Veil#Drop uses Blogspot to deliver PureLog Stealer
Veil#Drop uses compromised sites, JavaScript and PowerShell to fetch Blogspot-hosted components and deploy PureLog Stealer to harvest browser credentials and other sensitive data.
Security firm Securonix uncovered a multi-stage malware framework called Veil#Drop that retrieves malicious components from attacker-controlled Blogspot pages and deploys an information stealer known as PureLog.
The attack chain starts with a JavaScript file disguised as a document that launches PowerShell while attempting to bypass execution policies. The PowerShell script contacts Blogspot pages controlled by the attackers to download additional components.
Content hosted on Blogspot presents a decoy document to the user, terminates specified processes, decrypts embedded content and generates further Blogspot URLs. Subsequent payloads are fetched and executed directly in memory, reducing on-disk traces.
A second-stage loader contains large embedded data blobs holding XOR-encoded .NET assemblies. These blobs are reconstructed and decrypted at runtime, which complicates static analysis and weakens signature-based detection.
The framework includes fallback mechanisms that abuse legitimate, Microsoft-signed binaries for code execution and defense evasion. Securonix wrote that the adversaries combine compromised websites, filename masquerading, trusted cloud hosting, XOR obfuscation, reflective .NET loading, in-memory execution and abuse of legitimate system binaries to limit forensic artifacts and avoid antivirus detection.
The final payload is PureLog Stealer, a .NET information stealer that collects credentials, cookies, autofill entries, session tokens and browsing histories from Google Chrome, Microsoft Edge, Firefox, Brave, Opera and other Chromium-based browsers.
PureLog also searches infected systems for cryptocurrency wallet information and gathers data from messaging applications, email clients, remote access tools, FTP clients, cloud storage apps, developer tools and password managers. Harvested data is packaged and sent to attacker-controlled servers in encrypted form.
Securonix noted that a single compromised workstation can expose credentials, tokens, keys and other secrets that enable wider compromise. The firm added that information stealers often serve as an initial stage in larger intrusion campaigns, with stolen credentials later used to deploy ransomware, carry out data theft, enable business email compromise or support long-term espionage.
The campaign demonstrates use of a trusted cloud service to host malicious components, a tactic that can undermine reputation-based controls. The use of in-memory execution, obfuscated .NET assemblies and legitimate system binaries reduces visible artifacts and can complicate incident response.
Security teams are advised to monitor for unusual PowerShell activity, inspect scripts that contact cloud hosting platforms, protect credentials and enforce multifactor authentication to limit the impact of exposed secrets.




