All incidents

Veil#Drop malware campaign spreads PureLog Stealer via Blogspot

malwareopenJul 1, 2026 — Jul 6, 2026
Veil#Drop malware campaign spreads PureLog Stealer via Blogspot

SECURITY researchers have uncovered a malware campaign dubbed Veil#Drop that uses Google’s Blogspot service to deliver the PureLog Stealer to victims, with activity first detected on 1 July 2026 and continuing through early July according to Securonix.

The attack begins with a seemingly benign JavaScript file hosted on a compromised website, which when executed launches PowerShell commands that retrieve additional stages from attacker‑controlled Blogspot pages as detailed by Securonix.

These later stages employ XOR‑encoded .NET assemblies that are reflected into memory, allowing the malware to run filelessly before deploying PureLog Stealer, a credential harvester that targets browser passwords, session cookies and other authentication data reported by Infosecurity Magazine.

PureLog Stealer’s capabilities include extracting stored credentials from Chrome, Firefox and Edge, and it can exfiltrate data via encrypted channels that blend with normal web traffic, making detection difficult as noted in the same report.

Observed infections occurred between 1 and 6 July 2026, although Securonix noted that no specific threat actor has been publicly attributed to the campaign according to their analysis.

Defenders should enable detailed PowerShell logging, monitor for outbound HTTPS requests to blogspot.com subdomains that lack legitimate business justification, and inspect any unsigned JavaScript files served from internal or partner sites as advised by SecurityWeek.

Additionally, network‑based anomaly detection that flags unusual user‑agent strings or abnormal PowerShell parent processes can help catch the fileless execution before the stealer establishes persistence per Infosecurity Magazine’s guidance.

Intelligence briefing updated Jul 6, 2026

Root sourcewww.securonix.com
Timeline Coverage

Swipe to explore timeline