Windows Users Targeted in New Phishing Campaign

Research from FortiGuard Labs has unveiled a sophisticated phishing campaign that masquerades as purchase orders to entice recipients into opening malicious attachments. The operation begins with a phishing email that delivers a malicious JavaScript file. When executed, the JavaScript decrypts and runs a PowerShell script, which uses process hollowing to inject a .NET downloader module into a trusted Windows process, specifically MsBuild.exe. The downloader then contacts a remote command-and-control (C2) server to retrieve and execute additional plugin modules, giving the attacker the flexibility to change the malware’s behavior after compromise.

Challenges in Detection

Windows users are the primary targets of this phishing threat. The campaign’s evasive design poses significant challenges for traditional signature-based security measures, mainly because it relies on:

  • Multiple layers of encryption
  • Fileless execution techniques
  • Process hollowing strategies

Security Leaders Weigh In

Kern Smith, Senior Vice President of Global Solutions Engineering at Zimperium:

“While this campaign ultimately executes on Windows, the broader lesson extends well beyond the endpoint. Attackers increasingly rely on social engineering and multi-stage attack chains that begin wherever users are most active, and increasingly, that starts on mobile devices through email, messaging platforms, and collaboration tools. What makes these attacks effective is not just the malware itself, but the ability to move users from initial engagement to compromise while avoiding detection across devices and environments. Organizations should think beyond traditional endpoint visibility and ensure they can identify suspicious activity early, correlate signals across mobile devices, applications, and endpoints, and rapidly determine whether an alert represents a real incident. As attack paths become more distributed and AI accelerates attacker execution, security teams need AI-empowered security capabilities that reduce investigation time and provide clearer paths from signal to response.”

Jason Soroko, Senior Fellow at Sectigo:

“The recent discovery of a JavaScript-driven phishing campaign deploying a PureLogs variant underscores the shift toward fileless, evasive execution chains. Attackers hide the payload in an archive disguised as a purchase order, exploiting routine business workflows. The obfuscated JavaScript serves as an entry point that bypasses perimeter defenses, then decrypts and launches a PowerShell script. Threat actors continue refining methods that blend malicious activity with legitimate administrative tools. The campaign relies on process hollowing to inject a .NET downloader into the trusted Windows MsBuild executable, complicating detection. Once embedded, the downloader contacts a remote command server to retrieve modular plugins, giving the attacker dynamic post-compromise control. Layered encryption combined with legitimate system processes shows a sophisticated approach to data theft that demands equally adaptive, behavior-focused defenses.”

Maxime Cartier, Vice President of Human Risk at Hoxhunt:

“Historically, risky behavior and the human element have been linked to up to 90% of breaches, mainly via social engineering and phishing. However, when you look meticulously at recent research, many of the risks and barriers are behavioral, not technical. Developers, admins, IT operations teams — they respond to the same drivers we think about in Human Risk Management every day: motivation, prioritization, clarity, communication, and friction. If security teams want outcomes to improve, they need to communicate risk in ways that help people act, not just escalate pressure. This creates a significant opportunity for security awareness and Human Risk Management teams to collaborate more closely with vulnerability management teams. We spend a lot of time thinking about how to influence secure behavior at scale. Those same principles apply directly to improving remediation outcomes across the organization.”
