Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Anthropic’s Fable 5 and Mythos 5 Are Back with New Security Guardrails

July 1, 2026

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

July 1, 2026

Veil#Drop Uses Google Blogspot to Deploy PureLog Stealer

July 1, 2026
Facebook X (Twitter) Instagram
Wednesday, July 1
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Veil#Drop Uses Google Blogspot to Deploy PureLog Stealer
News

Veil#Drop Uses Google Blogspot to Deploy PureLog Stealer

Team-CWDBy Team-CWDJuly 1, 2026No Comments2 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


A fileless malware framework has been abusing Google’s Blogspot platform to deliver the PureLog Stealer entirely in memory, letting attackers steal credentials while leaving few traces on disk.

Securonix Threat Research, which named the framework Veil#Drop, said the campaign chains together compromised websites, a booby-trapped JavaScript file and PowerShell to reach its target.

PureLog Stealer is a known .NET infostealer, but the multi-stage delivery route is what sets this operation apart.

A Fileless Chain Built to Evade Detection

The attack begun when a victim on a compromised website opened a file masquerading as a document. Because Windows hides known extensions by default, it appeared to be a PDF, but it was actually a script that Windows Script Host runs, launching PowerShell with security checks disabled.

From there, PowerShell fetched its next stages directly from attacker-controlled Blogspot pages and run them in memory, without writing any files to disk.

The firm said hosting the payloads on Google-owned infrastructure let the traffic blend in with normal web activity and slip past reputation-based defenses.

Read more on PureLogs delivery: PureLogs Variant Steals Data via Purchase Order Lures

The later stages hid their contents behind custom XOR encoding and only decoded at runtime. The researchers said the final loader rebuilt two .NET assemblies from encoded data and loaded them straight into memory using reflection, so no executable was ever dropped for antivirus to scan.

To ensure the payload run even when that path is blocked, Veil#Drop falled back on trusted Microsoft-signed binaries or LOLBINs, cycling through utilities such as RegSvcs, InstallUtil and MSBuild until one succeeded.

Because these binaries are legitimate parts of the .NET framework, the activity often slipped past application-control and allowlisting rules.

What PureLog Steals

Once running, PureLog Stealer went beyond simple credential theft, sweeping the machine for browser passwords, cookies, autofill data, cryptocurrency wallets and details of the host itself.

Securonix warned that stolen session cookies can let attackers bypass multi-factor authentication (MFA) by reusing a victim’s logged-in session.

“In many cases, the operators behind information-stealing malware sell harvested credentials through underground marketplaces, allowing other threat actors to purchase access to compromised accounts and environments,” the company explained.

Securonix also urged defenders to watch for the behavior behind Veil#Drop, such as PowerShell reaching out to Blogspot or spawning .NET utilities, rather than relying solely on static indicators.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleChrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability
Next Article Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack
Team-CWD
  • Website

Related Posts

News

Anthropic’s Fable 5 and Mythos 5 Are Back with New Security Guardrails

July 1, 2026
News

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

July 1, 2026
News

Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability

July 1, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Why geopolitical turmoil is a gift for scammers, and how to stay safe

May 15, 2026

A quick guide to recovering a hacked account

March 21, 2026

Why children’s data is a long-term identity risk

June 3, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.