Fileless PureLogs Malware Delivered via Fake Purchase Order Emails Targets Windows Users
What Happened — Threat actors are sending counterfeit purchase‑order emails that contain malicious RAR archives. When opened, the archive triggers a process‑hollowing technique that injects the file‑less PureLogs payload, which harvests browser credentials, cryptocurrency wallet files, and Discord tokens from Windows machines.
Why It Matters for TPRM —
- The campaign exploits a trusted business workflow (procurement) to bypass typical email defenses.
- Data exfiltration includes financial assets and personal communications, raising direct monetary and reputational risk for third‑party vendors.
- File‑less techniques evade many endpoint detection solutions, increasing the likelihood of undetected compromise across supply‑chain partners.
Who Is Affected — Enterprises across all sectors that process purchase orders via email, especially those with Windows‑based workstations and unmanaged endpoints.
Recommended Actions —
- Enforce strict verification of purchase‑order communications (e.g., digital signatures, out‑of‑band confirmation).
- Block execution of RAR files from email attachments or enforce sandbox scanning.
- Deploy behavior‑based endpoint detection that can identify process‑hollowing and file‑less activity.
- Review third‑party vendor email security controls and require evidence of anti‑phishing training.
Technical Notes — Attack vector: phishing email with malicious RAR archive → process hollowing → file‑less PureLogs malware. No known CVE; the payload extracts browser cookies, crypto wallet files (e.g., .wallet, .dat), and Discord authentication tokens. Source: HackRead