PureLogs infostealer purchase-order phishing delivery chain
Malware Activity
Summary
Hide ▲
Show ▼
The PureLogs infostealer is being delivered through purchase-order-themed phishing emails, creating a Windows infection chain that steals browser credentials, Discord authentication data, and cryptocurrency wallet files and keys. The payload uses a malicious JavaScript file, then pivots through PowerShell and process hollowing to hide inside MsBuild.exe. The activity increases the risk of account takeover and wallet theft across targeted endpoints.
Related Happenings
Edgecution malicious Microsoft Edge extension backdoor activity
Malware Activity
H score23
First: 24.06.2026 23:58
Last: 24.06.2026 23:58
Sources 1
About this happening:
The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
Edgecution malicious Microsoft Edge extension backdoor activity
Malware ActivityAbout this happening: The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
Malicious npm packages delivering Windows RAT
Malware Activity
H score3
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Malicious npm packages delivering Windows RAT
Malware ActivityAbout this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
H score82
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor MetaAbout this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Timeline
-
27.05.2026 11:00 2 articles · 1mo ago
Purchase-order phishing delivers PureLogs infostealer on Windows
Initial DisclosureFortiGuard Labs analyzed a PureLogs infostealer campaign that uses purchase-order-themed phishing emails with a fake purchase order message and an attached RAR archive to start a multi-stage infection chain on Windows systems. The malicious JavaScript decrypts PowerShell code, writes a randomly named .ps1 file in C:\Temp, runs it through PowerShell.exe with execution policy bypassed and the window hidden, then uses in-memory .NET modules and process hollowing inside MsBuild.exe before downloading a fileless PureLogs plugin that steals browser credentials, cookies, session tokens, Discord authentication data, cryptocurrency wallet files and keys, and credentials from applications including Outlook, FileZilla, OpenVPN and ProtonVPN.
Show sources
- PureLogs Variant Steals Data via Purchase Order Lures — www.infosecurity-magazine.com — 27.05.2026 11:00
- PureLogs Variant Steals Data via Purchase Order Lures — www.infosecurity-magazine.com — 27.05.2026 11:00