HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Fileless PureLogs Malware Delivered via Fake Purchase Order Emails Targets Windows Users

Threat actors are leveraging counterfeit purchase‑order emails with malicious RAR attachments to install file‑less PureLogs malware on Windows workstations, stealing browser credentials, cryptocurrency wallets, and Discord tokens. The campaign’s use of process hollowing evades many endpoint defenses, posing a significant third‑party risk.

LiveThreat™ Intelligence · 📅 June 01, 2026· 📰 hackread.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
hackread.com

Fileless PureLogs Malware Delivered via Fake Purchase Order Emails Targets Windows Users

What Happened — Threat actors are sending counterfeit purchase‑order emails that contain malicious RAR archives. When opened, the archive triggers a process‑hollowing technique that injects the file‑less PureLogs payload, which harvests browser credentials, cryptocurrency wallet files, and Discord tokens from Windows machines.

Why It Matters for TPRM

  • The campaign exploits a trusted business workflow (procurement) to bypass typical email defenses.
  • Data exfiltration includes financial assets and personal communications, raising direct monetary and reputational risk for third‑party vendors.
  • File‑less techniques evade many endpoint detection solutions, increasing the likelihood of undetected compromise across supply‑chain partners.

Who Is Affected — Enterprises across all sectors that process purchase orders via email, especially those with Windows‑based workstations and unmanaged endpoints.

Recommended Actions

  • Enforce strict verification of purchase‑order communications (e.g., digital signatures, out‑of‑band confirmation).
  • Block execution of RAR files from email attachments or enforce sandbox scanning.
  • Deploy behavior‑based endpoint detection that can identify process‑hollowing and file‑less activity.
  • Review third‑party vendor email security controls and require evidence of anti‑phishing training.

Technical Notes — Attack vector: phishing email with malicious RAR archive → process hollowing → file‑less PureLogs malware. No known CVE; the payload extracts browser cookies, crypto wallet files (e.g., .wallet, .dat), and Discord authentication tokens. Source: HackRead

📰 Original Source
https://hackread.com/purchase-emails-fileless-purelogs-malware-rar-archives/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →