VYPR Research · Published Jul 1, 2026 · 1 source

Veil#Drop Campaign Abuses Google Blogspot for Fileless PureLog Stealer Deployment

A new fileless malware campaign dubbed Veil#Drop leverages Google's Blogspot platform to distribute the PureLog Stealer, evading traditional defenses by executing entirely in memory.

A sophisticated fileless malware campaign, identified by Securonix Threat Research as Veil#Drop, is actively exploiting Google's Blogspot platform to deliver the PureLog Stealer infostealer. This novel approach allows attackers to steal sensitive credentials and data directly from a victim's memory, significantly reducing the digital footprint left on disk and bypassing conventional file-based detection mechanisms.

The attack chain begins when a victim opens a malicious file disguised as a document on a compromised website. Because Windows hides known file extensions by default, the file appears to be an innocuous document such as a PDF. It is actually a script that runs under the Windows Script Host, which in turn launches PowerShell with its security features disabled. This initial compromise is the gateway for the subsequent stages of the attack.

Once PowerShell is active, it proceeds to fetch subsequent attack stages directly from attacker-controlled Blogspot pages. Crucially, these stages are executed entirely in memory, meaning no malicious files are written to the victim's hard drive. The use of Google's legitimate infrastructure for hosting these payloads helps the malicious traffic blend seamlessly with normal web activity, making it more likely to evade reputation-based security defenses.

To further obscure its operations, the Veil#Drop campaign XOR-encodes its payloads with a custom scheme. The encoded content is decoded only at runtime, adding another layer of obfuscation. The researchers observed that the final loader reconstructs two .NET assemblies from this encoded data and loads them directly into memory via reflection, so no executable is ever written to disk for antivirus software to scan.

Should the primary delivery path be blocked, Veil#Drop has a fallback mechanism. It attempts to execute its payload using trusted, Microsoft-signed binaries, often referred to as Living Off The Land Binaries (LOLBINS). Utilities such as RegSvcs, InstallUtil, and MSBuild are cycled through until one successfully executes the malicious code. Because these are legitimate system utilities, their use can often bypass application control and allowlisting security policies.

Upon successful execution, the PureLog Stealer commences its data-gathering operations. It goes beyond simple credential theft, actively scanning the compromised system for browser passwords, session cookies, autofill data, cryptocurrency wallet information, and general host details. The theft of session cookies is particularly concerning, as it can allow attackers to bypass multi-factor authentication (MFA) by hijacking active user sessions.

Securonix highlights that the operators behind such information-stealing malware typically sell the harvested credentials on underground marketplaces. This provides other threat actors with access to compromised accounts and environments, potentially leading to further downstream attacks. The company advises security defenders to focus on monitoring for the behavioral indicators associated with Veil#Drop, such as PowerShell connections to Blogspot or the spawning of .NET utilities, rather than relying solely on static file signatures.
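The behavioral indicators named above (a script host spawning PowerShell with security features disabled, PowerShell reaching out to Blogspot, PowerShell spawning RegSvcs, InstallUtil or MSBuild) can be expressed as simple detection rules. The following is an added example, not code from Securonix or this article; it assumes a flattened Sysmon-style event schema (fields `type`, `image`, `parent`, `cmdline`, `dest_host`) and uses constructed sample events.

```python
import re

# Constructed sample telemetry (Sysmon-style process-create and network events,
# flattened to dicts). These are illustrative, not real Veil#Drop logs.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c <stage>"},
    {"type": "network", "image": "powershell.exe",
     "dest_host": "example-payload.blogspot.com"},
    {"type": "process", "parent": "powershell.exe", "image": "RegSvcs.exe",
     "cmdline": "RegSvcs.exe C:\\Users\\Public\\payload.dll"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},          # benign admin use
    {"type": "network", "image": "chrome.exe",
     "dest_host": "myblog.blogspot.com"},                    # benign browsing
    {"type": "process", "parent": "devenv.exe", "image": "MSBuild.exe",
     "cmdline": "MSBuild.exe app.csproj"},                   # benign build
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOTNET_LOLBINS = {"regsvcs.exe", "installutil.exe", "msbuild.exe"}
BLOGSPOT_RE = re.compile(r"(^|\.)blogspot\.com$", re.IGNORECASE)
# PowerShell switches that disable policy, profile or the visible window.
WEAK_FLAGS_RE = re.compile(
    r"-(ep|executionpolicy)\s+bypass|-nop\b|-noprofile\b|-w(indowstyle)?\s+hidden",
    re.IGNORECASE)


def classify(event):
    """Return the list of rule names an event triggers (empty if benign)."""
    alerts = []
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    if event["type"] == "process":
        if image == "powershell.exe" and parent in SCRIPT_HOSTS:
            alerts.append("script_host_spawns_powershell")
        if image == "powershell.exe" and WEAK_FLAGS_RE.search(event.get("cmdline", "")):
            alerts.append("powershell_security_bypass_flags")
        if image in DOTNET_LOLBINS and parent == "powershell.exe":
            alerts.append("powershell_spawns_dotnet_lolbin")
    elif event["type"] == "network":
        if image == "powershell.exe" and BLOGSPOT_RE.search(event.get("dest_host", "")):
            alerts.append("powershell_to_blogspot")
    return alerts


def scan(events):
    """Run every event through the rules; return {event_index: [alerts]} for hits only."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```

Note that the benign Chrome-to-Blogspot and Visual Studio-to-MSBuild events produce no alert; the rules key on the process lineage the page describes, not on the destination or binary alone.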

The Veil#Drop campaign exemplifies the ongoing trend of threat actors leveraging legitimate cloud services and fileless techniques to conduct stealthy and effective attacks. Its multi-stage delivery, in-memory execution, and use of LOLBINS present a significant challenge for traditional security solutions, underscoring the need for advanced threat detection capabilities that focus on behavior and process anomalies.

Synthesized by Vypr AI