PureLogs infostealer purchase-order phishing delivery chain
Malware Activity
Summary
The PureLogs infostealer is being delivered through purchase-order-themed phishing emails that start a multi-stage Windows infection chain and steal browser credentials, Discord authentication data, and cryptocurrency wallet files and keys. The chain begins with a malicious JavaScript file, pivots through PowerShell, and uses process hollowing to run inside MsBuild.exe. The activity raises the risk of account takeover and wallet theft on affected endpoints.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Timeline
- 27.05.2026 11:00 · 2 articles
Purchase-order phishing delivers PureLogs infostealer on Windows
Initial Disclosure
FortiGuard Labs analyzed a PureLogs infostealer campaign that starts from a purchase-order-themed phishing email carrying a fake purchase-order message and a RAR archive attachment. A malicious JavaScript file inside the archive decrypts embedded PowerShell code, writes it to a randomly named .ps1 file in C:\Temp, and runs it through PowerShell.exe with the execution policy bypassed and the window hidden. The script then loads .NET modules in memory and uses process hollowing to run inside MsBuild.exe before a fileless PureLogs plugin is downloaded. The plugin steals browser credentials, cookies and session tokens, Discord authentication data, cryptocurrency wallet files and keys, and stored credentials from applications including Outlook, FileZilla, OpenVPN and ProtonVPN.
- PureLogs Variant Steals Data via Purchase Order Lures — www.infosecurity-magazine.com — 27.05.2026 11:00
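As an added detection example (not FortiGuard's analysis code and not from the page or its sources), the following Python correlates constructed Sysmon-style process-creation records to flag the chain described in this entry: a Windows script host running a .js file, a child powershell.exe launched with -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Temp\<random>.ps1, and a grandchild MsBuild.exe started with no project or solution to build. The field names, process IDs, paths and sample command lines are assumptions chosen to illustrate the hunt, not observed indicators.

```python
"""Hunt for the PureLogs delivery chain in process-creation telemetry.

Added example, not FortiGuard's analysis code and not from the page.  Events are
CONSTRUCTED to resemble Sysmon Event ID 1 fields (pid, ppid, image, cmdline);
the field names, process IDs and sample command lines are assumptions.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts abbreviated switches, so match -ep/-ExecutionPolicy and -w/-WindowStyle.
PS_FLAGS = (r"-e(p|xecutionpolicy)?\s+bypass", r"-w(indowstyle)?\s+hidden")
TEMP_PS1 = re.compile(r'C:\\Temp\\[^\s"]+\.ps1', re.IGNORECASE)
BUILD_INPUT = re.compile(r"\.(sln|csproj|vbproj|proj)\b", re.IGNORECASE)

# Constructed sample telemetry (not observed data). Events 100-400 form the
# malicious chain; 500-700 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 40, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\Rar$DIa1\PO-4471.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Temp\k3j9d2.ps1"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"'},
    {"pid": 500, "ppid": 90, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe",
     "cmdline": r"MsBuild.exe C:\src\MyApp.sln /t:Build"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\build.ps1"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe",
     "cmdline": r"MsBuild.exe C:\src\MyApp.csproj"},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_hidden_bypass_powershell(ev):
    """PowerShell started hidden with the policy bypassed, running a .ps1 from C:\\Temp."""
    if basename(ev["image"]) not in POWERSHELL:
        return False
    cl = ev["cmdline"]
    return all(re.search(p, cl, re.IGNORECASE) for p in PS_FLAGS) and TEMP_PS1.search(cl) is not None


def is_suspicious_msbuild(ev, parent):
    """MsBuild.exe spawned by PowerShell with nothing to build: the command line names no
    project or solution, which is what a hollowed host looks like in process telemetry."""
    if basename(ev["image"]) != "msbuild.exe":
        return False
    if parent is None or basename(parent["image"]) not in POWERSHELL:
        return False
    return BUILD_INPUT.search(ev["cmdline"]) is None


def find_chains(events):
    """Correlate MsBuild -> PowerShell -> script-host ancestry via pid/ppid.

    Returns one finding per MsBuild.exe whose parent matches the hidden/bypass
    PowerShell stage; js_stage records whether the grandparent was a Windows
    script host executing a .js file (the archive's JavaScript dropper)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if not is_suspicious_msbuild(ev, parent) or not is_hidden_bypass_powershell(parent):
            continue
        gp = by_pid.get(parent["ppid"])
        js_stage = (gp is not None and basename(gp["image"]) in SCRIPT_HOSTS
                    and re.search(r"\.js\b", gp["cmdline"], re.IGNORECASE) is not None)
        findings.append({
            "msbuild_pid": ev["pid"],
            "powershell_pid": parent["pid"],
            "script": TEMP_PS1.search(parent["cmdline"]).group(0),
            "js_stage": js_stage,
        })
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print("PureLogs-style chain:", f)
```

Feed real Sysmon Event ID 1 or EDR process events in the same shape; the pid/ppid join is the important part, because the hollowing stage leaves no command-line indicator beyond "MsBuild.exe with nothing to build". On build servers the BUILD_INPUT exclusion needs tuning, and the C:\Temp path check should be widened if you expect variants; confirm a hit by checking whether the MsBuild process image in memory matches its on-disk file and whether the originating mail carried a RAR attachment.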