惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
B
Blog RSS Feed
宝玉的分享
宝玉的分享
腾讯CDC
博客园_首页
T
Tailwind CSS Blog
月光博客
月光博客
博客园 - 司徒正美
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
M
MIT News - Artificial intelligence
A
About on SuperTechFans
云风的 BLOG
云风的 BLOG
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
有赞技术团队
有赞技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
大猫的无限游戏
大猫的无限游戏
MongoDB | Blog
MongoDB | Blog
博客园 - 聂微东
V
Visual Studio Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
SecWiki News
SecWiki News
美团技术团队
P
Privacy International News Feed
H
Help Net Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Microsoft Security Blog
Microsoft Security Blog
Know Your Adversary
Know Your Adversary
Y
Y Combinator Blog
D
DataBreaches.Net
Project Zero
Project Zero
T
The Blog of Author Tim Ferriss
Cyberwarzone
Cyberwarzone
C
Cybersecurity and Infrastructure Security Agency CISA
C
Cisco Blogs
S
Schneier on Security
G
GRAHAM CLULEY
博客园 - 三生石上(FineUI控件)
Cisco Talos Blog
Cisco Talos Blog
小众软件
小众软件
Forbes - Security
Forbes - Security
D
Docker
T
Tenable Blog
S
Secure Thoughts
雷峰网
雷峰网
S
Security @ Cisco Blogs
T
The Exploit Database - CXSecurity.com
The Cloudflare Blog
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
阮一峰的网络日志
阮一峰的网络日志

