Threat researchers at Securonix have identified an advanced, multi-layered malware delivery operation that leans on hacked websites and social-engineering tactics to plant information-stealing malware on victims' systems.
Tracked under the name Veil#Drop, the campaign chains together JavaScript launchers and PowerShell download routines to fetch and run malicious code hosted on Blogspot — a platform sitting on Google's reputable infrastructure, which helps the activity blend in with legitimate traffic.
The attack kicks off when a target opens a JavaScript file disguised to look like an ordinary document. Once triggered, the script fires off PowerShell commands built to slip past execution-policy restrictions, then reaches out to attacker-run Blogspot pages to pull down further payloads.
Those Blogspot-hosted stages carry out several actions at once: they show a decoy document to keep the victim unaware, shut down certain running processes, and decrypt hidden content. The unpacked code then spins up more Blogspot links and runs the next payloads straight from memory, leaving little behind on disk.
According to Securonix, a follow-on loader stores XOR-scrambled .NET assemblies inside oversized embedded data blocks. These are rebuilt and unscrambled only while the malware is running, a technique that frustrates static inspection and weakens signature-based defenses.
The operation is also engineered with redundancy in mind, relying on backup execution paths and misusing legitimate, Microsoft-signed Windows binaries (living-off-the-land binaries, or LOLBINs) to run code while sidestepping security tools. Securonix notes that the mix of compromised sites, files masquerading with multiple extensions, trusted cloud hosting, obfuscated payloads, reflective in-memory .NET loading, and LOLBIN abuse reflects a calculated push to dodge conventional antivirus products, minimize forensic traces, and stay hidden throughout the intrusion.
The endgame is infection with PureLog Stealer, a .NET-based data thief. Once installed, it profiles the compromised machine and begins scraping data from a wide range of browsers, including Google Chrome, Microsoft Edge, Firefox, Brave, Opera, and other Chromium-based options.
Its targets include saved credentials, cookies, autofill entries, session tokens, and browsing history, and it actively hunts for cryptocurrency wallet data on the device. Beyond browsers, PureLog Stealer can pull information from messaging apps, email clients, remote-access utilities, FTP tools, cloud-storage software, developer applications, and password managers. Everything it collects is bundled up and transmitted to attacker-controlled servers in encrypted form.
Because the stealer casts such a wide net, Securonix warns that compromising a single endpoint could open the door to a much larger breach, depending on the secrets — credentials, tokens, and keys — stored on that machine. In corporate settings, the firm points out, info-stealers often serve as the opening move in bigger campaigns, with harvested logins later fueling ransomware deployment, data-theft operations, business email compromise, or drawn-out espionage.