Researchers at Securonix have identified a novel attack framework dubbed Veil#Drop that leverages compromised websites and Blogspot-hosted payloads to distribute the PureLog information stealer. The campaign employs a multi-stage infection chain designed to evade traditional detection mechanisms.
The attack framework abuses trusted platforms like Blogspot to host malicious payloads, blending in with legitimate traffic. Securonix notes that the technique relies on PowerShell execution and fileless methods to circumvent endpoint security controls, achieving a high degree of stealth. Full details on the number of affected targets or specific geographic focus have not been disclosed.
Infection begins when a target visits a compromised website or clicks a malicious link, triggering PowerShell scripts that fetch the next-stage payload from a Blogspot URL. The payload ultimately deploys PureLog, a known information stealer capable of harvesting credentials, browser data, and system information. The attack chain avoids writing malicious binaries to disk, making forensic analysis more difficult.
No official patches or vendor advisories have been issued as the attack exploits legitimate web services rather than software vulnerabilities. Organizations are advised to monitor PowerShell execution policies, restrict access to Blogspot where appropriate, and enable behavioral detection rules for suspicious script activity. Securonix has published indicators of compromise to aid in threat hunting.
Attribution for the Veil#Drop campaign remains unclear. The use of fileless techniques and trusted hosting platforms reflects a broader trend among threat actors seeking to bypass signature-based defenses. This campaign underscores the growing challenge of distinguishing malicious activity from legitimate use of cloud and blogging services.