Fake Purchase Orders Distribute Fileless PureLogs Malware via RAR Archives
PureLogs Malware Spreads via Evasive Campaign
FortiGuard Labs has uncovered a sophisticated cyberattack campaign targeting Windows users.
The Attack Begins with Phishing Emails
The attackers use fake purchase order emails to trick victims into deploying the fileless PureLogs malware.
Malware Steals Sensitive Data
This malware steals sensitive data, including browser credentials, cryptocurrency wallets, and Discord authentication tokens.
The Attack Process
The attack begins with a phishing email containing a malicious archive named “PO 2026-P0803.rar.” When opened, the archive executes a hidden script called “kpankocrs.js,” which drops a randomly named PowerShell file into the “C:\Temp” folder.
According to FortiGuard Labs, the script uses the Windows script engine to bypass system restrictions and execute PowerShell.exe.
Malware Employes Process Hollowing
The malware employs process hollowing to evade detection. It hijacks a legitimate Windows process, replacing its safe code with malicious code.
Malware Steals Browser Credentials and Cryptocurrency Wallets
The malware steals saved login credentials, history, and cookies from various browsers, including Chrome, Firefox, Brave, Vivaldi, and Microsoft Edge.
Malware Targets Discord Authentication Tokens
The malware also targets cryptocurrency wallet files, private keys, and transaction histories from popular wallets, and Discord authentication tokens and account passwords from various apps.
Final Job of the Malware
The malware bundles the stolen data with a desktop JPEG screenshot, system information, clipboard data, and the username. The malware then serializes the data packet, compresses it with GZip, and encrypts it using an AES key.
Takedown by FortiMail Security Filters
Fortunately, FortiMail security filters caught the phishing emails and prevented the malicious files from reaching users’ inboxes.
Mitigation Strategies
To mitigate risks against this evasive campaign, organizations should enforce strict filtering, disable unnecessary script execution, and actively monitor for anomalous PowerShell activity and process hollowing.
Expert Insights
Several cybersecurity experts shared their insights on the multi-layered nature of this campaign and the challenges it poses to modern defense strategies.
Jason Soroko, Senior Fellow at Sectigo
Successful use of process hollowing to inject a .NET executable.
Kern Smith, Senior Vice President of Global Solutions Engineering at Zimperium
Importance of looking beyond traditional endpoint visibility and ensuring that security teams can identify suspicious activity early.
Maxime Cartier, Vice President of Human Risk at Hoxhunt
Fixing these gaps requires changing how security risks are handled internally. Addressing the human element is crucial in preventing these types of attacks.