SOC Prime Bias: Medium

27 May 2026 15:40 UTC

Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A phishing campaign is using a malicious JavaScript attachment to decrypt and execute a PowerShell script. That script then performs process hollowing to inject a .NET downloader into the trusted MsBuild.exe process. The downloader reaches out to a command-and-control server to retrieve a PureLogs plugin that steals credentials, browser data, cryptocurrency wallet information, and other sensitive assets. The attack chain is highly evasive and relies on layered encryption together with fileless execution techniques to reduce detection.

Investigation

FortiGuard Labs examined the email attachment, the obfuscated JavaScript, the dropped PowerShell script, and the in-memory .NET components used later in the attack. During analysis, researchers observed creation of a hollowed MsBuild.exe process, loading of a downloader DLL, and execution of a PureLogs plugin that harvested data from browsers, Discord, crypto wallets, and other applications. Captured network traffic showed encrypted GET and POST communications with a single command-and-control server.

Mitigation

The report recommends enforcing strong email filtering, limiting script execution wherever feasible, and monitoring for suspicious PowerShell activity and process hollowing involving MsBuild.exe. It also advises using endpoint detection and response tools that can identify in-memory .NET assemblies and unusual outbound network behavior associated with staged malware delivery.
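To make the monitoring advice concrete, the following Python script is an added example (not part of the FortiGuard report or SOC Prime's detection content) that evaluates process-creation telemetry for the chain described above: a script host (wscript.exe or cscript.exe) spawning powershell.exe with evasive flags and a script in the user temp directory, which in turn spawns MsBuild.exe. The input lines are constructed for this example in a simplified Sysmon Event ID 1 key=value layout; the field names mirror Sysmon, but the process ids, user name and paths are invented. The scoring threshold (two independent indicators) is an assumption chosen so that a lone `-NoProfile` or an IDE launching MsBuild does not alert.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events (simplified Sysmon Event ID 1 layout). The first four
# lines reproduce the phishing chain; the rest are benign activity for comparison.
SAMPLE_EVENTS = [
    r"ProcessId=100 ParentProcessId=1 Image=C:\Office\OUTLOOK.EXE CommandLine=OUTLOOK.EXE",
    r"ProcessId=200 ParentProcessId=100 Image=C:\Windows\System32\wscript.exe CommandLine=wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.js",
    r"ProcessId=300 ParentProcessId=200 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\launch.ps1",
    r"ProcessId=400 ParentProcessId=300 Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe CommandLine=MSBuild.exe /t:Compile",
    r"ProcessId=500 ParentProcessId=1 Image=C:\Windows\explorer.exe CommandLine=explorer.exe",
    r"ProcessId=510 ParentProcessId=500 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -NoProfile -Command Get-Date",
    r"ProcessId=600 ParentProcessId=500 Image=C:\VS\Common7\IDE\devenv.exe CommandLine=devenv.exe",
    r"ProcessId=610 ParentProcessId=600 Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe CommandLine=MSBuild.exe app.csproj",
]

EVENT_RE = re.compile(r"^ProcessId=(\d+) ParentProcessId=(\d+) Image=(\S+) CommandLine=(.*)$")

# Indicators taken from the attack chain in the report.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EVASIVE_PS_FLAGS = ("-executionpolicy bypass", "-noprofile", "-windowstyle hidden")
TEMP_PATH_RE = re.compile(r"%temp%|\\appdata\\local\\temp\\", re.IGNORECASE)
MIN_INDICATORS = 2  # assumption: alert only when two independent indicators line up


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    reasons: list = field(default_factory=list)


def parse_events(lines):
    """Parse key=value process-creation lines; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append(ProcEvent(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def basename(image):
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return one Finding per powershell.exe process that accumulates enough indicators."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        cl = e.cmdline.lower()
        reasons = []

        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {basename(parent.image)} (pid {parent.pid})")

        flags = [f for f in EVASIVE_PS_FLAGS if f in cl]
        if len(flags) >= 2:
            reasons.append("evasive PowerShell flags: " + ", ".join(flags))

        if "-file" in cl and TEMP_PATH_RE.search(cl):
            reasons.append("script file executed from the user temp directory")

        msbuild_children = [c for c in events if c.ppid == e.pid and basename(c.image) == "msbuild.exe"]
        if msbuild_children:
            reasons.append(f"spawned MsBuild.exe (pid {msbuild_children[0].pid})")

        if len(reasons) >= MIN_INDICATORS:
            findings.append(Finding(e.pid, reasons))
    return findings


if __name__ == "__main__":
    for finding in detect_chain(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT powershell.exe pid {finding.pid}:")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run against the sample, only the PowerShell process spawned by wscript.exe (pid 300) is reported, with all four indicators; the interactive `-NoProfile` session and the IDE-launched MsBuild produce nothing. In production the same logic would read real Sysmon or Security 4688 events, and the parent lookup should be bounded to a time window rather than the whole event set.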

Response

If this activity is detected, isolate the affected endpoint, terminate the malicious MsBuild.exe process, and block the command-and-control IP address. Investigators should then perform forensic analysis to determine whether any credentials or sensitive data were stolen and reset exposed accounts as needed. Detection content should also be updated to cover PowerShell abuse, process hollowing, and PureLogs-related behavior.

Attack Flow


Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Stage 1 – JavaScript Drop: The attacker delivers a malicious .js payload (encoded) via a phishing email. The payload is saved to %TEMP% and executed with wscript.exe.
    2. Stage 2 – PowerShell Launcher: The JavaScript launches PowerShell with the flags -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File, pointing to a secondary script that performs process hollowing.
    3. Stage 3 – Process Hollowing via MsBuild: The PowerShell script spawns MsBuild.exe in suspended mode, injects the malicious payload (a dummy DLL), and resumes the process, achieving execution while appearing as a legitimate build tool.
  • Regression Test Script: (PowerShell – run as a normal user, requires no external files)

    # --------------------------------------------------------------
    #  PureLogs Variant Simulation – JavaScript → PowerShell → MsBuild
    # --------------------------------------------------------------
    
    # 1. Create the malicious JavaScript. The real campaign's payload is obfuscated
    #    and decrypts its PowerShell stage; the simulation keeps it in clear text
    #    because only the process chain (wscript.exe -> powershell.exe -> MsBuild.exe)
    #    matters to the detection rule. A single-quoted here-string is used so
    #    PowerShell does not interpolate anything while writing the file.
    $jsPayload = @'
    // Malicious JS: launches PowerShell with bypass flags.
    // WScript.Shell.Run expands %TEMP% before executing the command line.
    var shell = new ActiveXObject("WScript.Shell");
    var psCmd = 'powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "%TEMP%\\launch.ps1"';
    shell.Run(psCmd, 0, false);
    '@
    
    $jsPath = "$env:TEMP\malicious.js"
    $jsPayload | Set-Content -Path $jsPath -Encoding ASCII
    
    # 2. Create the PowerShell payload that stands in for process hollowing with MsBuild.
    #    Single-quoted here-string: $msbuildPath, $si and $proc must reach the file
    #    literally instead of being expanded while this script builds it.
    $psPayload = @'
    # Locate MsBuild; fall back to the .NET Framework 4 location if it is not on PATH
    $msbuildPath = (Get-Command MsBuild.exe -ErrorAction SilentlyContinue).Source
    if (-not $msbuildPath) {
        $msbuildPath = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe'
    }
    
    # Launch MsBuild from PowerShell (the parent/child relationship the rule keys on)
    $si = New-Object System.Diagnostics.ProcessStartInfo
    $si.FileName = $msbuildPath
    $si.UseShellExecute = $false
    $si.CreateNoWindow = $true
    $si.Arguments = "/t:Compile"
    $proc = [System.Diagnostics.Process]::Start($si)
    Start-Sleep -Milliseconds 500  # give the process time to be created and logged
    
    # Process hollowing is only simulated: real hollowing would create the process
    # suspended and rewrite its memory through Windows API calls. Here the process is
    # simply started so that the powershell.exe -> MsBuild.exe telemetry is produced.
    Write-Host "Process hollowing simulated – MsBuild running"
    '@
    
    $psPath = "$env:TEMP\launch.ps1"
    $psPayload | Set-Content -Path $psPath -Encoding ASCII
    
    # 3. Execute the JavaScript – this is the entry point the rule watches
    wscript.exe $jsPath
    
    # Wait a short period to ensure logs are generated
    Start-Sleep -Seconds 10
  • Cleanup Commands:

    # Terminate any lingering MsBuild processes started by the simulation
    Get-Process MsBuild -ErrorAction SilentlyContinue | Stop-Process -Force
    
    # Remove artefacts written by the simulation
    Remove-Item "$env:TEMP\malicious.js" -ErrorAction SilentlyContinue
    Remove-Item "$env:TEMP\launch.ps1" -ErrorAction SilentlyContinue