Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data
A phishing campaign distributes a PureLogs malware variant via deceptive purchase order emails containing malicious JavaScript. The malware uses obfuscated JavaScript to drop PowerShell scripts that employ process hollowing to inject .NET modules into legitimate Windows processes. PureLogs collects sensitive data including credentials from browsers, cryptocurrency wallets, email clients, Discord, and other applications, as well as screenshots, system information, and clipboard contents. Data is compressed, AES-encrypted, and exfiltrated to remote servers. The campaign uses advanced evasion techniques such as fileless execution, multiple encryption layers, and abuse of trusted processes like MsBuild.exe, complicating detection by traditional security tools.
AI Analysis (machine-generated threat intelligence)
Technical Summary
This threat involves a sophisticated phishing campaign that delivers a PureLogs malware variant through malicious JavaScript embedded in purchase order emails. The JavaScript is obfuscated and drops PowerShell scripts that perform process hollowing to inject .NET modules into legitimate Windows processes, such as MsBuild.exe. The malware communicates with command-and-control servers to download additional plugins. PureLogs harvests a wide range of sensitive information, including credentials from web browsers, cryptocurrency wallets, email clients, Discord, and other applications, along with screenshots, system data, and clipboard contents. Collected data is compressed and encrypted using AES before exfiltration. The campaign leverages fileless execution and multiple encryption layers to evade detection by conventional security solutions.
Potential Impact
The malware compromises confidentiality by stealing extensive sensitive information including user credentials, cryptocurrency wallet data, email and messaging client data, screenshots, system details, and clipboard contents. This data theft can lead to identity theft, financial loss, unauthorized access to accounts, and further compromise of affected systems. The use of advanced evasion techniques reduces the likelihood of detection and mitigation by traditional endpoint security tools, increasing the risk of prolonged undetected presence.
Mitigation Recommendations
No official patch or vendor advisory is provided for this malware variant. Mitigation should focus on user awareness to recognize and avoid phishing emails, especially those containing unexpected purchase orders or JavaScript attachments. Endpoint detection and response solutions should be updated to detect behaviors such as process hollowing, PowerShell script execution from email attachments, and abuse of trusted processes like MsBuild.exe. Network monitoring for known command-and-control IP addresses and URLs (e.g., 77.83.39.211 on port 8443) can help identify and block exfiltration attempts. Since this is a malware campaign rather than a software vulnerability, remediation involves detection and removal rather than patching. Patch status is not yet confirmed — check vendor advisories for updates.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.fortinet.com/blog/threat-research/phishing-campaign-deploys-javascript-driven-purelogs-variant-to-steal-sensitive-data
- Adversary: null
- Pulse Id: 6a15ba258c1acc516e08c0fd
- Threat Score: null
Threat ID: 6a16f9b4e29bf47b50c0d619
Added to database: 5/27/2026, 2:03:32 PM
Last enriched: 5/27/2026, 3:21:08 PM
Last updated: 5/27/2026, 4:27:51 PM