Cybercriminal operations continue to evolve beyond traditional phishing tactics, leveraging sophisticated multi-stage infection chains that combine social engineering, obfuscated scripting, fileless malware execution, and advanced process injection techniques. One of the latest examples of this evolution is a phishing campaign analyzed by FortiGuard Labs that deploys a JavaScript-driven variant of the PureLogs information stealer. The campaign demonstrates how threat actors are increasingly abusing trusted Windows components, memory-resident execution, and layered encryption mechanisms to bypass conventional security controls.

Unlike commodity phishing attacks that rely on simple executable payloads, this campaign employs a carefully orchestrated sequence of malicious operations. Beginning with a deceptive purchase-order email, the attack progresses through JavaScript execution, PowerShell decryption, process hollowing, and remote payload retrieval before ultimately deploying credential-stealing malware capable of harvesting sensitive user and enterprise data. The campaign highlights the growing sophistication of modern malware ecosystems and reinforces the need for behavior-based detection strategies rather than sole reliance on signature-based defenses.

Attack Overview and Initial Access Vector

The infection chain begins with a phishing email crafted to resemble a legitimate business communication. Attackers use purchase-order-themed lures, a technique that remains highly effective because procurement documents are routinely exchanged across organizations. The email contains a compressed archive attachment designed to entice recipients into opening the file under the assumption that it contains a legitimate business document.

Once extracted, the archive reveals an obfuscated JavaScript file. This approach allows attackers to avoid immediate detection because JavaScript files often appear less suspicious than traditional executable malware. Additionally, many endpoint environments still permit script execution without enforcing strict application control policies.

The social engineering aspect of the campaign is particularly noteworthy. Instead of relying on urgency alone, the attackers leverage established business workflows, increasing the likelihood of user interaction. This demonstrates how modern phishing campaigns increasingly blend technical sophistication with psychological manipulation to maximize infection rates.

Obfuscated JavaScript as the Primary Loader

The malicious JavaScript file serves as the first-stage loader within the attack chain. Its primary responsibility is not data theft but rather the preparation and execution of subsequent payloads.

Threat actors heavily obfuscate the JavaScript code to hinder static analysis and evade detection mechanisms. Obfuscation techniques commonly include variable renaming, encoded strings, fragmented execution paths, and dynamically generated code structures. Once executed, the script decrypts embedded PowerShell content and writes it into a randomly generated PowerShell script file within the local system environment.

This approach provides multiple advantages to attackers. First, it delays exposure of the actual malicious functionality until runtime. Second, it complicates automated sandbox analysis. Third, it enables rapid modification of the delivery chain without altering the overall attack architecture.

The increasing use of JavaScript as a malware delivery mechanism reflects a broader trend in cybercrime operations. JavaScript-based loaders are lightweight, flexible, and capable of delivering highly customized payloads while maintaining a relatively small initial footprint on victim systems.

PowerShell Decryption and Fileless Malware Execution

After the JavaScript stage completes execution, the campaign transitions into PowerShell-based operations. The PowerShell script contains encrypted content that is decoded and executed directly in memory. Fileless execution remains one of the most significant challenges facing modern security teams. Traditional antivirus solutions typically focus on identifying malicious files stored on disk. By executing code directly from memory, attackers reduce forensic artifacts and minimize opportunities for detection.

The PowerShell component performs multiple critical functions:

• Decrypting embedded payloads.
• Loading .NET assemblies directly into memory.
• Preparing process injection routines.
• Establishing execution contexts for subsequent malware stages.

The use of PowerShell is particularly effective because it is a trusted administrative tool natively integrated into Windows environments. Threat actors continue to abuse PowerShell due to its extensive system access capabilities and its ability to execute complex scripts without requiring additional binaries.

This campaign illustrates how PowerShell has evolved from a system administration utility into one of the most frequently abused components in advanced phishing operations.

