[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhIvXZlJvbKAAA-KIsczEo-5QtMMTtCfabNl66d-5EpM":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":23,"created_at":24,"published_at":25,"article":26,"tags":30,"podcasts":49},"40251797-893e-4afb-8db3-1758d3420cfc","veildrop-abuses-google-blogger-to-deliver-purelogs-stealer-via-social-engineering","06df43b4-e4c9-447e-9c9a-253fee55ac00","VEIL#DROP Abuses Google Blogger to Deliver PureLogs Stealer via Social Engineering","The VEIL#DROP campaign exploits trusted cloud infrastructure — specifically Google's Blogger platform — to host and deliver malicious payloads, sidestepping domain-reputation and URL-category controls that implicitly trust Google-owned domains. The attack chain begins with a socially engineered JavaScript file that launches PowerShell with execution-policy bypass flags, demonstrating how user interaction with untrusted files remains a critical entry point. Because the payload is fetched from the same domains that carry legitimate Google traffic, destination-based controls see just another Google connection; reliable detection has to come from endpoint behavior (a script host launching PowerShell that then reaches out to a blog host) rather than from the destination alone. 
This matters because even well-defended organizations may inadvertently allowlist traffic to Google's infrastructure, creating a blind spot that sophisticated threat actors actively exploit.","**Immediate actions:**\n- Alert in endpoint security tooling on PowerShell launched with execution-policy bypass flags (e.g., `-ExecutionPolicy Bypass`, `-ep bypass`) or encoded commands (`-EncodedCommand`). Treat this as a detection signal, not a control: the execution policy is not a security boundary and is overridden per invocation, so pair the alert with application control (WDAC or AppLocker) and PowerShell Constrained Language Mode to actually limit what a script can do. Expect some noise from legitimate admin tooling that passes the same flags.\n- Apply application control policies (WDAC or AppLocker) so that untrusted script files cannot run through the Windows Script Host (`wscript.exe`, `cscript.exe`). As a quick mitigation, reassociate `.js` and `.jse` files with a text editor so that a double-click opens rather than executes them, and block those extensions at the mail gateway and web proxy.\n- Review proxy and firewall rules to inspect and log outbound requests to blogging platforms and generic cloud hosting services for anomalous payload patterns. Inspection only works with TLS interception in place, and a blanket allowlist for Google or Blogger (blogspot) domains bypasses it entirely, so check those exemptions first.\n\n**Long-term improvements:**\n- Implement a robust security awareness training program that specifically covers social engineering lures delivered via JavaScript or Office-adjacent files.\n- Enforce the principle of least privilege to limit blast radius, but do not rely on it to stop this chain: an information stealer typically runs in the user's own context and needs no elevation to read browser-stored credentials, and a standard user can run PowerShell by default. Restrict script execution with application control and Constrained Language Mode rather than with account privilege.\n- Develop and maintain an approved-applications allowlist to prevent unapproved scripting runtimes and interpreters from running on endpoints.\n\n**Detection measures:**\n- Deploy SIEM rules to correlate PowerShell spawned by a script host (`wscript.exe`, `cscript.exe`) or by browser or email processes with subsequent outbound HTTP\u002FS requests to cloud blogging domains. Since the chain starts with a user-run JavaScript file, which Windows executes under `wscript.exe` when double-clicked, the script-host parent is the most specific signal.\n- Enable script-block logging (Event ID 4104), module logging and PowerShell transcription on all endpoints and forward logs to a centralized SIEM for real-time alerting; script-block logging records the de-obfuscated script content even when the execution policy is bypassed.\n- Use DNS filtering to flag or block requests to known content-hosting platforms, and use endpoint telemetry (EDR network events or Sysmon Event ID 22) to attribute those requests to the originating process — a DNS resolver alone cannot tell whether a non-browser process initiated the lookup.",[12,13,14,15,16,17,18,19,20,21,22],"CIS Control 2 – Inventory and Control of Software Assets","CIS Control 9 – Email and Web Browser Protections","CIS Control 10 – Malware Defenses","CIS Control 8 – Audit Log Management","NIST SP 800-53 SI-3 – Malicious Code Protection","NIST SP 800-53 AC-6 – Least Privilege","NIST SP 800-53 AU-2 – Audit 
Events","NIST SP 800-53 SC-7 – Boundary Protection","MITRE ATT&CK T1059.001 – PowerShell","MITRE ATT&CK T1105 – Ingress Tool Transfer","MITRE ATT&CK T1566 – Phishing (Social Engineering Initial Access)","published","2026-07-01T20:22:01.52161+00:00","2026-07-01T20:22:01.214+00:00",{"id":7,"url":27,"slug":28,"title":29},"https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fveildrop-malware-chain-uses-blogger.html","veil-drop-malware-chain-uses-blogger-platform-to-deliver-purelogs-stealer-d81112","VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer",[31,37,43],{"id":32,"name":33,"slug":34,"description":35,"color":36},"1732a005-556e-411c-a9db-5edec3058571","Logging & Monitoring","logging-monitoring","Missing logs, no alerting, blind spots","#a855f7",{"id":38,"name":39,"slug":40,"description":41,"color":42},"7261eb8f-acd4-4d93-a489-7fdd652ec0ea","Security Awareness","security-awareness","Phishing, social engineering, human error","#22c55e",{"id":44,"name":45,"slug":46,"description":47,"color":48},"859cf0ad-a7e9-42bb-a75d-bac6511fa5d5","Configuration Management","configuration-management","Misconfigs, default credentials, exposed services","#eab308",[]]