Trusted Google Infrastructure Abused in Multi-Stage Campaign
Security researchers have uncovered a sophisticated malware delivery operation that weaponizes Blogspot, Google’s long-standing blogging platform, to distribute information-stealing payloads. Dubbed Veil#Drop attacks, the campaign uses compromised websites and social engineering lures to infect victims with PureLog Stealer, a .NET-based credential thief.
Analysts at Securonix detailed the framework in a new report, describing a multi-stage chain that blends JavaScript, PowerShell, and fileless execution techniques. The goal: slip past traditional antivirus and leave minimal forensic traces.
How the Infection Chain Unfolds
The attack starts with a JavaScript file that masquerades as a legitimate document. When a victim opens it, the script launches PowerShell code, bypassing execution policies that would normally block such activity.
That PowerShell acts as a download cradle. It reaches out to attacker-controlled Blogspot pages to pull down the next stage. Because Blogspot sits on Google’s trusted infrastructure, the traffic often blends in with normal web activity.
Once retrieved, the Blogspot-hosted payload does three things: it displays a decoy document to keep the victim occupied, terminates certain running processes, and decrypts embedded content. The decoded code then generates additional Blogspot URLs and executes further payloads directly in memory — nothing touches the hard drive.
Fileless Execution and XOR Obfuscation
A second-stage loader contains XOR-encoded .NET assemblies stored as large embedded data blobs. According to Securonix, these are “reconstructed and decrypted at runtime, preventing straightforward static analysis and reducing the effectiveness of signature-based detection mechanisms.”
The chain also includes fallback mechanisms and abuses LOLBINs — legitimate Microsoft-signed binaries — for code execution and defense evasion. This layered approach makes it harder for endpoint protection to spot the malicious activity.
PureLog Stealer: What It Takes
By the end of the infection, the victim’s machine runs PureLog Stealer. This .NET-based malware performs system reconnaissance and then starts harvesting data from browsers including Google Chrome, Microsoft Edge, Firefox, Brave, Opera, and any Chromium-based browser.
Its targets are broad: credentials, cookies, autofill data, session tokens, browsing histories, and cryptocurrency wallet information. Beyond browsers, PureLog Stealer can also pillage messaging apps, email clients, remote access tools, FTP clients, cloud storage software, developer utilities, and password managers.
All stolen data is packaged and sent to attacker-controlled servers in encrypted form.
Enterprise Risk: More Than Just Stolen Passwords
The danger goes beyond a single compromised workstation. PureLog Stealer’s reach means a single infection can yield credentials, tokens, and keys that unlock larger parts of an organization’s network.
“In enterprise environments, information stealers are frequently the first stage of larger intrusion campaigns,” Securonix warns. “Stolen credentials may later be used to deploy ransomware, conduct data theft operations, perform business email compromise attacks, or facilitate long-term espionage activities.”
This makes Veil#Drop attacks a concern for security teams already stretched thin. The combination of trusted platforms, fileless execution, and multi-stage payloads demands detection strategies that go beyond signature matching.
Defending Against Blogspot-Based Malware Delivery
Organizations can reduce exposure by restricting PowerShell execution policies where possible and monitoring for anomalous outbound connections to cloud platforms like Blogspot. Behavioral detection tools that spot in-memory execution patterns offer another layer of defense.
User education also matters. The initial JavaScript lure relies on someone opening an attachment they weren’t expecting. A healthy dose of skepticism — and a clear policy on unsolicited documents — can stop the chain before it starts.
For more on related threats, see our coverage of the CryptoBandits malware doubling as a backdoor and the Rokarolla banking Trojan targeting 200 applications.