{"id":284636,"date":"2026-07-01T13:18:00","date_gmt":"2026-07-01T17:18:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/01\/veildrop-malware-chain-uses-blogger-platform-to-deliver-purelogs-stealer\/"},"modified":"2026-07-01T17:45:11","modified_gmt":"2026-07-01T21:45:11","slug":"veildrop-malware-chain-uses-blogger-platform-to-deliver-purelogs-stealer","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/01\/veildrop-malware-chain-uses-blogger-platform-to-deliver-purelogs-stealer\/","title":{"rendered":"VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/veildrop-malware-chain-uses-blogger.html\">VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/veildrop-malware-chain-uses-blogger.html\">https:\/\/thehackernews.com\/2026\/07\/veildrop-malware-chain-uses-blogger.html<\/a><\/p>\n<p>Publish Date: 2026-07-01 13:18:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs.<\/p>\n<p>The activity has been codenamed VEIL#DROP by Securonix. 
It&#8217;s suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise, which occurs when an unsuspecting user lands on a website (legitimate or otherwise) under the attacker&#8217;s control.<\/p>\n<p>&#8220;The infection chain begins with a deceptively named JavaScript file masquerading as a document (e.g., transcript.pdf.js), which executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled,&#8221; researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.<\/p>\n<p>At a high level, the PowerShell script is responsible for retrieving a next-stage payload hosted on Blogger (&#8220;htlwub00klocate.blogspot[.]com&#8221;), allowing the attackers to bypass reputation-based defenses by abusing Google&#8217;s trusted infrastructure as a stager and to blend in with legitimate web activity.<\/p>\n<p>The downloaded PowerShell payload acts as a conduit for loading a benign web page like Google, creating the impression that a PDF document has been opened, while the infection sequence proceeds silently in the background, ultimately leading to the deployment of PureLogs Stealer, a .NET-based infostealer known for harvesting a wide array of sensitive data from compromised hosts.<\/p>\n<p>The PowerShell loader also attempts to ensure unrestricted execution of follow-up PowerShell commands, terminate selected processes such as &#8220;wscript.exe&#8221; to minimize the forensic trail, delete &#8220;transcript.pdf.js&#8221; to eliminate evidence of execution, and decrypt an embedded payload.<\/p>\n<p>&#8220;Following successful XOR decryption, the loader transitions into one of the most evasive components of the VEIL#DROP framework: dynamic stage generation combined with runtime mutation,&#8221; Securonix explained. 
&#8220;Rather than using&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/veildrop-malware-chain-uses-blogger.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer https:\/\/thehackernews.com\/2026\/07\/veildrop-malware-chain-uses-blogger.html Publish Date: 2026-07-01 13:18:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":284637,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj3OuCh7SjXAd7hG_0Q0p__EmpV5MwYh0fOfMZHc1wxRHpsCN9qlonLr93NB6-iJMWJd6nv8VoMqSt9hWW34H7R7tpoGuhkn1mkEL8UgsiUIfNxh9L1Bh0Qpvt0xrX9Pqq6rw1vb-0CEC3KLAT5N7fdlgEHWnYVDyeuUHt2pD59vugSKLaC9n8-LBLoqV0Y\/s1600\/blogger.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,35,36,32,25],"class_list":["post-284636","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-hacker","tag-infostealer","tag-malware","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/284636"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=284636"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/284636\/revisions"}],"predecessor-version":[{"id":284638,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/284636\/revisions\/284638"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp
-json\/wp\/v2\/media\/284637"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=284636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=284636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=284636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}