Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks
Securonix identified Veil#Drop, a sophisticated multi-stage malware framework leveraging compromised websites and social engineering to deploy information stealers. The attack chain utilizes JavaScript launchers and PowerShell download cradles to fetch payloads from trusted Blogspot infrastructure, employing XOR encoding and reflective .NET loading to evade static analysis. Final payload, PureLog Stealer, harvests extensive sensitive data including browser credentials, cookies, session tokens, a
Analysis
TL;DR
- Securonix identified Veil#Drop, a sophisticated multi-stage malware framework leveraging compromised websites and social engineering to deploy information stealers.
- The attack chain utilizes JavaScript launchers and PowerShell download cradles to fetch payloads from trusted Blogspot infrastructure, employing XOR encoding and reflective .NET loading to evade static analysis.
- Final payload, PureLog Stealer, harvests extensive sensitive data including browser credentials, cookies, session tokens, and cryptocurrency wallet information from multiple applications.
- The framework employs defense evasion techniques such as process termination, LOLBIN abuse, and fileless execution to minimize forensic artifacts and maintain operational stealth.
- Infected workstations serve as entry points for broader enterprise compromises, potentially leading to ransomware deployment, data theft, or business email compromise attacks.
Why It Matters
This case highlights the increasing trend of threat actors abusing trusted cloud services like Blogspot to host malicious payloads, making detection significantly harder for traditional security controls. It underscores the critical risk posed by information stealers as initial access brokers in complex intrusion campaigns, necessitating robust monitoring of user behavior and application integrity.
Technical Details
- Delivery Mechanism: The infection begins with a JavaScript file masquerading as a document, which launches PowerShell code to bypass execution policies and retrieve further payloads from attacker-controlled Blogspot pages.
- Evasion Techniques: The framework uses XOR-encoded .NET assemblies stored as large embedded data blobs, reconstructed and decrypted at runtime. It also employs reflective .NET loading and fileless execution to avoid signature-based detection.
- Payload Execution: The Blogspot-hosted payload displays a decoy document, terminates specific security-related processes, and generates additional URLs to execute subsequent stages directly in memory.
- Data Harvesting: PureLog Stealer targets credentials, cookies, autofill data, and session tokens from major browsers (Chrome, Edge, Firefox, Brave, Opera) and harvests data from messaging apps, email clients, password managers, and crypto wallets.
- Exfiltration: Harvested data is packaged and sent to attacker-controlled servers in encrypted form, ensuring confidentiality during transmission.
Industry Insight
Security teams should prioritize monitoring for unusual PowerShell activity and script execution from cloud storage platforms, as these are becoming common vectors for initial access. Organizations must implement strict egress filtering and behavioral analytics to detect early-stage credential harvesting and lateral movement attempts initiated by information stealers.
Disclaimer: The above content is generated by AI and is for reference only.