Cybersecurity researchers have uncovered a novel attack chain dubbed VEIL#DROP that leverages the Blogger platform to stage a multi-stage information-stealing campaign. Securonix identified the activity, which ultimately deploys a malware variant known as PureLogs. Initial infection vectors likely include spear-phishing emails or drive-by compromises, in which an unsuspecting user follows a malicious link.
The chain's reliance on a legitimate blogging service for payload hosting makes detection more difficult, as Blogger domains may evade traditional blocklists. PureLogs is an infostealer designed to harvest credentials, browser data, and other sensitive information from compromised systems. Securonix has not yet disclosed the full geographic spread or estimated victim count.
Technical analysis indicates the attack unfolds in multiple stages. After initial access, the victim is redirected through a deceptive Blogger page that hosts further payloads. The malware then communicates with command-and-control infrastructure to exfiltrate stolen data. Specific indicators of compromise have not been publicly detailed by Securonix as of this writing.
Mitigation recommendations include blocking unauthorized access to Blogger at the network level during incident response, deploying endpoint detection rules for suspicious PowerShell or script execution, and educating users about spear-phishing risks. No patches are applicable since this is a social engineering and abuse-of-trust campaign rather than a software vulnerability.
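As an added illustration of the detection recommendation above (not part of the Securonix findings), the following Python sketch flags scripting hosts that contact Blogger domains, reference Blogger URLs on their command line, or run with hidden or encoded arguments. The sample events, file paths and detection names are constructed assumptions, not indicators from the campaign.

```python
"""Added example (not from the Securonix report): flag scripting hosts that touch
Blogger-hosted content. All events below are constructed samples, not campaign IoCs."""
import re
from typing import Optional

# A browser reaching Blogger is routine; a scripting engine doing so is the gap a plain blocklist misses.
BLOGGER_DOMAINS = ("blogspot.com", "blogger.com")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
URL_HOST = re.compile(r"https?://([^/\s'\"]+)", re.I)
HIDDEN_OR_ENCODED = re.compile(r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s+\S+)", re.I)

def is_blogger_host(host: str) -> bool:
    """Suffix match on a label boundary, so 'notblogspot.com' does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOGGER_DOMAINS)

def classify(event: dict) -> Optional[str]:
    """Return a detection name for one telemetry event, or None if it looks benign."""
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    if image not in SCRIPT_HOSTS:
        return None  # browsers and other processes are out of scope for this rule
    if event["type"] == "netconn" and is_blogger_host(event["dest_host"]):
        return "script-host-to-blogger"
    if event["type"] == "process":
        cmd = event.get("cmdline", "")
        if any(is_blogger_host(h) for h in URL_HOST.findall(cmd)):
            return "script-host-cmdline-blogger-url"
        if HIDDEN_OR_ENCODED.search(cmd):
            return "hidden-or-encoded-script"
    return None

def flag_events(events):
    hits = []  # (reason, event) pairs, in stream order
    for e in events:
        reason = classify(e)
        if reason:
            hits.append((reason, e))
    return hits

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, loosely Sysmon-shaped
    {"type": "netconn", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "example-blog.blogspot.com"},
    {"type": "netconn", "image": PS, "dest_host": "example-blog.blogspot.com"},
    {"type": "process", "image": PS,
     "cmdline": "powershell.exe -w hidden -c \"$u='https://example-blog.blogspot.com/p/stage.html'\""},
    {"type": "process", "image": PS, "cmdline": "powershell.exe -nop -EncodedCommand UGxhY2Vob2xkZXI="},
    {"type": "process", "image": PS, "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1"},
]
```

Only the three script-host events are flagged; the browser visit to the same blog and the routine scheduled script are left alone, which is the distinction a domain blocklist alone cannot make.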
Attribution for the VEIL#DROP campaign remains unclear. However, the use of PureLogs — a commercially available stealer — suggests a financially motivated threat actor rather than a state-sponsored group. This incident underscores how adversaries continue to repurpose legitimate platforms for stealthy malware delivery.