Researchers have identified a multi-stage malware campaign dubbed VEIL#DROP that uses social engineering, Google Blogspot/Blogger pages, and native Windows tooling to deliver the PureLogs information stealer. The infection chain starts with a JavaScript file disguised as a document, including filenames such as transcript.pdf.js, which executes through Windows Script Host and launches PowerShell with execution-policy bypasses. Additional stages are then retrieved from attacker-controlled Blogspot pages, decrypted with XOR routines, and loaded largely in memory to limit forensic evidence on disk.
The malware chain uses dynamic URL generation, runtime mutation, reflective .NET loading, and fallback execution through Microsoft-signed living-off-the-land binaries including regsvcs.exe, installutil.exe, msbuild.exe, and aspnet_compiler.exe when direct in-memory execution is blocked. Researchers said the final PureLogs payload can steal browser credentials, cookies, autofill data, browsing history, cryptocurrency wallet information, and system details, creating a path for broader compromise that could extend to lateral movement and cloud intrusion while blending into legitimate administrative activity.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Researchers described a multi-stage malware delivery chain dubbed VEIL#DROP that uses a JavaScript lure, PowerShell, Blogger/Blogspot-hosted staging pages, in-memory execution, and Microsoft-signed LOLBins to deploy the PureLogs/PureLog information stealer.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.