Full Report
Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs. The activity has been codenamed VEIL#DROP by Securonix. It's suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise, which occurs when an unsuspecting user lands on
Analysis Summary
# Tool/Technique: VEIL#DROP (PureLogs Stealer)
## Overview
VEIL#DROP is a sophisticated, multi-stage malware delivery framework designed to deploy the **PureLogs** information stealer. It leverages social engineering, abuses legitimate cloud infrastructure (Google Blogger), and employs advanced evasion techniques such as runtime mutation and reflective code loading to bypass security controls.
## Technical Details
- **Type:** Malware delivery chain (Loader) / Information Stealer (PureLogs)
- **Platform:** Windows
- **Capabilities:** Evades static/behavioral detection, reflective loading, fileless execution, and sensitive data exfiltration.
- **First Seen:** Reported July 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566 - Phishing] (Spear-phishing suspected)
- [T1189 - Drive-by Compromise]
- **[TA0002 - Execution]**
- [T1059.001 - PowerShell]
- [T1059.007 - JavaScript/JScript]
- [T1204.002 - Malicious File]
- **[TA0005 - Defense Evasion]**
- [T1027 - Obfuscated Files or Information] (XOR and runtime mutation)
- [T1620 - Reflective Code Loading]
- [T1218 - System Binary Proxy Execution] (regsvcs.exe, installutil.exe, etc.)
- [T1102.001 - Web Service: Dead Drop Resolver] (Blogger Pages)
- [T1070.004 - File Deletion]
- **[TA0009 - Collection]**
- [T1539 - Steal Web Session Cookie]
- [T1555 - Credentials from Web Browsers]
## Functionality
### Core Capabilities
- **Multi-Extension Masquerading:** Uses files like `transcript.pdf.js` to trick users into executing JavaScript via Windows Script Host (WSH).
- **Abuse of Trusted Infrastructure:** Uses `blogspot.com` to host next-stage PowerShell payloads, blending in with legitimate traffic.
- **Data Exfiltration:** PureLogs targets browser credentials, session cookies, and other sensitive system information.
### Advanced Features
- **Dynamic Stage Generation:** Constructs C2 URLs at runtime with a random number of forward slashes to bypass static URL filtering and signatures.
- **Runtime Mutation/Polymorphism:** Replaces script placeholders with random strings during execution, rendering file hash-based detection ineffective.
- **Cascading Fallback Execution:** If reflective memory loading fails, the loader attempts to use a series of Microsoft-signed **LOLBins** (`regsvcs.exe`, `installutil.exe`, `msbuild.exe`, `aspnet_compiler.exe`) until execution succeeds.
- **Anti-Forensics:** Terminating `wscript.exe` processes and deleting the initial dropper child files to leave a minimal footprint.
## Indicators of Compromise
- **File Names:** `transcript.pdf.js` (and similar document-impersonating names)
- **Network Indicators:**
- `htlwub00klocate.blogspot[.]com`
- `blogspot[.]com` (patterns involving varying numbers of forward slashes)
- **Behavioral Indicators:**
- Unexpected `powershell.exe` execution with `-ExecutionPolicy Bypass`.
- Legitimate signed binaries (e.g., `InstallUtil.exe`) making unusual network connections.
- Unexpected termination of `wscript.exe`.
## Associated Threat Actors
- **VEIL#DROP** (Activity name assigned by Securonix; specific group attribution currently undisclosed).
## Detection Methods
- **Behavioral Detection:** Monitor for PowerShell processes spawning from Windows Script Host or utilizing encoded commands and reflective loading indicators.
- **Network Monitoring:** Inspect traffic to known blogging platforms for unusual URI patterns (multiple slashes) or high-frequency polling.
- **Memory Forensics:** Scan for obfuscated .NET assemblies residing in memory without a corresponding file on disk.
## Mitigation Strategies
- **Prevention:** Disable Windows Script Host (WSH) if not required for business operations.
- **Hardening:** Implement strict PowerShell Execution Policies and enable Script Block Logging to gain visibility into obfuscated scripts.
- **Application Whitelisting:** Restrict the use of LOLBins like `msbuild.exe` or `installutil.exe` to only authorized administrators or developers.
## Related Tools/Techniques
- **PureLogs Stealer:** The final payload (a variant of the PureRAT family).
- **Living-off-the-Land (LotL):** Use of signed Microsoft binaries for evasion.
- **Reflective Loading:** Loading DLLs/Assemblies from memory to avoid disk-level detection.