Fortinet’s FortiGuard Labs recently discovered a phishing campaign with the goal of stealing sensitive data from target devices using a PureLogs variant. The lure, hidden behind business-document theming, exploits the urgency and routine that lead many users to act quickly without thinking; recipients are predisposed to open such documents without suspicion or verification. The RAR attachment, disguised as a purchase order, conceals a JavaScript file, enabling the attack to bypass common file-type filters that target executables. The campaign build name “KPANKO” is embedded in the collected victim data, suggesting an organized, tracked operation.
Unpacking a Deliberately Evasive Execution Chain
This attack takes place over several stages containing multiple layers of obfuscation to increase the chances of successfully going undetected. “Layered encryption combined with legitimate system processes shows a sophisticated approach to data theft that demands equally adaptive, behavior-focused defenses,” says Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM).
The obfuscated JavaScript within the RAR file is decrypted and drops a PowerShell script to disk, then executes it silently via wscript.exe. PowerShell uses XOR-with-rotation decryption to create a fileless in-memory script, bypassing on-disk scanning efforts. The next stage involves process hollowing into MsBuild.exe—a signed, trusted Windows binary—which gives the injected .NET module cover as a legitimate process.
The Downloader as a Strategic Asset
The design of the downloader itself is another factor in the effectiveness of this attack. The downloader module (Rmiyj.dll) communicates with its Command and Control (C2) server over encrypted HTTPS, validating server availability before requesting plugins. POST requests encrypted with the Advanced Encryption Standard (AES) use randomized IVs to fetch plugin modules dynamically, enabling post-compromise behavior to be modified without redeployment. This plugin-based architecture means the attacker can pivot capabilities, or even swap out the payload entirely, without touching the initial infection chain.
The Breadth of What Gets Stolen
The scale of the stealer’s capabilities underlines the severity of this campaign. The attack harvests browser credentials spanning more than 80 Chromium and Firefox-based browsers, including login data, cookies, session tokens, autofill, and payment information. Cryptocurrency wallet targeting covers over 40 platforms, extracting private keys, wallet databases, authentication tokens, and transaction histories. The collection profile, designed to enable persistent account access long after initial compromise, is rounded out with Discord tokens, Outlook credentials, VPN configurations, and FTP client data.
The breadth of this data makes the risks of such an attack potentially catastrophic. With the right login credentials and session tokens, bad actors can compromise the personal and financial information and other highly sensitive data of not just individuals, but major organizations. They can harvest massive volumes of high-value information, either to sell it or to use it in their own further malicious actions.
What This Campaign Reveals About Signature-Based Limits
The identification of this campaign demonstrates the shortfalls of many traditional security tools that organizations continue to rely on. Fileless execution, in-memory-only plugin residence, and process hollowing work in concert to defeat measures like file hash scanning and static analysis. Encrypted C2 communications over HTTPS on port 8443 blend in with legitimate web traffic, making network-layer detection difficult without the use of TLS inspection. Each stage of the attack uses a separate encryption scheme—XOR, DES, and AES—to prevent any single decryption key or pattern from exposing the full chain.
What Security Leaders Should Be Rethinking
Defenders should look to this campaign to inform future efforts in protection and prevention. Email gateway controls continue to be the highest-leverage intervention—this campaign was flagged by FortiMail before delivery, validating email filtering as a critical control. Behavioral detection and EDR telemetry focused on anomalous PowerShell invocations, process hollowing indicators, and MsBuild.exe network activity are the next line of defense. The modular, plugin-driven design of the attack signals a maturing infostealer ecosystem in which the delivery mechanism and the payload are increasingly decoupled, requiring security programs to treat each stage as an independent detection surface.
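As an added, defender-side illustration (not code from the Fortinet report or from PureLogs), the following Python pass applies three behavioral rules drawn from the stages described above to constructed Sysmon-style events: wscript.exe launching PowerShell, PowerShell starting MsBuild.exe, and MsBuild.exe opening network connections (8443 being the C2 port named above). The event field names, file paths and the project-file heuristic are assumptions.

```python
"""Constructed detection pass over simplified Sysmon-style events.

Event shapes approximate Sysmon EventID 1 (process create) and EventID 3
(network connect); they are constructed samples, not campaign telemetry.
"""

# Constructed sample telemetry (assumed paths and values, not real IoCs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "wscript.exe PO_4471.js"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -f C:\\Users\\Public\\stage2.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "MSBuild.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8443},
    # Benign developer build launched from the IDE: must not fire.
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": "MSBuild.exe build.proj"},
]


def _name(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list[tuple[str, int]]:
    """Return (rule_name, event_index) hits; each rule maps to one stage of the chain."""
    hits = []
    for i, ev in enumerate(events):
        img = _name(ev.get("Image", ""))
        parent = _name(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        if ev["EventID"] == 1:
            # Stage 1: the JavaScript dropper launching PowerShell via wscript.exe.
            if parent == "wscript.exe" and img == "powershell.exe":
                hits.append(("wscript_spawns_powershell", i))
            # Stage 2: PowerShell starting MSBuild with no project or solution
            # argument (assumed heuristic: real builds name something to build).
            if (parent == "powershell.exe" and img == "msbuild.exe"
                    and ".proj" not in cmd and ".sln" not in cmd):
                hits.append(("powershell_spawns_msbuild", i))
        elif ev["EventID"] == 3 and img == "msbuild.exe":
            # Stage 3: a build tool has no business talking to the network at all.
            port = ev.get("DestinationPort")
            hits.append(("msbuild_network_c2port" if port == 8443 else "msbuild_network", i))
    return hits
```

Feed real EventID 1/3 records through `detect` and route hits to the EDR alert queue; the IDE-launched build at the end of the sample stays silent.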