Ptechhub
VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer

By The Hacker News
July 1, 2026


Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs.

The activity has been codenamed VEIL#DROP by Securonix. It’s suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise, which occurs when an unsuspecting user lands on a website (legitimate or otherwise) under the attacker’s control.

“The infection chain begins with a deceptively named JavaScript file masquerading as a document (e.g., transcript.pdf.js), which executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.

At a high level, the PowerShell script is responsible for retrieving a next-stage payload hosted on Blogger (“htlwub00klocate.blogspot[.]com”), allowing the attackers to bypass reputation-based defenses by abusing Google’s trusted infrastructure as a stager and to blend in with legitimate web activity.

The downloaded PowerShell payload opens a benign web page such as Google as a decoy, creating the impression that a PDF document has been opened, while the infection sequence proceeds silently in the background and ultimately deploys PureLogs Stealer, a .NET-based infostealer known for harvesting a wide array of sensitive data from compromised hosts.

The PowerShell loader also attempts to ensure unrestricted execution of follow-up PowerShell commands, terminate selected processes such as “wscript.exe” (the script host that launched it) to shorten the forensic trail, delete “transcript.pdf.js” to remove the evidence of initial execution, and decrypt an embedded payload.

“Following successful XOR decryption, the loader transitions into one of the most evasive components of the VEIL#DROP framework: dynamic stage generation combined with runtime mutation,” Securonix explained. “Rather than using static indicators such as hard-coded URLs or predictable execution patterns, the malware constructs the next-stage payload location dynamically during execution.”

This involves building a unique blogspot[.]com URL for each execution by inserting a random number of extra forward slashes into the URL path. The server still resolves the request, but each run produces a different string, which defeats static URL signatures, indicator-based blocking, and URL-based filtering that compare the raw URL.
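The slash-padding trick is a URL-normalization gap: the web server treats “/p/x”, “//p/x” and “///p/x” as the same resource, while a signature or blocklist compares raw strings. The Python below is an added example (not code from the Securonix report or from the malware) that generates padded variants in the way the report describes and shows that canonicalizing the URL before matching, or matching on the host alone, closes the gap. The host is the stager indicator named above, refanged; the “/p/stage.html” path is an assumed placeholder, not a path the report gives.

```python
"""Canonicalize URLs before matching them against indicators.

Added example, not code from the Securonix report or the loader itself.
The host is the stager indicator from the report (refanged); the path
"/p/stage.html" is an assumed placeholder, not a path the report gives.
"""
import random
import re
from urllib.parse import urlsplit

STAGER_HOST = "htlwub00klocate.blogspot.com"
# A naive exact-string indicator list, as a URL filter or IOC feed would hold it.
BLOCKLIST = {f"https://{STAGER_HOST}/p/stage.html"}


def mutate_url(url: str, rng: random.Random) -> str:
    """Attacker-side variant: pad the start of the path with 1-8 extra slashes.

    Mirrors the behaviour the report describes; it is not the loader's own
    routine. Most HTTP servers tolerate repeated slashes, so the request
    still resolves, but each run yields a different string.
    """
    p = urlsplit(url)
    extra = "/" * rng.randint(1, 8)
    tail = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{p.netloc}{extra}{p.path or '/'}{tail}"


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, collapse slash runs in the path, drop the fragment."""
    p = urlsplit(url)
    path = re.sub(r"/{2,}", "/", p.path) or "/"
    tail = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{p.hostname or ''}{path}{tail}"


def exact_match(url: str, blocklist: set[str]) -> bool:
    """What a literal indicator list does: compare the raw string."""
    return url in blocklist


def normalized_match(url: str, blocklist: set[str]) -> bool:
    """Compare after canonicalizing both sides."""
    canon = {normalize_url(u) for u in blocklist}
    return normalize_url(url) in canon


def host_match(url: str, hosts: set[str]) -> bool:
    """Coarser but mutation-proof: match on the host alone."""
    return (urlsplit(url).hostname or "").lower() in hosts


# Constructed sample input: five padded variants of the blocklisted URL,
# generated with a fixed seed so the run is reproducible.
_RNG = random.Random(2026)
VARIANTS = [mutate_url(next(iter(BLOCKLIST)), _RNG) for _ in range(5)]

if __name__ == "__main__":
    for v in VARIANTS:
        print(v)
        print(f"  exact={exact_match(v, BLOCKLIST)}"
              f" normalized={normalized_match(v, BLOCKLIST)}"
              f" host={host_match(v, {STAGER_HOST})}")
```

Canonicalize on both sides of the comparison, not just the indicator list. And because every variant still lands on the same blogspot host, a host- or domain-level indicator is the more robust pivot than a full URL; whether a given server actually tolerates the repeated slashes is server-specific, which is exactly why the attacker tested it against Blogger.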

In addition, the decoded script introduces runtime mutation and polymorphism by replacing placeholder values within the script with randomly generated strings and values during execution. This variability is designed to defeat script signatures and file hashes, thereby preventing reliable detection.

The reconstructed script is then executed entirely in memory, leaving no artifacts on disk. This component functions as a loader responsible for decoding and running the core malware component, a .NET assembly that is launched using a technique known as reflective code loading.

In the event security controls or other environmental restrictions prevent it from executing the recovered .NET assemblies directly from memory, the loader falls back to Microsoft-signed binaries such as “regsvcs.exe,” “installutil.exe,” “msbuild.exe,” and “aspnet_compiler.exe” to accomplish the same goal without attracting attention.

Because these binaries are signed by Microsoft and already present on the system, this living-off-the-land (LotL) approach lets the attackers’ activity blend in with legitimate administrative and build tooling and fly under the radar.

“One of the most notable aspects of the loader is that it does not depend on any single LOLBin,” the researchers pointed out. “Instead, execution follows a cascading model, attempting each method until one succeeds.”
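Every hop in this chain leaves a process-creation record (Sysmon Event ID 1, or Windows Security event 4688 with command-line auditing enabled): wscript.exe launched on a document-named .js file, wscript.exe spawning powershell.exe with an execution-policy bypass, and powershell.exe spawning one of the signed .NET binaries named above. The Python below is an added example, not code from the report or from Securonix, that runs those three checks over constructed events; the PIDs, paths and command lines are made up for the demonstration.

```python
"""Detection logic for the VEIL#DROP process chain over constructed events.

Added example, not from the Securonix report. The events below are made up
to resemble Sysmon Event ID 1 / Security 4688 records.
"""
import re
from dataclasses import dataclass
from typing import Iterable

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Signed .NET binaries the report names as the loader's fallback cascade.
DOTNET_LOLBINS = {"regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta"}

# -ExecutionPolicy Bypass/Unrestricted, including the -ep/-ex/-exec short forms
# that powershell.exe accepts as unambiguous prefixes.
EXEC_POLICY_RE = re.compile(r"-(?:e[xp]\w*)\s+(?:bypass|unrestricted)", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def double_extension(name: str):
    """Return (inner, outer) if name looks like document.<docext>.<scriptext>."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in SCRIPT_EXTS:
        return parts[1], parts[2]
    return None


def script_argument(cmdline: str):
    """First command-line token (quoted or bare) that ends in a script extension."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        tok = quoted or bare
        if basename(tok).rsplit(".", 1)[-1] in SCRIPT_EXTS:
            return tok
    return None


def detect(events: Iterable[ProcessEvent]) -> list:
    """Return (rule_name, pid) pairs for each event that matches a chain stage."""
    hits = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if img in SCRIPT_HOSTS:
            arg = script_argument(ev.command_line)
            if arg and double_extension(basename(arg)):
                hits.append(("masqueraded_script", ev.pid))
        if img in SHELLS:
            if parent in SCRIPT_HOSTS:
                hits.append(("script_host_spawns_powershell", ev.pid))
            if EXEC_POLICY_RE.search(ev.command_line):
                hits.append(("execution_policy_bypass", ev.pid))
        if img in DOTNET_LOLBINS and parent in SHELLS:
            hits.append(("powershell_spawns_dotnet_lolbin", ev.pid))
    return hits


# Constructed sample events: three stages of the chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(4100, r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\transcript.pdf.js"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -ep Bypass -w hidden -File C:\Users\u\AppData\Local\Temp\stage.ps1",
                 r"C:\Windows\System32\wscript.exe"),
    ProcessEvent(4150, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe",
                 r"regsvcs.exe C:\Users\u\AppData\Local\Temp\stage.dll",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(5000, r"C:\Windows\System32\wscript.exe",          # benign: plain .js
                 r'"C:\Windows\System32\wscript.exe" "C:\Scripts\inventory.js"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(5010, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe",  # benign: IDE build
                 r"msbuild.exe build.proj",
                 r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid}")
```

The parent-child relationship is the durable signal here: regsvcs.exe, installutil.exe, msbuild.exe and aspnet_compiler.exe all have legitimate uses, but powershell.exe is rarely their parent outside a build pipeline, so baseline that relationship per host and alert on deviations rather than on the binaries alone. The cascading fallback also means one rule per LOLBin is not enough; match the whole set, and treat a hit on any stage as a reason to pull the others for the same session.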

The impact of a stealer infection typically goes beyond the initially compromised endpoint, as the harvested data can act as a stepping stone to burrow deeper into the target environment, establish persistence, perform lateral movement, and even breach its cloud infrastructure.

“The combination of compromised websites, multi-extension masquerading, trusted cloud services, XOR-obfuscated payloads, reflective .NET loading, fileless execution, and LOLBIN abuse demonstrates a deliberate effort to evade traditional antivirus solutions, reduce forensic artifacts, and maintain operational stealth throughout the infection lifecycle,” Securonix said.


