Securonix Uncovers VEILDROP Malware Campaign Using Blogger To Deliver PureLogs Stealer

Cybersecurity researchers at Securonix have identified a new multi-stage malware campaign, named VEILDROP, that uses social engineering and Google’s Blogger platform to deliver the PureLogs information stealer. According to the researchers, the attack chain relies on either spear-phishing or drive-by compromise to gain an initial foothold on victim systems. In a drive-by compromise scenario, users become infected simply by visiting a website under the attacker’s control, whether that site is attacker-built or a legitimate website that has been compromised. The campaign demonstrates how threat actors continue to abuse trusted online platforms to bypass conventional security controls while disguising malicious activity as normal web traffic. Researchers found that the attack uses multiple layers of obfuscation, fileless execution methods and trusted Windows components to reduce forensic evidence and avoid detection by traditional antivirus solutions.

According to Securonix, the infection begins with a JavaScript file disguised as a legitimate document, using filenames such as transcript.pdf.js to convince users that they are opening a harmless PDF. When executed through Windows Script Host, the script launches PowerShell with execution policy restrictions disabled, allowing it to retrieve an additional payload hosted on a Blogger page. By abusing Blogger as a staging platform, attackers benefit from Google’s trusted infrastructure, making the malicious network activity appear legitimate and reducing the likelihood that reputation-based security systems block the connection. The downloaded PowerShell payload simultaneously opens a legitimate webpage, such as Google, to create the illusion that the expected document has been displayed while the malware continues operating silently in the background. During execution, the loader attempts to remove traces of the infection by terminating selected processes, including wscript.exe, deleting the original JavaScript file used in the attack and preparing additional encrypted payloads for execution. Its primary objective is to deploy PureLogs Stealer, a .NET-based information-stealing malware capable of collecting a broad range of sensitive information from compromised systems.

Researchers explained that one of the campaign’s most notable characteristics is its use of dynamic stage generation and runtime mutation to evade detection. After decrypting embedded components with XOR-based techniques, the malware avoids relying on fixed indicators by constructing its next-stage download location dynamically during execution. Instead of using a static Blogger address, it generates unique blogspot URLs by inserting varying numbers of forward slashes into the address, allowing it to bypass static URL signatures, filtering mechanisms and indicator-based blocking. The malware also modifies itself at runtime by replacing placeholder values with randomly generated strings and variable names, introducing polymorphic behavior that changes its appearance on every execution. This approach makes traditional file hash matching and script signature detection significantly less effective. Once reconstructed, the next stage executes entirely in memory without writing files to disk. The malware then uses reflective code loading to launch a .NET assembly directly from memory, further minimizing forensic artifacts that could assist incident responders during investigations.
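The slash-padding trick described above defeats exact-string indicator matching. The Python below is an added example (not code from Securonix’s report) that canonicalizes URLs before comparing them against a blocklist and flags doubled slashes on blogspot hosts; the blocklist entry and proxy log lines are constructed placeholders, not indicators from the campaign.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder: the canonical form of a staging URL a defender has
# blocklisted. This is not a real indicator from the report.
BLOCKLIST = {"https://example-staging.blogspot.com/p/stage2.html"}

def normalize_url(url: str) -> str:
    """Canonicalize a URL so slash-padded variants collapse to one form."""
    parts = urlsplit(url.strip())
    host = parts.netloc.lower()
    # Collapse every run of slashes in the path to a single slash; an empty
    # path becomes "/" so "host" and "host/" compare equal.
    path = re.sub(r"/+", "/", parts.path) or "/"
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))

def classify(url: str) -> str:
    """Return 'blocked', 'suspicious' or 'allow' for one proxy-log URL."""
    if normalize_url(url) in BLOCKLIST:
        return "blocked"
    raw = urlsplit(url)
    # Heuristic: a browser does not emit doubled slashes in a blogspot path on
    # its own, so it is worth reviewing even without a matching indicator.
    if raw.netloc.lower().endswith(".blogspot.com") and "//" in raw.path:
        return "suspicious"
    return "allow"

def scan(lines):
    """Classify every URL in an iterable of proxy-log URLs."""
    return [(u, classify(u)) for u in lines]

# Constructed proxy log lines (not from the report). The second entry slips
# past a raw string compare against BLOCKLIST but not past classify().
SAMPLE_LOG = [
    "https://example-staging.blogspot.com/p/stage2.html",
    "https://example-staging.blogspot.com///p//stage2.html",
    "https://other-blog.blogspot.com//p/notes.html",
    "https://www.google.com/",
]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:<10} {url}")
```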

Securonix also observed that the malware includes multiple fallback execution techniques to ensure successful deployment even when security products prevent direct in-memory execution. Rather than depending on a single Microsoft-signed utility, the loader follows a cascading execution model that sequentially tries several trusted Windows binaries, including regsvcs.exe, installutil.exe, msbuild.exe and aspnet_compiler.exe, until one successfully launches the malicious payload. This living-off-the-land approach lets attackers abuse legitimate software already present on Windows systems, helping malicious activity blend in with normal operating system processes. Researchers noted that the consequences of a PureLogs infection extend well beyond the initially compromised endpoint, because stolen credentials and other sensitive information can give attackers opportunities to establish persistence, move laterally across enterprise environments and potentially access connected cloud infrastructure. According to Securonix, the combination of compromised websites, deceptive file naming, trusted cloud services, XOR obfuscation, reflective .NET loading, fileless execution and extensive abuse of legitimate Windows utilities demonstrates a carefully designed effort to remain hidden throughout the entire infection lifecycle while reducing the opportunities for conventional security tools to detect or interrupt the attack.
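As an added example covering both the double-extension script launched through Windows Script Host and the LOLBin fallback cascade described in this article (not code from Securonix), the Python below runs a few detection rules over constructed Sysmon-style process-creation events. PIDs, paths and command-line arguments are illustrative placeholders.

```python
import re
from collections import defaultdict

# Trusted .NET binaries the report says the loader tries in turn.
LOLBINS = {"regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
EP_OFF = re.compile(r"-(?:ep|exec(?:utionpolicy)?)\s+(?:bypass|unrestricted)", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|txt)\.js\b", re.IGNORECASE)

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(pid, ppid, parent, image, cmdline):
    """Rule names triggered by one process-creation event (Sysmon-style fields)."""
    p, c, hits = basename(parent), basename(image), []
    if c == "wscript.exe" and DOUBLE_EXT.search(cmdline):
        hits.append("wsh_runs_double_extension_script")
    if p == "wscript.exe" and c == "powershell.exe" and EP_OFF.search(cmdline):
        hits.append("wsh_spawns_powershell_policy_bypass")
    if p == "powershell.exe" and c in LOLBINS:
        hits.append("powershell_spawns_dotnet_lolbin")
    return hits

def detect(events, cascade_threshold=2):
    """Per-event hits, plus one cascade alert when a single PowerShell parent tries several LOLBins."""
    alerts, lolbins_by_parent = [], defaultdict(set)
    for pid, ppid, parent, image, cmdline in events:
        for rule in score_event(pid, ppid, parent, image, cmdline):
            alerts.append((pid, rule))
            if rule == "powershell_spawns_dotnet_lolbin":
                lolbins_by_parent[ppid].add(basename(image))
    for ppid, bins in lolbins_by_parent.items():
        if len(bins) >= cascade_threshold:
            alerts.append((ppid, "lolbin_fallback_cascade"))
    return alerts

# Constructed events as (pid, ppid, parent image, image, command line);
# paths and arguments are illustrative, not indicators from the report.
SAMPLE_EVENTS = [
    (100, 50, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\u\Downloads\transcript.pdf.js"'),
    (101, 100, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -w hidden -c <stage-loader>"),
    (102, 101, "powershell.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe", "regsvcs.exe <args>"),
    (103, 101, "powershell.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe", "installutil.exe <args>"),
    (104, 50, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

The cascade rule is the one worth keeping even if the individual LOLBin names change: one PowerShell process spawning two or more different .NET utilities in succession is rare in normal administration.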
