Veil#Drop Campaign Uses Blogspot to Deliver Info-Stealing Malware

Security researchers at Securonix uncovered a malware delivery framework that uses Google’s own Blogspot infrastructure to host malicious payloads. They’re calling it Veil#Drop.

The infection chain starts with a JavaScript file pretending to be a document. Click it, and it launches PowerShell code that reaches out to attacker-controlled Blogspot pages for the next stage. Since Blogspot is a trusted Google domain, it tends to fly under the radar.

What you see on screen is a decoy document. Meanwhile, the real payload — XOR-encoded .NET assemblies — gets reconstructed and decrypted in memory. That makes static analysis a nightmare and signature-based detection mostly useless.

The framework chains through multiple fallback mechanisms. It abuses legitimate Microsoft-signed binaries (LOLBINs) for execution and defense evasion. Everything runs in memory. No files hit the disk.

The endgame is PureLog Stealer, a .NET-based information stealer that scrapes credentials, cookies, session tokens, autofill data, and browsing history from Chrome, Edge, Firefox, Brave, Opera, and other Chromium browsers. It also hunts for cryptocurrency wallets, email clients, FTP clients, password managers, and developer tools.

A single infected machine can compromise an entire environment. Info stealers are often the first stage of bigger attacks — ransomware, data theft, business email compromise. The credentials PureLog grabs today could unlock a lot more tomorrow.

The takeaway: treat suspicious JavaScript files with extreme caution, and don’t assume trusted domains like Blogspot are safe just because Google owns them.