Process Hollowing and Trusted Process Abuse

One of the most technically advanced stages of the attack involves process hollowing. Process hollowing is a defense evasion technique in which attackers create a legitimate process in a suspended state, remove its original memory image, and replace it with malicious code before resuming execution. In this campaign, attackers target Microsoft’s legitimate MsBuild.exe process. By injecting malicious code into a trusted Windows process, attackers significantly reduce the likelihood of detection by endpoint security solutions.

The process hollowing workflow includes:

1. Creating a suspended MsBuild.exe process.
2. Unmapping the legitimate executable image.
3. Allocating memory within the target process.
4. Writing malicious payloads into the allocated memory.
5. Modifying thread execution contexts.
6. Resuming execution of the compromised process.

This technique effectively disguises malware activity behind a legitimate system process. Security monitoring platforms that rely primarily on process reputation may fail to identify the malicious activity because the executing process appears to be a trusted Microsoft binary.

The campaign utilizes several low-level Windows APIs, including CreateProcessA, VirtualAllocEx, WriteProcessMemory, SetThreadContext, and ResumeThread, all of which are commonly observed in sophisticated malware families employing advanced injection methods.

PureLogs Payload Delivery and Data Theft Capabilities

Once process hollowing is successfully completed, the injected .NET downloader establishes communication with a command-and-control infrastructure. This downloader retrieves additional plugin modules, including the PureLogs information stealer.

PureLogs is designed to harvest a broad range of sensitive information from compromised systems. Its capabilities include credential theft, browser data extraction, session token collection, cryptocurrency wallet targeting, and theft of stored authentication information.

The modular design enables attackers to dynamically update functionality after initial compromise. Rather than embedding all capabilities into a single executable, operators can selectively deploy plugins based on victim profiles and campaign objectives.

This architecture offers several operational advantages:

• Reduced initial payload size.
• Greater flexibility in post-compromise operations.
• Easier evasion of malware signature detection.
• Ability to introduce new functionality without reinfection.

The modular malware model increasingly dominates modern cybercrime campaigns because it enables threat actors to scale operations while maintaining adaptability against evolving defensive measures.

Defensive Strategies for Security Teams

• Deploy advanced email filtering and attachment sandboxing.
• Restrict execution of untrusted JavaScript and scripting engines.
• Monitor PowerShell activity using enhanced logging and transcription features.
• Detect process hollowing through behavioral analytics and EDR solutions.
• Implement application control policies to restrict unauthorized script execution.
• Continuously monitor outbound network communications for anomalous command-and-control activity.
• Enforce least-privilege access models to limit attacker movement after compromise.
• Conduct regular employee awareness training focused on business-themed phishing attacks.

Security teams should prioritize behavior-based detections capable of identifying suspicious process relationships, memory injections, and script execution chains rather than relying solely on malware signatures.

Our Opinion on This Campaign

The PureLogs campaign represents a clear example of how modern cybercriminal groups are adopting techniques historically associated with advanced persistent threat (APT) operations. What makes this campaign particularly concerning is not the individual techniques themselves—JavaScript loaders, PowerShell abuse, process hollowing, and credential theft have all been observed before—but the seamless integration of these techniques into a highly efficient and scalable attack chain.

From a defensive perspective, this campaign highlights a significant gap that still exists within many organizations. Security investments often focus heavily on perimeter protection, while attackers increasingly operate through trusted system components that appear legitimate at first glance. The abuse of MsBuild.exe and PowerShell demonstrates how attackers can weaponize native operating system functionality to remain hidden in plain sight.

We believe campaigns like this signal the future direction of large-scale phishing operations. Threat actors are investing more effort into stealth, modularity, and behavioral evasion rather than relying on traditional malware deployment methods. As a result, organizations should shift their security strategies toward continuous monitoring, endpoint telemetry analysis, and threat hunting capabilities.

Ultimately, preventing attacks of this nature requires a combination of user awareness, behavioral detection, robust endpoint security, and proactive threat intelligence integration. Organizations that continue relying solely on signature-based defenses will likely face increasing challenges as malware delivery chains become more adaptive and sophisticated.