Hackread – Cybersecurity News, Data Breaches, AI and More

Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Networks New GhostShell Hacking Group Targets Ukraine’s Drone Defense Sector Fake npm Packages Impersonate PostCSS Tool to Steal Chrome Passwords Best Crypto Payment Solutions for E-Commerce Businesses Internet Society Foundation Opens Global Call for Common Good Cyber Fund to Strengthen Cybersecurity LastPass Confirms Customer Data Breach After Klue OAuth Token Theft ‘Cordyceps’ CI/CD Flaw Exposes Microsoft, Google, Apache Repos to Pipeline Hijacking The Rise of AI-Powered Academic Fraud: Beyond Traditional Plagiarism New CryptoBandits Malware Uses USB Drives and Tor to Steal Crypto The Evolution of iGaming Fraud: What Security Teams Should Expect in 2027 2 Scattered Spider-Linked Hackers Plead Guilty Over £39M TfL Cyberattack Beats Studio Buds Flaw Could Let Nearby Attackers Eavesdrop on Users Texas Parks and Wildlife Data Breach Affects Over 3M License Customers Threat Hunting Beyond Alerts: Finding the Activity Detection Misses Scammers Use Fake GitHub Stars, VirusTotal Reviews to Spread Crypto Clipper Salesforce Disables Klue Integration After OAuth Token Theft Hits Customer Data MDR Provider Comparison: Time to Discover and Respond to Threats Meteor 3.0 Migration Helped Rocket.Chat Move Off End-of-Life Node.js Runtime Gcore Helps Ucom Safeguard Public Live Broadcast Infrastructure During Armenia’s Parliamentary Elections Nintendo America Employee Data Exposed After Shadowbyt3$ Targets TinyPulse eFAQ Publishes Investigation Into Alleged Scam Activity and Coordinated Reputation Attacks FIFA World Cup 2026: Hackers Target Football Fans With Fake Tickets Sites MacBook Neo vs Windows Laptops for Cybersecurity Tasks Operation Endgame Disrupts SocGholish Malware Infrastructure What Businesses Should Know Before Migrating Their CMS DragonForce Ransomware Abused Microsoft Teams to Hide Malware Activity Agentjacking: Researchers Show How One Fake Bug Report Can Hijack AI Coding Agents FortiBleed Attack Exposes Fortinet Firewall Credentials in 194 Countries SpyCloud Report Finds Phishing Attacks Surge as Employee Data Is Exposed at 86% of Fortune 100 Companies 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Fake Search Clicks Heimdal Survey: Executives Four Times More Confident About AI Risk Than the Teams Managing It ESET MDR vs Sophos MDR: Compared Time to discover and respond to a threat 15 Malicious JetBrains Plugins Caught Stealing DeepSeek, OpenAI API Keys Amos Stealer Targets macOS Keychain Files and Browser Passwords Aembit Extends IAM for Agentic AI to Microsoft Copilot Studio AppViewX Launches Agent Identity Security to Govern Agents for the AI and Quantum Era New Rokarolla Android Trojan Found Targeting 217 Crypto and Banking Apps Developer laptops are the credential store attackers are picking through in 2026, GitGuardian announces Endpoint Protection Best of Android Fax Apps: Top 5 Secure Picks for 2026 Feds Seize CFAKE and SOCFAKE Over Explicit Deepfakes of Famous Women Handala Hacking Group Claims Breach of California Water Service Over 50 Android Apps Found Spreading MagicAd Trojan via Official Stores Hackers Hide New Argamal Malware Inside Working Hentai Games Extradited Ukrainian Man Admits Role in Conti Ransomware Attacks Atomic Arch Campaign Hijacks 20+ Linux AUR Packages to Deliver Malware ShinyHunters Target Universities in Oracle PeopleSoft Zero-Day Attack The SpaceX Pre-IPO Market: How Crypto Rails Are Opening Synthetic Access Feds Seize AudiA6 and Dark2Web in $389M Crypto Laundering Case ShinyHunters Leak 40GB of University of Nottingham Student Data Authorities Dismantle Decade-Old SniperDZ Phishing Network Criminal IP at Infosecurity Europe 2026: Introducing AITEM, the Next Chapter of Attack Surface Management Hackers Use Fake Claude Code Guide and AI PDFs to Spread AsyncRAT Malware The Hidden Security Risks of Poor Software Testing FBI Seizes China-Linked Fake Consulting Sites Targeting US Clearance Holders How to Turn Images into Animated Videos with AI: A Wondershare Filmora Guide Scammers Use TikTok and Instagram Reels to Spread Vidar Infostealer ServiceNow Discloses Security Incident Exposing Customer Data Cloud Security Report Finds Fragmented Tools Widening the Cloud Complexity Gap Microsoft June 2026 Patch Tuesday Fixes 206 Flaws and 3 Zero-Days Network Log Analysis: Why Collecting Logs is Not Enough E-Signature Security Checklist Before Selecting an E-Signature Tool Maine Govt Portal Lists 10M Discord Data Breach Notice, But Filing Shows Red Flags Handala Claims Israeli Radar Hack, But Evidence Shows Phone Admin Panel WhatsApp Says It Blocked Pegasus Spyware Campaign Linked to NSO Operation FlutterBridge Uses Fake Google Ads to Spread macOS Backdoor Hackers Clone Ghidra, dnSpy and Other Tool Sites to Spread Malware Silent Ransom Group Uses Fast Flux Botnet to Hide Law Firm Leak Sites New Pink Extortion Group Targets Microsoft 365 Cloud Data Via Vishing Scams Miasma Malware Hits 32 Red Hat Packages via Compromised GitHub Account Atlas Menu Data Breach Exposes 64,000 GTA V and CS2 Cheat Service Users Reaper macOS Infostealer Abuses Script Editor to Steal Crypto and Passwords iFood Confirms Data Breach Affecting 1.2 Million Users in Brazil Why eSIMs Are Replacing Traditional SIM Cards Lazarus Group Uses npm Brandjacking Campaign to Target Developers Five Eyes Warns Chinese Spies Are Using Fake Job Ads to Target Military Staff How to Recover Data from iCloud Backup Without Resetting Your iPhone China-Linked TA4922 Hackers Target UK, Europe With New SilentRunLoader Malware Alcasec, "Robin Hood of Spanish Hackers," Jailed for 31 Months Over Data Theft Fake ChatGPT Desktop App Ads Used to Push Password-Stealing Malware Hackers Abused Meta’s AI Support Bot to Hijack Major Instagram Accounts New WordPress Malware Uses Steam Profile Comments to Hide C2 Instructions Halo Security Honored with 2026 MSP Today Product of the Year Award Why Encrypted File Sharing Is Essential for Modern Businesses What One Predator Case Can Reveal About an Online Platform’s Safety Gaps RaccoonLine Publishes 2026 dVPN Buyer’s Guide for Privacy-Focused Users How to Get a Reddit API Key in 2026: Step-by-Step Guide Zero-Click pretalx XSS Flaw Lets Hackers Hijack Conference Organizer Accounts How to Get the Most From Your Explainer Video Production Services 27,000-Download Codex UI Tool Secretly Stole OpenAI Refresh Tokens Fake Anthropic Sites Deliver Fileless Infostealer to Claude Code Users The Deliverability Problem: How New Platforms Are Solving Inbox Placement The CISO Whisperer's Watch List For The Gartner Security & Risk Management Summit 2026 Can Big Data Predict Market Movements Accurately? Iran’s Nimbus Manticore Used Trojanized Zoom Installers Against US Firms How Can MSSPs Scale Threat Detection Without Burning Out Their Analysts? Link11 is fully committed to Europe and is opening a Customer Excellence Hub in Lisbon Trojanized Gemini and Claude Installers Target Developers Via SEO Poisoning Claude Mythos AI Identified 10,000+ Software Vulnerabilities in One Month FBI Chief Kash Patel’s Clothing Store Hacked in ClickFix Infostealer Attack Netherlands Busts Bulletproof Hosting Network Linked to Disinfo and Cybercrime
Fake Purchase Order Emails Spread Fileless PureLogs Malware via RAR Archives
Deeba Ahmed · 2026-06-01 · via Hackread – Cybersecurity News, Data Breaches, AI and More

FortiGuard Labs has disclosed its findings about a new email campaign targeting Windows users with a malicious data-stealing program called PureLogs. According to their research, the attack begins with fake purchase order emails that trick targets into opening a malicious archive named “PO 2026-P0803.rar” as an initial trap.

