[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0Y4eSFk2iZ76owhYSmQhPHTlD8M-TdZ5oVd8dKQXuWI":3},{"article":4,"iocs":52},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"06df43b4-e4c9-447e-9c9a-253fee55ac00","VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer","veil-drop-malware-chain-uses-blogger-platform-to-deliver-purelogs-stealer-d81112","Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs. The activity has been codenamed VEIL#DROP by Securonix. It's suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise, which occurs when an unsuspecting user lands on","A new malware delivery chain, dubbed VEIL#DROP by Securonix, uses social engineering and Blogger pages to distribute the PureLogs information stealer. The attack begins with a JavaScript file that executes PowerShell with bypasses, which then retrieves a payload from a Blogger URL. This technique abuses Google's infrastructure to evade defenses and blend in with legitimate activity, ultimately deploying the .NET-based PureLogs Stealer.","VEIL#DROP malware chain uses Blogger to deliver PureLogs Stealer via JavaScript and PowerShell.","VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer. Ravie Lakshmanan, Jul 01, 2026, Malware \u002F Cyber Attack. Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs. The activity has been codenamed VEIL#DROP by Securonix. 
It's suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise, which occurs when an unsuspecting user lands on a website (legitimate or otherwise) under the attacker's control. \"The infection chain begins with a deceptively named JavaScript file masquerading as a document (e.g., transcript.pdf.js), which executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled,\" researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News. At a high level, the PowerShell script is responsible for retrieving a next-stage payload hosted on Blogger (\"htlwub00klocate.blogspot[.]com\"), allowing the attackers to bypass reputation-based defenses by abusing Google's trusted infrastructure as a stager and to blend in with legitimate web activity. The downloaded PowerShell payload acts as a conduit for loading a benign web page like Google, creating the impression that a PDF document has been opened, while the infection sequence proceeds silently in the background, ultimately leading to the deployment of PureLogs Stealer, a .NET-based infostealer known for harvesting a wide array of sensitive data from compromised hosts. The PowerShell loader also attempts to ensure unrestricted execution of follow-up PowerShell commands, terminate selected processes such as \"wscript.exe\" to minimize the forensic trail, delete \"transcript.pdf.js\" to eliminate evidence of execution, and decrypt an embedded payload. \"Following successful XOR decryption, the loader transitions into one of the most evasive components of the VEIL#DROP framework: dynamic stage generation combined with runtime mutation,\" Securonix explained. 
\"Rather than using static indicators such as hard-coded URLs or predictable execution patterns, the malware constructs the next-stage payload location dynamically during execution.\" This involves building a unique blogspot[.]com URL for each execution by inserting a random number of forward slashes (\"\u002F\") into the URL string so as to bypass static URL signatures, indicator-based blocking, and URL-based filtering mechanisms. In addition, the decoded script introduces runtime mutation and polymorphism by replacing placeholder values within the script with randomly generated strings and values during execution. This variability is designed to defeat script signatures and file hashes, thereby preventing reliable detection. The reconstructed script is finally executed entirely in memory without leaving any artifacts on disk. This component functions as a loader responsible for decoding and running the core malware component, which is a .NET assembly that's launched using a technique known as reflective code loading. In the event security controls and other environmental restrictions prevent it from executing the recovered .NET assemblies directly from memory, the loader incorporates a fallback execution method that relies on Microsoft-signed binaries, such as \"regsvcs.exe,\" \"installutil.exe,\" \"msbuild.exe,\" and \"aspnet_compiler.exe,\" to accomplish the same goals without attracting any attention. Because these binaries are trusted, signed by Microsoft, and already present on the system, the living-off-the-land (LotL) approach enables the attackers to make their activity appear legitimate and fly under the radar. \"One of the most notable aspects of the loader is that it does not depend on any single LOLBin,\" the researchers pointed out. 
\"Instead, execution follows a cascading model, attempting each method until one succeeds.\" The impact of a stealer infection typically goes beyond the initially compromised endpoint, as the harvested data can act as a stepping stone to burrow deeper into the target environment, establish persistence, perform lateral movement, and even breach its cloud infrastructure. \"The combination of compromised websites, multi-extension masquerading, trusted cloud services, XOR-obfuscated payloads, reflective .NET loading, fileless execution, and LOLBIN abuse demonstrates a deliberate effort to evade traditional antivirus solutions, reduce forensic artifacts, and maintain operational stealth throughout the infection lifecycle,\" Securonix said.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fveildrop-malware-chain-uses-blogger.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEj3OuCh7SjXAd7hG_0Q0p__EmpV5MwYh0fOfMZHc1wxRHpsCN9qlonLr93NB6-iJMWJd6nv8VoMqSt9hWW34H7R7tpoGuhkn1mkEL8UgsiUIfNxh9L1Bh0Qpvt0xrX9Pqq6rw1vb-0CEC3KLAT5N7fdlgEHWnYVDyeuUHt2pD59vugSKLaC9n8-LBLoqV0Y\u002Fs1600\u002Fblogger.jpg","2026-07-01T17:18:50+00:00","2026-07-01T20:00:22.749268+00:00",8,[18,21,24,27,29,31],{"name":19,"type":20},"VEIL#DROP","threat_actor",{"name":22,"type":23},"Google","vendor",{"name":25,"type":26},"PowerShell","product",{"name":28,"type":26},"JavaScript",{"name":30,"type":26},"PureLogs Stealer",{"name":32,"type":33},"Living-off-the-Land (LotL)","technology","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":34,"icon":36,"name":37,"slug":38},null,"Malware","malware",[40,45,47],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":46},{"id":34,"icon":36,"name":37,"slug":38},{"category":48},{"id":49,"icon":36,"name":50,"slug":51},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[53,57],{"type":54,"value":55,"context":56},"domain","htlwub00klocate.blogspot[.]com","Blogger domain used for hosting next-stage payloads.",{"type":38,"value":30,"context":58},"Information stealer deployed by the VEIL#DROP malware chain."]