PureLogs Variant Steals Data via Purchase Order Lures
ID: 0f4c8887-bb44-53b2-aadc-20aa19cf9fc3
STIX ID: report--0f4c8887-bb44-53b2-aadc-20aa19cf9fc3
Feed Name: Infosecurity Magazine (News)
FortiGuard Labs observed a phishing campaign that uses purchase-order-themed emails carrying a RAR attachment containing a malicious JavaScript file; the script decrypts and executes PowerShell to deploy a fileless PureLogs infostealer. The multi-stage chain extracts .NET modules, performs process hollowing into MsBuild.exe, downloads a DES-encrypted plugin, and exfiltrates system details, screenshots, browser credentials, Discord tokens, and cryptocurrency wallet files to a C2 server. The report includes IoCs and mitigation recommendations.
