Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks

Securonix says the sophisticated framework abuses compromised websites, Blogspot, PowerShell, and fileless techniques to evade detection and deploy the PureLog information stealer.

Securonix has uncovered a sophisticated multi-stage malware delivery framework that uses compromised websites and social engineering to infect users with information stealers.

Dubbed Veil#Drop, the framework combines JavaScript launchers and PowerShell download cradles for the deployment and execution of malware hosted on Blogspot, Google’s trusted infrastructure.

The infection chain begins with a JavaScript file posing as a document, designed to launch PowerShell code and evade execution policies. The PowerShell retrieves additional payloads from attacker-controlled Blogspot pages.

The Blogspot-hosted payload displays a decoy document, terminates specific processes, and decrypts embedded content. The decoded code generates additional Blogspot URLs and executes subsequent payloads directly in memory.

“A second-stage loader contains XOR-encoded .NET assemblies stored as large embedded data blobs that are reconstructed and decrypted at runtime, preventing straightforward static analysis and reducing the effectiveness of signature-based detection mechanisms,” Securonix explains.

The sophisticated infection chain also contains several fallback mechanisms, abusing trusted Microsoft-signed binaries for code execution and defense evasion.

Advertisement. Scroll to continue reading.

“The combination of compromised websites, multi-extension masquerading, trusted cloud services, XOR-obfuscated payloads, reflective .NET loading, fileless execution, and LOLBIN abuse demonstrates a deliberate effort to evade traditional antivirus solutions, reduce forensic artifacts, and maintain operational stealth throughout the infection lifecycle,” Securonix notes.

In the end, the victim’s machine is infected with PureLog Stealer, a .NET-based information stealer that performs system reconnaissance and starts harvesting data from Google Chrome. Microsoft Edge, Firefox, Brave Browser, Opera, and Chromium-based browsers.

The malware targets credentials, cookies, autofill data, session tokens, browsing histories, and other sensitive information stored in the browsers. It also searches for cryptocurrency wallet information on the victim’s machine.

Additionally, PureLog Stealer can harvest information from messaging applications, email clients, remote access software, FTP clients, cloud storage applications, developer tools, and password managers. The malware packages the harvested information and sends it to attacker-controlled servers in an encrypted form.

Given PureLog Stealer’s extensive data harvesting capabilities, a single infected workstation could lead to broader environment compromise, depending on the credentials, tokens, keys, and other secrets stored on the system.

“In enterprise environments, information stealers are frequently the first stage of larger intrusion campaigns. Stolen credentials may later be used to deploy ransomware, conduct data theft operations, perform business email compromise attacks, or facilitate long-term espionage activities,” Securonix notes.

Related: Critical SimpleHelp Vulnerability Exploited for Malware Delivery

Related: CryptoBandits Malware Doubles as a Backdoor, Abuses Tor

Related: Rokarolla Banking Trojan Targets 200 Applications

Related: Infostealers Turn Millions of Devices Into Credential Theft Machines

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.