Fake Purchase Order Emails Spread Fileless PureLogs Malware via RAR Archives
ID: a5c0b4a4-3c18-54ac-ad34-2be884924e9f
STIX ID: report--a5c0b4a4-3c18-54ac-ad34-2be884924e9f
Feed Name: HackRead
FortiGuard Labs research, summarized in this report, describes a phishing campaign that delivers a fileless data-stealer named PureLogs. Victims receive fake purchase order RAR archives that drop JS and PowerShell payloads; these perform process hollowing on MsBuild.exe to load a downloader. The downloader contacts the C2 server at 77.83.39.211:8443 to retrieve an in-memory plugin that exfiltrates browser credentials, cookies, Discord tokens, and multiple cryptocurrency wallet files over HTTP endpoints. The malware uses layered DES, GZip, and AES encoding together with in-memory execution to evade detection.
