Date: 05/27/2026
Severity: High
Summary
We recently uncovered a phishing campaign delivering a variant of PureLogs, an infostealer designed to harvest sensitive data from compromised devices. This report breaks down the campaign's mechanics, analyzing the deceptive "purchase order" emails used to trick victims and the inner workings of the initial JavaScript payload. The following sections outline the complete execution chain: from the phishing email and obfuscated JavaScript to the subsequent PowerShell execution, process hollowing, and final deployment of a downloader module.
Indicators of Compromise (IOC) List
Domains/URLs (C2 host 77.83.39.211, port 8443):
https://77.83.39.211:8443/ping
https://77.83.39.211:8443/plugin
https://77.83.39.211:8443/userinfo
https://77.83.39.211:8443/browser
https://77.83.39.211:8443/discord
https://77.83.39.211:8443/crypto
https://77.83.39.211:8443/application
https://77.83.39.211:8443/filesearch/req
https://77.83.39.211:8443/finish
https://77.83.39.211:8443
SHA256 hashes:
3D510977D60A44322F88100B515F06CB5ED83BABC64247068D1A489595FAA6C5
670384FAFB23140D96F2F8FE04A13FC8CC8E2A6E5E8C973E39B58D103C5FEA92
B90988400CCED319D260C4937F334ECC364785ED5C593CD2139965E62CA58173
E20B35A8C30E076CDD0E1DF05BA1FF2E418DBD39A674F084787CC0AF2FDA9E95
07CD03E2082BCB0B890CC59CE4C770D1A095AC6F1AE9CF999F5542555C56F841
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (network indicators: domainname, url and siteurl fields):
domainname like "https://77.83.39.211:8443/ping" or url like "https://77.83.39.211:8443/ping" or siteurl like "https://77.83.39.211:8443/ping" or domainname like "https://77.83.39.211:8443/finish" or url like "https://77.83.39.211:8443/finish" or siteurl like "https://77.83.39.211:8443/finish" or domainname like "https://77.83.39.211:8443/crypto" or url like "https://77.83.39.211:8443/crypto" or siteurl like "https://77.83.39.211:8443/crypto" or domainname like "https://77.83.39.211:8443/application" or url like "https://77.83.39.211:8443/application" or siteurl like "https://77.83.39.211:8443/application" or domainname like "https://77.83.39.211:8443/filesearch/req" or url like "https://77.83.39.211:8443/filesearch/req" or siteurl like "https://77.83.39.211:8443/filesearch/req" or domainname like "https://77.83.39.211:8443/discord" or url like "https://77.83.39.211:8443/discord" or siteurl like "https://77.83.39.211:8443/discord" or domainname like "https://77.83.39.211:8443/userinfo" or url like "https://77.83.39.211:8443/userinfo" or siteurl like "https://77.83.39.211:8443/userinfo" or domainname like "https://77.83.39.211:8443/plugin" or url like "https://77.83.39.211:8443/plugin" or siteurl like "https://77.83.39.211:8443/plugin" or domainname like "https://77.83.39.211:8443/browser" or url like "https://77.83.39.211:8443/browser" or siteurl like "https://77.83.39.211:8443/browser" or domainname like "https://77.83.39.211:8443" or url like "https://77.83.39.211:8443" or siteurl like "https://77.83.39.211:8443"
Detection Query 2 (file hashes, sha256hash field):
sha256hash IN ("3D510977D60A44322F88100B515F06CB5ED83BABC64247068D1A489595FAA6C5","E20B35A8C30E076CDD0E1DF05BA1FF2E418DBD39A674F084787CC0AF2FDA9E95","670384FAFB23140D96F2F8FE04A13FC8CC8E2A6E5E8C973E39B58D103C5FEA92","B90988400CCED319D260C4937F334ECC364785ED5C593CD2139965E62CA58173","07CD03E2082BCB0B890CC59CE4C770D1A095AC6F1AE9CF999F5542555C56F841")
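As an added example that is not part of this report or of the Gurucul product, the following Python applies the same indicators to log records with two normalisations that matching on the exact URL strings listed above would miss: any URL, host:port or bare host whose host is the C2 IP is flagged regardless of path or query string, and hashes are compared case-insensitively. The field names (domainname, url, siteurl, sha256hash) follow the queries above; the sample records are constructed.

```python
from urllib.parse import urlparse

# IOCs taken from the report above: the PureLogs C2 host and the five sample hashes.
C2_HOST = "77.83.39.211"
IOC_SHA256 = {h.lower() for h in (
    "3D510977D60A44322F88100B515F06CB5ED83BABC64247068D1A489595FAA6C5",
    "670384FAFB23140D96F2F8FE04A13FC8CC8E2A6E5E8C973E39B58D103C5FEA92",
    "B90988400CCED319D260C4937F334ECC364785ED5C593CD2139965E62CA58173",
    "E20B35A8C30E076CDD0E1DF05BA1FF2E418DBD39A674F084787CC0AF2FDA9E95",
    "07CD03E2082BCB0B890CC59CE4C770D1A095AC6F1AE9CF999F5542555C56F841",
)}  # normalised to lowercase once; log sources differ in hash casing

def is_c2_url(value):
    """True if a URL, host:port or bare host field points at the C2 host (any path)."""
    if not value:
        return False
    target = value if "://" in value else "//" + value  # let urlparse see a netloc
    return urlparse(target.strip()).hostname == C2_HOST

def is_ioc_hash(value):
    """Case-insensitive membership test against the report's SHA256 list."""
    return bool(value) and value.strip().lower() in IOC_SHA256

def scan_records(records):
    """Return (record_id, field, value) for every field that hits an indicator."""
    hits = []
    for rec in records:
        for field in ("domainname", "url", "siteurl"):
            if is_c2_url(rec.get(field)):
                hits.append((rec["id"], field, rec[field]))
        if is_ioc_hash(rec.get("sha256hash")):
            hits.append((rec["id"], "sha256hash", rec["sha256hash"].lower()))
    return hits

# Constructed sample records (not from the report) covering variations a literal
# match on the full URL string would miss: trailing query string, host:port with
# no scheme, lowercase hash, a benign look-alike host, and the host without port.
SAMPLE_RECORDS = [
    {"id": 1, "url": "https://77.83.39.211:8443/filesearch/req?x=1"},
    {"id": 2, "domainname": "77.83.39.211:8443"},
    {"id": 3, "sha256hash": "3d510977d60a44322f88100b515f06cb5ed83babc64247068d1a489595faa6c5"},
    {"id": 4, "url": "https://77.83.39.2118443.example.net/ping"},  # benign: other host
    {"id": 5, "siteurl": "https://77.83.39.211/ping"},  # same host, port not logged
]

if __name__ == "__main__":
    for rec_id, field, value in scan_records(SAMPLE_RECORDS):
        print(f"record {rec_id}: {field} matched IOC -> {value}")
```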
Reference:
https://www.fortinet.com/blog/threat-research/phishing-campaign-deploys-javascript-driven-purelogs-variant-to-steal-sensitive-data