New PureLogs Variant Uses MsBuild.exe Process Hollowing to Evade Detection
Cybersecurity NewsArchived May 28, 2026✓ Full text saved
A new and dangerous version of the PureLogs information-stealing malware has emerged, raising serious concerns across the cybersecurity community. This variant takes a more evasive approach than its predecessors, using a carefully crafted chain of stages to reach victims without triggering standard security tools. What makes it stand out is how it weaponizes trusted Windows […] The post New PureLogs Variant Uses MsBuild.exe Process Hollowing to Evade Detection appeared first on Cyber Security Ne
Full text archived locally
✦ AI Summary· Claude Sonnet
Home Cyber Security News New PureLogs Variant Uses MsBuild.exe Process Hollowing to Evade Detection By Tushar Subhra Dutta May 28, 2026 A new and dangerous version of the PureLogs information-stealing malware has emerged, raising serious concerns across the cybersecurity community. This variant takes a more evasive approach than its predecessors, using a carefully crafted chain of stages to reach victims without triggering standard security tools. What makes it stand out is how it weaponizes trusted Windows components to carry out its attack. The campaign begins with a phishing email built around a purchase order theme, designed to appear legitimate and trick the recipient into opening an attached file. Inside the archive is a JavaScript file that, once opened, quietly sets the entire attack in motion. The script is heavily obfuscated, making it difficult for security tools to analyze or flag at first glance. Researchers at Fortinet’s FortiGuard Labs said in a report shared with Cyber Security News that the campaign uses multiple layered techniques, including obfuscated JavaScript, PowerShell execution, and process hollowing to deploy the final payload. Their analysis revealed how each stage of the attack flows into the next, leaving very little trace for defenders to follow until the damage is already done. Once the JavaScript runs, it calls on PowerShell to carry the attack further. A heavily obfuscated PowerShell script is dropped and executed, which then decodes and loads an encrypted .NET module directly in memory. That module is disguised as a legitimate Windows Task Scheduler component, helping it blend in with normal system activity. The final payload, PureLogs itself, is a .NET-based infostealer built to harvest credentials, browser data, cryptocurrency wallet files, and more. It targets a wide range of applications and has been sold on underground forums as a commercial tool, making it accessible to a broad range of threat actors with varying levels of technical skill. New PureLogs Variant Uses MsBuild.exe Process Hollowing The most technically notable feature of this variant is its use of process hollowing through MsBuild.exe, a legitimate Microsoft build tool included with the .NET Framework . The downloader module identifies MsBuild.exe on the infected system and launches it in a suspended state. It then carves out the process memory and injects the PureLogs payload into that empty space before resuming execution. This technique allows the malware to run inside a trusted, signed Windows process, which makes it far harder for endpoint security products to flag the activity. Since MsBuild.exe is a recognized system component, many security tools allow it to run freely without deep inspection. The injected code uses Windows API calls such as CreateProcessA , WriteProcessMemory , and ResumeThread to complete the hollowing process cleanly. The payload itself is protected with commercial obfuscation tools like .NET Reactor and IntelliLock, adding another layer of difficulty for analysts trying to reverse-engineer it. Once fully loaded inside MsBuild.exe, PureLogs operates silently in the background, collecting data and sending it back to a command-and-control server over encrypted HTTPS requests. Widespread Data Theft Capabilities PureLogs is built to steal from a remarkably wide set of targets on an infected machine. It searches over 80 browsers for saved credentials, cookies, and autofill data, covering everything from Google Chrome and Mozilla Firefox to less common options like CocCoc and Kinza. Browsers are only the beginning of what the malware can access. The malware also targets cryptocurrency wallets, going after software like Exodus, Electrum, Atomic Wallet, and Binance, among many others. Email clients such as Microsoft Outlook, Thunderbird, and Foxmail are also in its crosshairs, along with FTP tools like FileZilla and VPN clients including ProtonVPN and OpenVPN. All stolen data is encrypted using a key stored in the malware’s configuration block before being sent to the attacker’s server. Security teams are advised to block JavaScript execution from email attachments and monitor closely for unusual PowerShell behavior on endpoints. Organizations should also restrict the ability of uncommon processes to spawn child processes or make network connections. Training employees to recognize invoice-themed and purchase-order-themed phishing lures remains one of the most effective front-line defenses against campaigns like this one. Indicators of Compromise (IoCs):- Note: IP addresses and domains are intentionally defanged (e.g., [.] ) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM . Follow us on Google News , LinkedIn , and X to Get More Instant Updates , Set CSN as a Preferred Source in Google . Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News How Top CISOs Increase Risk Visibility for Zero Critical Incidents Hackers Abuse Shared CDN Edge IPs to Bypass Protective DNS Filtering Mini Shai-Hulud Attack Forces npm to Reset Bypass-2FA Publishing Tokens Hackers Abuse Trusted Google Domains to Hide Phishing Links From Email Gateways Splunk Patches Multiple Vulnerabilities that Enable DOS Attacks and Expose Sensitive Data Load more Latest News Cyber Security News Critical Roundcube Webmail Vulnerability Let Attackers Inject SQL Queries Cyber Security News Hackers Abuse Shared CDN Edge IPs to Bypass Protective DNS Filtering Cyber Security News Threat Actors Spoofing FIFA Websites to Steal Name, Home Address, and Phone Number Cyber Security News Top 10 Best Mobile Application Security Testing (MAST) Tools in 2026 Cyber Security News Top 10 Best Static Application Security Testing (SAST) Tools for Security Teams in 2026