Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks
Veil#Drop framework uses Blogspot and fileless techniques to deploy PureLog Stealer.
Summary
Securonix has identified a sophisticated malware delivery framework named Veil#Drop that leverages compromised websites and social engineering. The framework utilizes Blogspot for hosting payloads, JavaScript launchers, and PowerShell to execute malware filelessly, evading traditional detection methods. The ultimate goal is to deploy the PureLog Stealer, which harvests sensitive data from browsers, messaging apps, and other software, potentially leading to broader network compromise.
Full text
Securonix has uncovered a sophisticated multi-stage malware delivery framework that uses compromised websites and social engineering to infect users with information stealers. Dubbed Veil#Drop, the framework combines JavaScript launchers and PowerShell download cradles for the deployment and execution of malware hosted on Blogspot, Google’s trusted infrastructure. The infection chain begins with a JavaScript file posing as a document, designed to launch PowerShell code and evade execution policies. The PowerShell retrieves additional payloads from attacker-controlled Blogspot pages. The Blogspot-hosted payload displays a decoy document, terminates specific processes, and decrypts embedded content. The decoded code generates additional Blogspot URLs and executes subsequent payloads directly in memory. “A second-stage loader contains XOR-encoded .NET assemblies stored as large embedded data blobs that are reconstructed and decrypted at runtime, preventing straightforward static analysis and reducing the effectiveness of signature-based detection mechanisms,” Securonix explains. The sophisticated infection chain also contains several fallback mechanisms, abusing trusted Microsoft-signed binaries for code execution and defense evasion.Advertisement. Scroll to continue reading. “The combination of compromised websites, multi-extension masquerading, trusted cloud services, XOR-obfuscated payloads, reflective .NET loading, fileless execution, and LOLBIN abuse demonstrates a deliberate effort to evade traditional antivirus solutions, reduce forensic artifacts, and maintain operational stealth throughout the infection lifecycle,” Securonix notes. In the end, the victim’s machine is infected with PureLog Stealer, a .NET-based information stealer that performs system reconnaissance and starts harvesting data from Google Chrome. Microsoft Edge, Firefox, Brave Browser, Opera, and Chromium-based browsers. The malware targets credentials, cookies, autofill data, session tokens, browsing histories, and other sensitive information stored in the browsers. It also searches for cryptocurrency wallet information on the victim’s machine. Additionally, PureLog Stealer can harvest information from messaging applications, email clients, remote access software, FTP clients, cloud storage applications, developer tools, and password managers. The malware packages the harvested information and sends it to attacker-controlled servers in an encrypted form. Given PureLog Stealer’s extensive data harvesting capabilities, a single infected workstation could lead to broader environment compromise, depending on the credentials, tokens, keys, and other secrets stored on the system. “In enterprise environments, information stealers are frequently the first stage of larger intrusion campaigns. Stolen credentials may later be used to deploy ransomware, conduct data theft operations, perform business email compromise attacks, or facilitate long-term espionage activities,” Securonix notes. Related: Critical SimpleHelp Vulnerability Exploited for Malware Delivery Related: CryptoBandits Malware Doubles as a Backdoor, Abuses Tor Related: Rokarolla Banking Trojan Targets 200 Applications Related: Infostealers Turn Millions of Devices Into Credential Theft Machines Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Alleged Scattered Spider Hacker Extradited to USGoogle, FBI Disrupt NetNut Residential Proxy Network Powered by Millions of DevicesCritical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code ExecutionNew CitrixBleed Vulnerability Exploited Immediately After Public DisclosureFortiBleed Campaign Linked to INC, Lynx Ransomware AttacksCisco Confirms In-the-Wild Exploitation of Unified CM Vulnerability‘BioShocking’ Attack Tricks AI Browsers Into Stealing CredentialsCISA Warns of Actively Exploited Microsoft SharePoint Vulnerability Latest News The Shift Toward Business-Aligned Risk ManagementArmored Likho APT Targeting Government, Electric Power EntitiesNorth Korean Hackers Target Open Source Developers in Supply Chain Attacks Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access VulnerabilityPrompt Injection Attacks Trick AI Agents Into Making Crypto PaymentsIn Other News: Canadian Hacker Jailed, Open Source Zero-Days, Two Sentenced for ATM JackpottingAgentic AI Used to Conduct Ransomware Attack via LangflowMedtronic Data Breach Impacts 3.8 Million People Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveJames Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.Rafal Los has joined Binary Defense as Chief Strategy Officer.Tracey Mustacchio has joined Everfox as Chief Marketing Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email