Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs.

The activity has been codenamed VEIL#DROP by Securonix. It’s suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise, which occurs when an unsuspecting user lands on a website (legitimate or otherwise) under the attacker’s control.

“The infection chain begins with a deceptively named JavaScript file masquerading as a document (e.g., transcript.pdf.js), which executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.

At a high level, the PowerShell script is responsible for retrieving a next-stage payload hosted on Blogger (“htlwub00klocate.blogspot[.]com”), allowing the attackers to bypass reputation-based defenses by abusing Google’s trusted infrastructure as a stager and to blend in with legitimate web activity.

The downloaded PowerShell payload acts as a conduit for loading a benign web page such as Google, creating the impression that a PDF document has been opened, while the infection sequence proceeds silently in the background, ultimately leading to the deployment of PureLogs Stealer, a .NET-based infostealer known for harvesting a wide array of sensitive data from compromised hosts.

The PowerShell loader also attempts to ensure unrestricted execution of follow-up PowerShell commands, terminate selected processes such as “wscript.exe” to minimize its forensic trail, delete “transcript.pdf.js” to eliminate evidence of execution, and decrypt an embedded payload.

“Following successful XOR decryption, the loader transitions into one of the most evasive components of the VEIL#DROP framework: dynamic stage generation combined with runtime mutation,” Securonix explained. “Rather than using static indicators such as hard-coded URLs or predictable execution patterns, the malware constructs the next-stage payload location dynamically during execution.”

This involves building a unique blogspot[.]com URL for each execution by inserting a random number of forward slashes into the URL string, so as to bypass static URL signatures, indicator-based blocking, and URL-based filtering mechanisms.

In addition, the decoded script introduces runtime mutation and polymorphism by replacing placeholder values within the script with randomly generated strings and values during execution. This variability is designed to defeat script signatures and file hashes, thereby preventing reliable detection.
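Because the loader mutates its script text and its download URL on every run, detection has to key on behaviour and on the canonical host rather than on file hashes or literal URL strings. As an added defender-side example (not code from the Securonix report), this Python snippet flags the wscript.exe-to-PowerShell launch described above over constructed process-creation events, and collapses the random slash runs so that blocklist matching sees one host. The event field names, sample paths and the `<blob>` placeholder are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation events in the shape of EDR/Sysmon telemetry
# (not real telemetry); the first mirrors the chain described in the report.
EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "parent_cmd": r'wscript.exe "C:\Users\alice\Downloads\transcript.pdf.js"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -NoProfile -w hidden -c <blob>"},
    {"parent": r"C:\Windows\explorer.exe", "parent_cmd": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
]

# Document-looking name followed by a script-host extension, e.g. transcript.pdf.js
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(js|jse|vbs|vbe|wsf|hta)\b", re.I)
EP_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass\b", re.I)

def flag_event(ev):
    """Return the reasons a process-creation event resembles this chain."""
    reasons = []
    parent, image = ev["parent"].lower(), ev["image"].lower()
    if parent.endswith("wscript.exe") and image.endswith("powershell.exe"):
        reasons.append("wscript.exe spawned powershell.exe")
    if DOUBLE_EXT.search(ev["parent_cmd"]):
        reasons.append("script host opened a double-extension document lure")
    if EP_BYPASS.search(ev["cmd"]):
        reasons.append("execution policy bypass on the command line")
    return reasons

def normalize_url(url):
    """Collapse every run of '/' (except the one after the scheme) so all
    slash-stuffed variants of a URL canonicalise to the same string."""
    scheme, sep, rest = url.partition("://")
    if not sep:  # no scheme: just collapse slash runs
        return re.sub(r"/{2,}", "/", url)
    return scheme + sep + re.sub(r"/{2,}", "/", rest.lstrip("/"))

def canonical_host(url):
    """Host of the canonical URL (empty string if none could be parsed)."""
    return (urlsplit(normalize_url(url)).hostname or "").lower()

def matches_blocklist(url, blocked_hosts):
    """Match on the canonical host, not the literal URL string."""
    return canonical_host(url) in blocked_hosts

# Stager host from the report, defanged on the page; refanged here for matching.
BLOCKED = {"htlwub00klocate.blogspot[.]com".replace("[.]", ".")}
```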

The reconstructed script is finally executed entirely in memory without leaving any artifacts on disk. This component functions as a loader responsible for decoding and running the core malware component, which is nothing but a .NET assembly that’s launched using a…


Last Update: July 1, 2026