Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data
Essential information
- Published
- 26/05/2026 17:20
- Modified
- 27/05/2026 13:59
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- cryptocurrency wallets phishing process hollowing purelogs
- Tags
- 2026-05-26 cryptocurrency wallets phishing process-hollowing purelogs
- Related entities
- 8 indicators, 8 observables, 23 techniques (mitre), 1 malware
Description
A phishing campaign distributes a PureLogs variant through fake purchase order emails carrying malicious JavaScript attachments. The chain runs as follows: obfuscated JavaScript drops PowerShell scripts, and the PowerShell stage uses process hollowing to inject .NET modules into legitimate Windows processes. The implant then contacts its command-and-control infrastructure to download additional plugins. PureLogs harvests credentials from web browsers, cryptocurrency wallets, email clients, Discord and a range of other applications, and also captures screenshots, system information and clipboard contents. The collected data is compressed, AES-encrypted and exfiltrated to remote servers. Evasion rests on fileless (in-memory) execution of the payload stages, multiple encryption layers, and the abuse of trusted signed binaries such as MSBuild.exe as injection hosts, which makes the later stages hard to catch with file-based security controls.
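The execution chain above (JavaScript attachment under a script host, PowerShell stager, MSBuild.exe as a hollowing host) is what a defender can actually hunt for in process-creation telemetry, since the hollowing itself leaves no file on disk. The following is an added example written for this page, not code from the report or from AlienVault: a small hunting rule run over constructed Sysmon Event ID 1 style records. The field subset (Image, ParentImage, CommandLine, ProcessId, ParentProcessId), the rule names, the list of legitimate build parents and the sample file names are all assumptions chosen for illustration.

```python
"""Hunt for the dropper chain described in the report:
script host -> PowerShell -> MSBuild.exe, over Sysmon Event ID 1 style records.
Added example. The events in SAMPLE_EVENTS are constructed, not taken from the campaign."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record (assumed field set)."""
    pid: int            # ProcessId
    ppid: int           # ParentProcessId
    image: str          # Image: full path of the new process
    cmdline: str        # CommandLine
    parent_image: str   # ParentImage


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}            # a .js attachment runs here
SHELLS = {"powershell.exe", "pwsh.exe"}
# Parents that legitimately launch MSBuild.exe (illustrative allow-list, not exhaustive).
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
# A real build names a project or solution; an MSBuild used as a loader usually does not.
PROJECT_RE = re.compile(r"\.(?:csproj|vbproj|proj|sln|targets)\b", re.I)
# PowerShell switches droppers commonly use to hide the window and run a staged payload.
PS_STAGER_RE = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden\b"
    r"|-nop(?:rofile)?\b|-e(?:xecutionpolicy|p|x)\s+bypass\b", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_chains(events):
    """Return [(rule_name, pid), ...] for events matching the dropper chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img, parent = _base(e.image), _base(e.parent_image)

        # Stage 2: JavaScript running under wscript/cscript launches PowerShell.
        if img in SHELLS and parent in SCRIPT_HOSTS:
            findings.append(("script_host_spawned_powershell", e.pid))
        if img in SHELLS and PS_STAGER_RE.search(e.cmdline):
            findings.append(("powershell_stager_flags", e.pid))

        # Stage 3: MSBuild.exe started as an injection host rather than for a build.
        if img == "msbuild.exe":
            if parent not in BUILD_PARENTS and not PROJECT_RE.search(e.cmdline):
                findings.append(("msbuild_without_project", e.pid))
            # Walk up to five ancestors looking for a script host in the lineage.
            anc, hops = by_pid.get(e.ppid), 0
            while anc is not None and hops < 5:
                if _base(anc.image) in SCRIPT_HOSTS:
                    findings.append(("msbuild_descends_from_script_host", e.pid))
                    break
                anc, hops = by_pid.get(anc.ppid), hops + 1
    return findings


# Constructed sample telemetry (not real campaign data): one malicious chain, one benign build.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\Downloads\Purchase_Order.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1001, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA",       # payload base64 shortened
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(1002, 1001, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              "MSBuild.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(2000, 1900,
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r'MSBuild.exe "C:\src\app\app.csproj" /t:Build',
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
]


if __name__ == "__main__":
    for rule, pid in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

On the sample set the rule flags only the malicious chain (pids 1001 and 1002) and stays quiet on the Visual Studio build. Two caveats for real use: MSBuild inline tasks are a legitimate feature, so this is a hunting heuristic to be tuned against your own build hosts, not a blocking rule; and process creation alone never shows the hollowing step. Pair it with Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread) targeting the suspected host, or with memory scanning for executable regions whose content no longer matches the image on disk.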