Securonix uncovers VEIL#DROP, a multi-stage malware chain that weaponizes Google Blogger to deliver the PureLogs Stealer filelessly, bypassing reputation-based defenses.

On July 1, 2026, the Securonix threat research team disclosed the VEIL#DROP campaign, a delivery chain that does not breach cloud platforms but abuses them with surgical precision. The mechanism exploits no zero-day vulnerabilities; instead, it uses Google Blogger as a legitimate stager, generates polymorphic URLs at runtime, and climbs a ladder of Microsoft-signed LOLBins to ensure fileless execution even when endpoints block direct paths. The final payload is PureLogs Stealer, a .NET infostealer that operates entirely in memory.

Key Takeaways
  • VEIL#DROP uses the address htlwub00klocate.blogspot[.]com to host PowerShell payloads, exploiting Google's reputation to evade network-based filters.
  • The loader generates dynamic URLs by inserting a random number of forward slashes ('/') to bypass static signatures, with runtime mutation replacing placeholders with random strings.
  • Fileless execution occurs via reflective .NET loading, leaving no disk artifacts; a fallback cycles through four Microsoft-signed LOLBins (regsvcs.exe, installutil.exe, msbuild.exe, aspnet_compiler.exe) in a cascading fashion.
  • The identified final payload is PureLogs Stealer, delivered in-memory after the loader terminates wscript.exe and deletes the initial JavaScript file.

The Chain That Starts with a Double-Extension .js

Infection begins with a JavaScript file bearing a double extension disguised as a document — the Securonix report cites transcript.pdf.js as a documented example. The file activates via Windows Script Host and launches PowerShell with execution policy bypassed. From there, the loader contacts Blogger at htlwub00klocate.blogspot[.]com to retrieve the next-stage payload. The use of Google infrastructure is not anecdotal; it is the core of the evasion strategy. Reputation-based defenses, which grant implicit trust to top-tier domains like blogspot.com, become a blind spot in this scenario.

"The infection chain begins with a deceptively named JavaScript file masquerading as a document (e.g., transcript.pdf.js), which executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled" — Akshay Gaikwad, Shikha Sangwan, Aaron Beardslee (Securonix), via The Hacker News

The delivery mechanism is not limited to a single static URL. Securonix documented that the malware dynamically constructs the secondary stager destination, inserting a variable number of '/' characters into the URL string. This structural polymorphism, combined with runtime placeholder replacement with random strings, renders static indicators of compromise and fixed-pattern URL blocking rules ineffective.
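The slash-padding trick only defeats rules that match the raw URL string. As an added illustration (this is example code written for this page, not code from Securonix or from the cited reports), the Python below canonicalizes URLs before matching: it collapses runs of '/' in the path so that every padded variant of the same stager address converges to one normalized form, and it flags blogspot.com subdomains whose paths carry redundant slashes. The hostname is the one named in the article; the sample paths, the example.com control URL and the padding threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Host named in the Securonix report (defanged form in the article: blogspot[.]com).
KNOWN_STAGER_HOSTS = {"htlwub00klocate.blogspot.com"}

# Constructed sample: the same blogspot host reached through paths padded with a
# varying number of '/', plus an unrelated URL with a minor double slash as a control.
# Paths are invented placeholders, not indicators from the report.
SAMPLE_URLS = [
    "https://htlwub00klocate.blogspot.com/2026/07/post.html",
    "https://htlwub00klocate.blogspot.com///2026////07//post.html",
    "https://htlwub00klocate.blogspot.com/////////2026/07/post.html",
    "https://example.com//static//app.js",
]

# Assumed threshold: how many redundant slashes a path may carry before it is treated
# as deliberate padding rather than a sloppy but benign link.
PADDING_THRESHOLD = 3

_MULTI_SLASH = re.compile(r"/{2,}")


def normalize_url(url: str) -> str:
    """Return the URL with the host lowercased and runs of '/' in the path collapsed."""
    parts = urlsplit(url)
    path = _MULTI_SLASH.sub("/", parts.path) or "/"
    return f"{parts.scheme}://{(parts.hostname or '').lower()}{path}"


def slash_padding(url: str) -> int:
    """Count the redundant '/' characters in the path (0 for a clean URL)."""
    path = urlsplit(url).path
    return len(path) - len(_MULTI_SLASH.sub("/", path))


def is_blogspot(host: str) -> bool:
    host = host.lower()
    return host == "blogspot.com" or host.endswith(".blogspot.com")


def classify(url: str) -> dict:
    """Classify one URL: known stager host, or a blogspot subdomain with padded path."""
    host = (urlsplit(url).hostname or "").lower()
    padding = slash_padding(url)
    known = host in KNOWN_STAGER_HOSTS
    padded_blogspot = is_blogspot(host) and padding >= PADDING_THRESHOLD
    return {
        "normalized": normalize_url(url),
        "padding": padding,
        "known_stager_host": known,
        "suspicious": known or padded_blogspot,
    }


def cluster_by_normalized(urls) -> Counter:
    """Group raw URLs by canonical form; polymorphic variants collapse into one key."""
    return Counter(normalize_url(u) for u in urls)


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify(u))
    print(cluster_by_normalized(SAMPLE_URLS))
```

Matching on the normalized form is what makes a blocklist entry survive the loader's mutation; the raw-string count is still worth logging, because heavy padding on a blogspot path is itself a behavioral signal even for a host not yet on any list.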

Reflective Loading and the Paradox of Memory Without Artifacts

Once the payload is retrieved, VEIL#DROP writes nothing to disk. The .NET assembly executes via reflective code loading, a technique that loads the binary directly from memory without touching the filesystem. This fileless approach, confirmed by both primary sources, eliminates much of the traditional detection surface: no file hashes to correlate, no on-disk signatures to scan, no write artifacts for post-hoc forensic tools.

The payload loaded this way is PureLogs Stealer, a .NET infostealer known in the criminal underground. According to Securonix via Infosecurity Magazine, operators behind this class of malware typically sell harvested credentials through underground marketplaces, enabling other threat actors to purchase access to compromised accounts and environments. The dossier does not specify the exact nature of the data targeted in this specific campaign, nor the geographic scope or number of confirmed victims.

The Cascading LOLBin: When Allowlisting Becomes a Boomerang

The most distinctive element of VEIL#DROP is its cascading execution model via LOLBins. Instead of relying on a single Microsoft-signed binary, the loader cycles through four alternative executables: regsvcs.exe, installutil.exe, msbuild.exe, aspnet_compiler.exe. Execution follows a fallback logic: it attempts each method until one succeeds. This mechanism, which Securonix dubbed the "cascading model," transforms the traditional Living-off-the-Land approach into an automated redundancy chain.

"One of the most notable aspects of the loader is that it does not depend on any single LOLBin. Instead, execution follows a cascading model, attempting each method until one succeeds" — Securonix researchers, via The Hacker News

The consequences for defensive architectures are concrete. Allowlisting policies that permit execution of Microsoft-signed binaries — standard practice in controlled enterprise environments — become a guaranteed execution vector in this scenario. There is no longer a single LOLBin to monitor but an entire battery of alternatives, which makes perimeter control insufficient without additional layers of behavioral analytics on PowerShell and the .NET runtime.

What to Do Now

  • Review access policies for Blogger and public cloud authoring platforms from the internal perimeter: traffic to blogspot.com can no longer be considered implicitly benign in at-risk environments.
  • Enable behavioral monitoring on PowerShell and the CLR (.NET runtime) with focus on reflective assembly loading, execution policy bypasses, and dynamic URL generation patterns.
  • Extend detection rules beyond static IoCs: URL-based signatures are ineffective against VEIL#DROP's structural polymorphism; runtime generation behavior must be monitored.
  • Map legitimate LOLBin usage in the enterprise and implement application controls that detect anomalous chained execution sequences, not just isolated processes.

The Thin Line Between Trust and Vulnerability

VEIL#DROP does not prove that cloud infrastructure is insecure; it proves that its very reputation has become an offensive asset. When a Google domain receives implicit trust from security gateways, the attacker hosting on it has already won half the battle upstream. The challenge for defensive teams is no longer distinguishing good from evil at the infrastructure level, but reconstructing the behavioral execution chain — a task static signatures cannot sustain.

The Securonix report leaves strategic questions open: it is unconfirmed whether the campaign is attributable to a known APT group, unclear whether Google has removed the malicious content, and no verifiable IoCs such as hashes or YARA rules have been published. These gaps make proactive threat hunting more urgent than mere patch application: in the absence of stable indicators, detection must shift from the perimeter to memory, from the file to behavior.

Information verified against cited sources and current as of publication.

Sources and references
  1. thehackernews.com
  2. infosecurity-magazine.com
  3. wiu.edu
  4. nvd.nist.gov