earlier stages (the RAR archive, the JavaScript dropper and the PowerShell script in “C:\Temp”) do leave files behind, and that is where host-based detection and forensics should look.

Large-scale Data Theft

The malware now begins harvesting sensitive data from a broad range of browsers, cryptocurrency wallets, and applications. It steals saved login credentials, browsing history, and cookies from Chrome, Firefox, Brave, Vivaldi, and Microsoft Edge, and targets wallet files, private keys, and transaction histories from Bitcoin Core, Dogecoin Core, Litecoin Core, Exodus, and Atomic Wallet. It also grabs Discord authentication tokens and stored account passwords from Outlook, FileZilla, ProtonVPN, and OpenVPN.

Finally, it bundles the stolen data with a JPEG screenshot of the desktop, system information, clipboard contents, and the username, serialises the packet, compresses it with GZip, and encrypts it with an AES key. The encrypted bundle is then transmitted to the attackers' server via HTTP POST requests to the “/browser” and “/discord” endpoints.

Fortinet reports that FortiMail filters caught these phishing emails and tagged the subject line “virus detected”, so the malicious attachments did not reach protected users' inboxes.

[Figure: Attack Flow (Source: Fortinet)]

To mitigate this evasive campaign, the researchers recommend that organisations enforce strict email filtering, disable unnecessary script execution (such as the Windows Script Host where it is not needed), and actively monitor for anomalous PowerShell activity and for process hollowing, for example MsBuild.exe started by PowerShell with no build arguments.
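The C2 exchange above has a fixed shape: a GET to /ping, a POST to /plugin shortly afterwards, and later POSTs to /browser and /discord, all to a bare IP on port 8443. The following added example (not Fortinet's or Hackread's code) turns that shape into network-side detection logic over HTTP request logs. The one-line key=value log format, the field names and the sample lines are constructed for this illustration; the IP, port and endpoint paths are the ones the article reports, and the benign lines are there to show what does not fire.

```python
"""Network-side detection of the C2 request sequence described above.
Added example, not Fortinet's or Hackread's code. The log format (one
key=value line per HTTP request, as a proxy or Zeek-style sensor might
emit) is an assumption; the sample lines are constructed from the
article's indicators plus benign traffic for contrast."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2026-05-01T10:15:02Z src=10.0.5.17 dst=77.83.39.211:8443 method=GET path=/ping status=200
2026-05-01T10:15:03Z src=10.0.5.17 dst=77.83.39.211:8443 method=POST path=/plugin status=200
2026-05-01T10:15:41Z src=10.0.5.17 dst=77.83.39.211:8443 method=POST path=/browser status=200
2026-05-01T10:15:42Z src=10.0.5.17 dst=77.83.39.211:8443 method=POST path=/discord status=200
2026-05-01T10:16:00Z src=10.0.5.18 dst=10.0.0.9:8443 method=GET path=/ping status=200
2026-05-01T10:16:10Z src=10.0.5.19 dst=updates.example.com:443 method=GET path=/ping status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+)")
EXFIL_PATHS = {"/browser", "/discord"}


def parse_log(text):
    """Parse the constructed key=value format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": datetime.fromisoformat(d["ts"].replace("Z", "+00:00")),
            "src": d["src"], "dst": d["dst"], "port": int(d["port"]),
            "method": d["method"], "path": d["path"],
        })
    return records


def is_ip_literal(host):
    """True when the client spoke to a bare IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect_c2_sequence(records, window_s=60):
    """Return one alert per (src, dst:port) where GET /ping is followed within
    window_s seconds by POST /plugin. Later POSTs to the exfiltration endpoints
    from the same pair are attached, and direct-to-IP connections are marked,
    since that is the shape the downloader uses and most business traffic does not."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"], r["port"])].append(r)
    alerts = []
    for (src, dst, port), seq in sorted(by_pair.items()):
        seq.sort(key=lambda r: r["ts"])
        ping_ts = None
        for r in seq:
            if r["method"] == "GET" and r["path"] == "/ping":
                ping_ts = r["ts"]
            elif (r["method"] == "POST" and r["path"] == "/plugin" and ping_ts is not None
                  and (r["ts"] - ping_ts).total_seconds() <= window_s):
                exfil = sorted({x["path"] for x in seq
                                if x["method"] == "POST" and x["path"] in EXFIL_PATHS
                                and x["ts"] > r["ts"]})
                alerts.append({"src": src, "c2": f"{dst}:{port}",
                               "direct_to_ip": is_ip_literal(dst),
                               "exfil_paths": exfil})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_c2_sequence(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['src']} -> {a['c2']} (direct-to-IP={a['direct_to_ip']}): "
              f"/plugin fetched after /ping; exfil to {a['exfil_paths'] or 'none yet'}")
```

The host that only polls an internal /ping never fires, because the rule needs the /ping then /plugin pair; the exfiltration endpoints are reported as context rather than used as the trigger, so the alert is raised at the plugin fetch, before data leaves. If the traffic to 8443 is TLS in your environment, this logic needs a decrypting proxy or must fall back to the connection-level indicators (the IP and port) alone.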
Experts’ Perspectives

Several cybersecurity leaders shared their insights with Hackread.com on the multi-layered nature of this campaign and the challenges it poses to modern defence strategies.

Jason Soroko, Senior Fellow at Sectigo, pointed out that the campaign demonstrates how threat actors hide within normal business activity and system management tools. Soroko noted: “The campaign relies on process hollowing to inject a .NET downloader into the trusted Windows MSBuild executable, masking it within a heavily used framework component and complicating detection. Once embedded, the downloader contacts a remote command server to retrieve modular plugins, giving the attacker dynamic post-compromise control. Layered encryption combined with legitimate system processes shows a sophisticated approach to data theft that demands equally adaptive, behavior-focused defenses.”

While the execution phase happens on desktop systems, Kern Smith, Senior Vice President of Global Solutions Engineering at Zimperium, warned that security teams must look at the bigger picture across all user devices. Smith stated: “What makes these attacks effective is not just the malware itself, but the ability to move users from initial engagement to compromise while avoiding detection across devices and environments. Organizations should think beyond traditional endpoint visibility and ensure they can identify suspicious activity early, correlate signals across mobile devices, applications, and endpoints, and rapidly determine whether an alert represents a real incident.”

“As attack paths become more distributed and AI accelerates attacker execution, security teams need AI-empowered security capabilities that reduce investigation time and provide clearer paths from signal to response.”

Since the attack chain depends entirely on someone opening a fake purchase order attachment, the human element remains the primary barrier.
Maxime Cartier, Vice President of Human Risk at Hoxhunt, explained that closing these gaps requires changing how security risks are handled internally: “Historically, risky behavior and the human element have been linked to up to 90% of breaches, mainly via social engineering and phishing. However, when you look meticulously at recent research, many of the risks and barriers are behavioral, not technical. This creates a significant opportunity for security awareness and Human Risk Management teams to collaborate more closely with vulnerability management teams. We spend a lot of time thinking about how to influence secure behavior at scale. Those same principles apply directly to improving remediation outcomes across the organisation.”

Indicators of Compromise

  • ip — 77.83.39.211 (C2 server, TCP port 8443; listed on the original page as a “domain”, but it is an IPv4 address)
  • url path — /ping, /plugin (payload retrieval) and /browser, /discord (exfiltration), all on the C2 server above
  • file — PO 2026-P0803.rar (malicious attachment)
  • file — kpankocrs.js (JavaScript dropper inside the archive)
  • file — C:\Temp\ps_qnSEGUkU0LIY_1777592585573.ps1 (dropped PowerShell stage; the name is randomly generated per sample)
  • in-memory module — Iwnflr.exe, Rmiyj.dll, zgSGkYYzqVe.dll (not written to disk)
  • .NET resource — Eqxcpvgf.Ybrgdoxas (DES-encrypted, Gzip-compressed downloader)
  • hollowed host — C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe (legitimate binary; a target, not a malicious file)

Entities

  • Windows (product)
  • Chrome (product)
  • Firefox (product)
  • Brave (product)
  • Vivaldi (product)
  • Microsoft Edge (product)