VEIL#DROP Campaign Abuses Blogger Pages to Push PureLogs Stealer

Security researchers have identified a new multi-stage malware campaign that uses social engineering and Google’s Blogger platform to distribute PureLogs, an information-stealing malware strain. Secur...

Security researchers have identified a new multi-stage malware campaign that uses social engineering and Google’s Blogger platform to distribute PureLogs, an information-stealing malware strain. Securonix has named the activity VEIL#DROP and says the operation appears designed to blend in with normal web traffic while avoiding detection.

The attack chain reportedly starts with a misleading JavaScript file that looks like a document, such as a file named to resemble a PDF transcript. When opened, the script runs through Windows Script Host and launches PowerShell with security restrictions disabled. From there, the script retrieves the next stage from a Blogger-hosted page, taking advantage of the trust often associated with legitimate cloud services.

According to the researchers, the downloaded content is used to load what appears to be a harmless webpage, such as Google, giving the victim the impression that a document is being opened while the malware continues operating in the background. The end result is the deployment of PureLogs Stealer, a .NET-based tool that can collect sensitive information from infected systems.

How the chain evades detection

Securonix said the loader includes several techniques meant to frustrate security tools and reduce forensic evidence. These include deleting the original script, stopping certain processes, decrypting embedded code, and running malicious components directly in memory instead of writing them to disk.

  • Dynamic generation of Blogger URLs to avoid static blocking
  • Runtime changes to script values to defeat signature matching
  • Reflective loading of .NET payloads for fileless execution
  • Fallback use of trusted Microsoft binaries such as regsvcs.exe and msbuild.exe

The researchers noted that the malware does not rely on just one living-off-the-land binary. Instead, it cycles through multiple trusted tools until one works, helping it appear more legitimate on compromised machines.

Stealer malware like PureLogs can have consequences beyond the initial infection. Once attackers gain access to browser data, credentials, and other information, they may use that material to move deeper into an environment, maintain access, or target connected cloud services.

Securonix described VEIL#DROP as a deliberately stealthy campaign that combines compromised infrastructure, obfuscation, memory-only execution, and trusted system tools to stay under the radar.