After this, a hidden script called “kpankocrs.js” runs automatically and drops a randomly named file like "ps_qnSEGUkU0LIY_1777592585573.ps1” into the "C:\Temp" folder. It uses the Windows script engine (wscript.exe) to trigger PowerShell.exe and bypass system restrictions.

Process hollowing helps hackers avoid detection. In this technique, a genuine program is hijacked to hide the malware, which, in this case, is a legitimate Windows process at "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe.” Its safe code is replaced with a malicious downloader module.

Researchers further noted that this hijack relies on specific system commands to trick the computer. The malware calls CreateProcessA() to open the safe program in a frozen state, uses ZwUnmapViewOfSection() to empty its memory, plants the malicious code with WriteProcessMemory(), and triggers ResumeThread() to force the computer to run the hidden threat.

Once active inside MsBuild.exe, the malware extracts an inner module named “Iwnflr.exe” to initiate the next phase. This file loads the “Eqxcpvgf.Ybrgdoxas” resource via ResourceManager.GetObject().

It then decrypts it using the DES algorithm and decompresses it with Gunzip to assemble a downloader called “Rmiyj.dll”.

This downloader’s task is to establish a connection to a remote C2 server at 77.83.39.211 via port 8443 to send web requests. That’s when the final payload is retrieved. It sends an initial HTTP GET request to the “/ping” endpoint to confirm the server is active, followed by an HTTP POST request to the “/plugin” endpoint to download a fileless PureLogs variant named “zgSGkYYzqVe.dll”. Because of the plugin’s in-memory execution, no traces are left on the physical hard drive.

Large-scale Data Theft

The malware now starts extracting sensitive data, targeting a broad range of browsers, cryptocurrency wallets, and apps. It steals saved login credentials, history, and cookies from Chrome, Firefox, Brave, Vivaldi, and Microsoft Edge, targets crypto wallet files, private keys, and transaction histories from Bitcoin Core, Dogecoin Core, Litecoin Core, Exodus, and Atomic Wallet.

Additionally, the malware grabs Discord authentication tokens and account passwords from Outlook, FileZilla, ProtonVPN, and OpenVPN. However, its final job is to bundle the data with a desktop JPEG screenshot, system information, clipboard data, and the username, serialise the data packet, compress it with GZip, and encrypt it using an AES key.

Now, the encrypted bundle is transmitted to the hackers’ server via HTTP POST requests to the /browser and /discord endpoints. The good aspect is that FortiMail security filters caught these phishing emails and marked the subject line as “virus detected” so that the malicious files couldn’t reach users’ inboxes.

Attack Flow (Source: Fortinet)

To mitigate risks against this evasive campaign, researchers note that organisations should enforce strict email filtering, disable unnecessary script execution, and actively monitor for anomalous PowerShell activity and process hollowing.

Experts’ Perspectives

Several cybersecurity leaders shared their insights with Hackread.com regarding the multi-layered nature of this campaign and the challenges it poses to modern defence strategies.

Jason Soroko, Senior Fellow at Sectigo, pointed out that the campaign demonstrates how threat actors are successfully hiding within normal business activities and system management tools. Soroko noted:

“The campaign relies on process hollowing to inject a .NET downloader into the trusted Windows MSBuild executable, masking it within a heavily used framework component and complicating detection. Once embedded, the downloader contacts a remote command server to retrieve modular plugins, giving the attacker dynamic post-compromise control. Layered encryption combined with legitimate system processes shows a sophisticated approach to data theft that demands equally adaptive, behavior-focused defenses.”

While the execution phase happens on desktop environments, Kern Smith, Senior Vice President of Global Solutions Engineering at Zimperium, warned that security teams must look at the bigger picture across all user devices. Smith stated:

“What makes these attacks effective is not just the malware itself, but the ability to move users from initial engagement to compromise while avoiding detection across devices and environments. Organizations should think beyond traditional endpoint visibility and ensure they can identify suspicious activity early, correlate signals across mobile devices, applications, and endpoints, and rapidly determine whether an alert represents a real incident.”

“As attack paths become more distributed and AI accelerates attacker execution, security teams need AI-empowered security capabilities that reduce investigation time and provide clearer paths from signal to response.”

Since the attack chain depends entirely on someone opening a fake purchase order attachment, the human element remains the primary barrier. Maxime Cartier, Vice President of Human Risk at Hoxhunt, explained that fixing these gaps requires changing how security risks are handled internally:

“Historically, risky behavior and the human element have been linked to up to 90% of breaches, mainly via social engineering and phishing. However, when you look meticulously at recent research, many of the risks and barriers are behavioral, not technical. This creates a significant opportunity for security awareness and Human Risk Management teams to collaborate more closely with vulnerability management teams. We spend a lot of time thinking about how to influence secure behavior at scale. Those same principles apply directly to improving remediation outcomes across the organisation.”