VEIL#DROP Malware Chain Uses Blogger to Deliver PureLogs Stealer
What happened
Cybersecurity researchers identified a new multi-stage malware delivery chain called VEIL#DROP that uses social engineering and Blogger pages to deliver the PureLogs information stealer.
Securonix researchers said the initial payloads are suspected to be distributed through spear-phishing or drive-by compromise. The attack begins with a JavaScript file disguised as a document, using a name such as transcript.pdf.js.
When executed through Windows Script Host, the file launches PowerShell with execution policy bypasses enabled.
The PowerShell script retrieves a next-stage payload from a Blogger page hosted on Google’s infrastructure. By using Blogger as a staging platform, the attackers can make malicious traffic appear more like legitimate web activity and potentially bypass reputation-based defenses.
The downloaded PowerShell payload opens a benign web page such as Google to make the victim believe a PDF document has opened. Meanwhile, the infection chain continues silently in the background.
The loader then works to reduce evidence of execution. It attempts to allow unrestricted PowerShell execution, terminates selected processes such as wscript.exe, deletes the original transcript.pdf.js lure, and decrypts an embedded payload.
After XOR decryption, the malware dynamically constructs the next-stage payload location. It inserts a random number of forward slashes into a Blogspot URL during execution, creating a unique URL pattern each time and making static URL signatures less reliable.
The decoded script also mutates at runtime by replacing placeholders with randomly generated strings and values. This polymorphic behavior is designed to defeat script signatures and file hash-based detection.
The next component executes entirely in memory and loads the core malware as a .NET assembly through reflective code loading.
If direct in-memory execution fails, the loader falls back to Microsoft-signed living-off-the-land binaries, including regsvcs.exe, installutil.exe, msbuild.exe, and aspnet_compiler.exe. The malware attempts these execution paths in a cascading sequence until one succeeds.
The final payload is PureLogs Stealer, a .NET-based information stealer designed to harvest sensitive data from compromised systems.
Who is affected
Windows users are affected if they receive and execute the disguised JavaScript lure or land on a compromised site that initiates the infection chain.
Organizations may be affected if employees open document-themed JavaScript files, especially files using double extensions such as transcript.pdf.js.
The risk is especially relevant to environments where PowerShell, Windows Script Host, and trusted Microsoft utilities can run without strong monitoring or restrictions.
Because PureLogs Stealer can harvest sensitive data, compromised endpoints may expose credentials, browser data, tokens, cloud access, or other information that can support follow-on compromise.
Why CISOs should care
VEIL#DROP shows how attackers are combining familiar social engineering with layered evasion. A fake document lure launches PowerShell, abuses Blogger for staging, mutates execution patterns at runtime, and loads malware in memory to avoid traditional file-based detection.
For CISOs, the Blogger abuse is important because trusted cloud and web platforms can make malicious staging traffic harder to block by reputation alone. Traffic to a Google-owned platform may not stand out unless defenders inspect behavior and context.
The use of polymorphism and dynamic URL generation also weakens static indicators. Each execution can look slightly different, making simple hash, URL, and script signatures less dependable.
The living-off-the-land fallback chain adds another layer of concern. Even if one execution path fails, the malware can attempt multiple Microsoft-signed binaries that are already present on Windows systems and may appear legitimate in isolation.
3 practical actions
Block risky script execution from user folders: VEIL#DROP begins with a JavaScript file disguised as a PDF. CISOs should restrict Windows Script Host, block double-extension document lures, and alert on JavaScript files launching PowerShell.
Monitor Blogger and trusted-platform staging behavior: The malware retrieves payloads from Blogger to blend with legitimate activity. Security teams should watch for unusual PowerShell web requests to Blogspot or other trusted platforms that are not normally used in business workflows.
Hunt for fileless loading and LOLBin fallback execution: The loader uses in-memory .NET execution and can fall back to regsvcs.exe, installutil.exe, msbuild.exe, and aspnet_compiler.exe. Defenders should monitor suspicious parent-child process relationships, reflective .NET loading, PowerShell execution policy bypasses, and unexpected use of Microsoft-signed binaries.
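The three actions above translate into a handful of process and network checks. The following is an added example, not code from the Securonix write-up: it runs those checks over a few constructed telemetry events (field names such as parent, image, cmdline and url are assumptions for the sample) and flags WSH-to-PowerShell launches with an execution policy bypass, PowerShell requests to Blogspot with slash padding collapsed, and PowerShell spawning the LOLBin fallbacks named on the page.

```python
import re

# Microsoft-signed binaries the page lists as the loader's fallback chain.
LOLBIN_FALLBACKS = {"regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
BYPASS_RE = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.IGNORECASE)

def check_process(event):
    """Return findings for one process-creation event (constructed schema)."""
    parent, image = event["parent"].lower(), event["image"].lower()
    findings = []
    if parent == "wscript.exe" and image == "powershell.exe":
        findings.append("WSH launched PowerShell")
        if BYPASS_RE.search(event.get("cmdline", "")):
            findings.append("execution policy bypass")
    if parent == "powershell.exe" and image in LOLBIN_FALLBACKS:
        findings.append(f"PowerShell spawned LOLBin {image}")
    return findings

def check_url(event):
    """Flag PowerShell fetching from Blogspot. Runs of slashes are collapsed
    first (keeping the '://' of the scheme) so the randomised URL still hits."""
    if event["image"].lower() != "powershell.exe":
        return []
    url = event["url"]
    collapsed = re.sub(r"(?<!:)/{2,}", "/", url)
    host = re.match(r"https?://([^/]+)", collapsed)
    findings = []
    if host and host.group(1).lower().endswith(".blogspot.com"):
        findings.append("PowerShell request to Blogspot")
        if collapsed != url:
            findings.append("slash-padded URL")
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ep bypass -w hidden -c <redacted>"},
    {"type": "network", "image": "powershell.exe",
     "url": "https://example-staging.blogspot.com///////p/page.html"},
    {"type": "process", "parent": "powershell.exe", "image": "msbuild.exe",
     "cmdline": "msbuild.exe build.xml"},
    {"type": "process", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe"},
]

def scan(events):
    """Apply the right check to each event; return (event_index, finding) pairs."""
    out = []
    for i, ev in enumerate(events):
        hits = check_process(ev) if ev["type"] == "process" else check_url(ev)
        out.extend((i, f) for f in hits)
    return out

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

The benign explorer.exe event produces no finding, which is the baseline any tuning should preserve.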