PureLogs Variant Evades Detection via MsBuild.exe Process
A significant new variant of the PureLogs information-stealing malware has emerged, employing a sophisticated evasion technique that leverages the legitimate MsBuild.exe process. This development raises serious concerns within the cybersecurity community, particularly given PureLogs
This variant takes a more evasive approach than its predecessors, using a carefully crafted chain of stages to reach victims without triggering standard security tools. What makes it stand out is how it weaponizes trusted Windows components to carry out its attack.
The campaign begins with a phishing email built around a purchase order theme, designed to appear legitimate and trick the recipient into opening an attached file.
Inside the archive is a JavaScript file that, once opened, quietly sets the entire attack in motion. The script is heavily obfuscated, making it difficult for security tools to analyze or flag at first glance.
Researchers at Fortinet’s FortiGuard Labs said in a report shared with Cyber Security News that the campaign uses multiple layered techniques, including obfuscated JavaScript, PowerShell execution, and process hollowing to deploy the final payload.
Their analysis revealed how each stage of the attack flows into the next, leaving very little trace for defenders to follow until the damage is already done.
Once the JavaScript runs, it calls on PowerShell to carry the attack further. A heavily obfuscated PowerShell script is dropped and executed, which then decodes and loads an encrypted .NET module directly in memory.
That module is disguised as a legitimate Windows Task Scheduler component, helping it blend in with normal system activity.
The final payload, PureLogs itself, is a .NET-based infostealer built to harvest credentials, browser data, cryptocurrency wallet files, and more.

It targets a wide range of applications and has been sold on underground forums as a commercial tool, making it accessible to a broad range of threat actors with varying levels of technical skill.
New PureLogs Variant Uses MsBuild.exe Process Hollowing
The most technically notable feature of this variant is its use of process hollowing through MsBuild.exe, a legitimate Microsoft build tool included with the .NET Framework.
The downloader module locates MsBuild.exe on the infected system and launches it in a suspended state. It then hollows out the process memory and injects the PureLogs payload into the emptied space before resuming execution.
This technique allows the malware to run inside a trusted, signed Windows process, which makes it far harder for endpoint security products to flag the activity.

Since MsBuild.exe is a recognized system component, many security tools allow it to run freely without deep inspection. The injected code uses Windows API calls such as CreateProcessA, WriteProcessMemory, and ResumeThread to complete the hollowing process cleanly.
The payload itself is protected with commercial obfuscation tools like .NET Reactor and IntelliLock, adding another layer of difficulty for analysts trying to reverse-engineer it.
Once fully loaded inside MsBuild.exe, PureLogs operates silently in the background, collecting data and sending it back to a command-and-control server over encrypted HTTPS requests.
Widespread Data Theft Capabilities
PureLogs is built to steal from a remarkably wide set of targets on an infected machine. It searches over 80 browsers for saved credentials, cookies, and autofill data, covering everything from Google Chrome and Mozilla Firefox to less common options like CocCoc and Kinza.
Browsers are only the beginning of what the malware can access. It also targets cryptocurrency wallets, going after software such as Exodus, Electrum, Atomic Wallet, and Binance, among many others.

Email clients such as Microsoft Outlook, Thunderbird, and Foxmail are also in its crosshairs, along with FTP tools like FileZilla and VPN clients including ProtonVPN and OpenVPN. All stolen data is encrypted using a key stored in the malware’s configuration block before being sent to the attacker’s server.
Security teams are advised to block JavaScript execution from email attachments and monitor closely for unusual PowerShell behavior on endpoints.
Organizations should also restrict the ability of uncommon processes to spawn child processes or make network connections. Training employees to recognize invoice-themed and purchase-order-themed phishing lures remains one of the most effective front-line defenses against campaigns like this one.
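The detection advice above (watch for unusual PowerShell activity, and for uncommon processes spawning children or making network connections) maps directly onto the delivery chain described in the process-hollowing section: a JavaScript attachment launches PowerShell, PowerShell launches MsBuild.exe, and the hollowed MsBuild.exe talks to a C2 server over HTTPS. The following is an added example, written for this page rather than taken from Fortinet's report or any product, of how that chain can be flagged from endpoint telemetry. The event records are constructed and use a simplified Sysmon-like field layout (not the real Sysmon schema); the file paths other than the standard MsBuild.exe and powershell.exe locations, the PIDs and the documentation-range IP addresses are all made up for the sample. A benign developer build is included so the example shows where a false positive would come from.

```python
"""Flag the JS -> PowerShell -> MsBuild.exe -> network chain in endpoint telemetry.

Added example for this article; not code from the report or from any vendor.
Records below are constructed, simplified Sysmon-style events (not the real schema).
"""
import ntpath
from collections import defaultdict

# Parent images that should not normally be launching a build tool on an end-user host.
# Tune per environment: CI runners may legitimately start MSBuild from PowerShell.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
BUILD_TOOL = "msbuild.exe"

# Constructed sample telemetry.
EVENTS = [
    # Benign: a developer's IDE (made-up path) runs MsBuild, which then restores packages.
    {"type": "process", "pid": 300, "ppid": 1, "image": r"C:\Dev\IDE\devenv.exe"},
    {"type": "process", "pid": 310, "ppid": 300,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"type": "network", "pid": 310, "dst": "203.0.113.10", "port": 443},
    # Suspicious: JS attachment -> PowerShell -> MsBuild -> outbound HTTPS.
    {"type": "process", "pid": 500, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 510, "ppid": 500, "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process", "pid": 520, "ppid": 510,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "pid": 530, "ppid": 520,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"type": "network", "pid": 530, "dst": "198.51.100.7", "port": 443},
]


def basename(image):
    """Lower-cased file name of a Windows image path (ntpath handles backslashes anywhere)."""
    return ntpath.basename(image).lower()


def ancestry(pid, procs):
    """Image basenames from pid up to the root, pid's own image first. Guards against ppid loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return (severity, pid, reason) tuples for processes matching the chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    net_by_pid = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            net_by_pid[e["pid"]].append(e)

    alerts = []
    for pid in procs:
        chain = ancestry(pid, procs)
        me, parents = chain[0], chain[1:]

        # Stage 1: a script host (the JavaScript attachment) launching PowerShell.
        if me in SHELLS and parents and parents[0] in SCRIPT_HOSTS:
            alerts.append(("medium", pid, "script host launched PowerShell: " + " <- ".join(chain)))

        if me == BUILD_TOOL:
            # Stage 2: the build tool started anywhere under a scripting context.
            scripted = any(a in SHELLS or a in SCRIPT_HOSTS for a in parents)
            if scripted:
                alerts.append(("high", pid, "MsBuild.exe launched from scripting context: " + " <- ".join(chain)))
            # Stage 3: the build tool talking to the network. Package restore from an IDE
            # is a known benign cause, so severity depends on the ancestry.
            for n in net_by_pid.get(pid, []):
                sev = "high" if scripted else "low"
                alerts.append((sev, pid, f"MsBuild.exe outbound to {n['dst']}:{n['port']}"))
    return alerts


if __name__ == "__main__":
    for sev, pid, reason in detect(EVENTS):
        print(f"[{sev:6}] pid={pid} {reason}")
```

Running it prints one low-severity line for the developer's MsBuild restore traffic and three alerts for the scripted chain (the PowerShell spawn, the MsBuild launch, and the MsBuild network connection). The ancestry walk, rather than a direct-parent check, is what catches the chain even if an extra cmd.exe or conhost.exe hop is inserted between stages.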
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.