The infection chain of the malicious campaign | Image: FortiGuard Labs
Security researchers have uncovered an evasive malicious operation targeting enterprise environments. FortiGuard Labs identified a PureLogs info-stealer campaign that spreads through corporate email under the guise of routine business documents. The multi-stage attack exploits institutional trust by delivering fake purchase orders directly to unsuspecting users. To hide its footprint, the delivery pipeline stacks several encoding and encryption layers and keeps its later stages entirely in memory, so signature-based detection frequently fails to flag the intrusion before data theft occurs. Administrators should therefore strengthen host monitoring of script hosts, PowerShell and process-injection targets rather than rely on mail filtering alone.
Anatomy of the Deceptive Phishing Lure
The infection chain begins with targeted social-engineering emails sent to company personnel and disguised as urgent corporate purchase orders. The message instructs the recipient to open a compressed archive named PO 2026-P0803.rar to review an invoice. According to the analysis, “This campaign uses deceptive emails disguised as purchase orders, a tactic commonly used to trick recipients into opening malicious attachments.” A well-tuned email filter can stop the chain at this point: in FortiGuard's example, the mail security service tags the suspect message as a verified threat in the subject line, and the block stops the delivery path before a user ever interacts with the file. Organizations that cannot inspect RAR contents at the gateway should at least quarantine or strip archive attachments that contain script files.
Multi-Stage Execution and Process Hollowing
If the victim extracts the archive, they find a script component named kpankocrs.js. When run, this JavaScript file writes out and decrypts a second-stage, encrypted PowerShell script. It then launches PowerShell with an execution-policy bypass flag so the script runs silently and without prompting. This fileless stage decodes an embedded .NET assembly in memory using an XOR-based routine rather than touching the disk.
Injecting into MsBuild
Next, the malware uses a runtime injection technique to establish its foothold. The PowerShell stage contains a custom wrapper block that performs process hollowing against a trusted system binary: it targets MsBuild.exe, the native build utility located within the Microsoft .NET Framework folders. The report notes: “The fileless PowerShell code extracts and executes two .NET modules in memory using the process hollowing technique.” Because the malicious code then runs inside a signed Microsoft process, endpoint scanners that trust the image path or signature see only MsBuild. For defenders, MsBuild.exe spawned by powershell.exe, with no project file on its command line and subsequently making outbound connections, is a strong hunting signal.
C2 Communication and Plugin Retrieval
Once inside the hollowed process, a downloader module decrypts an embedded configuration block. This block contains the command-and-control server parameters, a unique mutex name, and an AES key used for subsequent traffic. To confirm the server is reachable, the downloader first sends a plain HTTP request to a designated URL, using an asynchronous web client to ping the controller IP address.
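The three stages described so far (script host to PowerShell with an execution-policy bypass, PowerShell to MsBuild.exe in the .NET Framework directory, and a network check-in from that MsBuild process) can be correlated from ordinary process-creation and network-connection telemetry. The following is an added example, not code from the FortiGuard report, of that correlation over Sysmon-style records (Event ID 1 and Event ID 3 fields). The sample events, process IDs, temp-file name, command lines and the 203.0.113.10 address are constructed for illustration; the MSBuild path is the stock .NET Framework 4 location, and the example assumes events arrive in chronological order.

```python
"""Correlate the JS -> PowerShell -> MsBuild.exe -> network chain from Sysmon-style events.

Sample events below are constructed for this example; they are not indicators
from the report. Process IDs, the temp-file name and 203.0.113.10 are placeholders.
"""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts unambiguous prefixes of -ExecutionPolicy (-ep, -ex, -exec, ...).
EP_BYPASS = re.compile(r"-e(?:p|x[a-z]*)\s+bypass", re.I)
# MsBuild.exe shipped with the .NET Framework lives under these directories.
MSBUILD_DIR = re.compile(r"\\Microsoft\.NET\\Framework(?:64)?\\", re.I)
# A real build normally names a project or solution file on the command line.
PROJECT_ARG = re.compile(r"\.\w*proj\b|\.sln\b", re.I)

SAMPLE_EVENTS: List[Dict] = [  # constructed telemetry, chronological order
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 2200,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\PO 2026-P0803\kpankocrs.js"'},
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'powershell.exe -ep bypass -w hidden -c "iex (gc C:\Users\alice\AppData\Local\Temp\stage.ps1 -raw)"'},
    {"EventID": 1, "ProcessId": 4256, "ParentProcessId": 4188,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"EventID": 3, "ProcessId": 4256,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: a developer build started by Visual Studio with a project file. Must not fire.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4999,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_chain(events: List[Dict]) -> List[str]:
    """Return one finding per observed link of the chain.

    Links are tied together by ProcessId/ParentProcessId, so an MsBuild.exe that
    is not a child of a bypass-PowerShell (for example a developer's build) is
    ignored even though the image path is identical.
    """
    findings: List[str] = []
    bypass_ps = set()      # PowerShell pids spawned by a script host with -ep bypass
    hollow_hosts = set()   # MsBuild pids spawned by one of those PowerShell processes
    for ev in events:
        if ev["EventID"] == 1:
            img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if img in POWERSHELL and parent in SCRIPT_HOSTS and EP_BYPASS.search(ev["CommandLine"]):
                bypass_ps.add(ev["ProcessId"])
                findings.append(f"[stage1] pid {ev['ProcessId']}: {parent} launched {img} "
                                "with execution policy bypass")
            elif (img == "msbuild.exe" and MSBUILD_DIR.search(ev["Image"])
                  and ev["ParentProcessId"] in bypass_ps):
                hollow_hosts.add(ev["ProcessId"])
                suffix = "" if PROJECT_ARG.search(ev["CommandLine"]) else " with no project file"
                findings.append(f"[stage2] pid {ev['ProcessId']}: PowerShell pid "
                                f"{ev['ParentProcessId']} spawned MsBuild.exe from the .NET "
                                f"Framework directory{suffix} (process hollowing host)")
        elif ev["EventID"] == 3 and ev["ProcessId"] in hollow_hosts:
            findings.append(f"[stage3] pid {ev['ProcessId']}: MsBuild.exe connected to "
                            f"{ev['DestinationIp']}:{ev['DestinationPort']} (possible C2 check-in)")
    return findings


if __name__ == "__main__":
    for line in find_chain(SAMPLE_EVENTS):
        print(line)
```

The pid correlation is what keeps the false-positive rate tolerable: MsBuild.exe from that directory is a normal sight on developer workstations, and even PowerShell with a bypass flag appears in legitimate automation. The combination of script-host parent, bypass flag, argument-less MsBuild child and an outbound connection from that child is what the report's chain produces and benign activity rarely does.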
Fetching the PureLogs Payload
The downloader then issues an encrypted request to fetch the primary data-harvesting payload, which arrives as a heavily obfuscated library and is loaded straight into memory. This is the PureLogs stealer itself, delivered as a fileless DLL named zgSGkYYzqVe.dll. The module is protected with a commercial runtime packer to hinder static analysis by defensive teams, so analysts should expect to unpack it from a memory dump rather than from any on-disk artifact.
Extensive Data Harvesting Capabilities
The memory-resident stealer immediately begins collecting a wide range of sensitive data from the host. First, it captures screenshots and gathers hardware details such as processor information. It also reads the clipboard contents and enumerates installed security software. It then targets dozens of web browsers to extract stored login profiles and active session cookies; for example, the code pulls Edge credentials directly from the browser's local User Data profile folders.
Target Apps and Wallets
Similarly, the malware interrogates specific system directories to capture authentication tokens from messaging applications. It targets multiple Discord builds, and a stolen token allows account takeover without a password. It also scans registry keys to locate data belonging to popular cryptocurrency wallets, and extracts stored data from email clients and from file transfer applications such as FileZilla. The advisory summarizes: “The malware’s primary capability is to collect sensitive data from the victim’s system, including basic hardware and system information, saved credentials, cryptocurrency-related data, and more.” Any host where the chain ran should be treated as a credential-exposure incident: browser passwords, session cookies, Discord tokens, FTP credentials and wallet material on that machine should be assumed compromised and rotated.