Securonix Threat Labs disclosed VEIL#DROP, an active multi-stage malware delivery campaign that routes its payload downloads through Google’s Blogger platform to bypass enterprise security tools that block downloads from unknown or low-reputation infrastructure. The campaign delivers PureLogs Stealer, a .NET information stealer that collects browser credentials, session cookies, and cryptocurrency wallet data.
How VEIL#DROP Routes Malware Downloads Through Google’s Trusted Infrastructure
The VEIL#DROP infection chain begins when a victim encounters or receives a JavaScript file disguised as a document — campaign indicators include filenames like transcript.pdf.js, constructed to appear as PDF documents to users whose file manager hides known file extensions. When executed, the JavaScript file is run by Windows Script Host, which then spawns PowerShell with execution policy bypass arguments.
The PowerShell stage fetches the next-stage payload not from attacker-controlled infrastructure, but from a Blogger page — a post hosted on blogspot.com or a custom domain routed through Google’s Blogger CDN. To reputation-based security tools performing outbound connection inspection, that fetch is indistinguishable from a user accessing a legitimate Google-hosted page. Google’s CDN and Blogger IP ranges are whitelisted in most enterprise security configurations because the domain carries Google’s IP reputation, not the attacker’s.
How the Blogger Page Deceives Both Users and Security Tools
The Blogger-hosted page in the VEIL#DROP chain creates the appearance of a benign PDF rendering environment on Google’s infrastructure. While the victim’s screen may briefly show what looks like a document loading from a Google page, the PowerShell script executing in the background is simultaneously fetching, decoding, and launching PureLogs Stealer. The visual artifact — a Google-hosted page appearing to open a document — provides social cover for the payload execution that is happening off-screen.
This layered deception is the campaign’s defining architectural choice. By splitting the infection chain across Windows Script Host, PowerShell, and Google Blogger, VEIL#DROP avoids any single step that standard security tools reliably block. The JavaScript dropper is not itself a known malicious binary. The PowerShell invocation is not connecting to a blacklisted IP. The Blogger download is coming from a Google-owned address.
PureLogs Stealer: Data Collected and Exfiltration Targets
The final payload in the VEIL#DROP chain is PureLogs Stealer, a .NET-based information stealer that targets the categories of data most valuable to credential-focused threat actors. PureLogs collects browser-saved passwords, active session cookies, autofill data, and cryptocurrency wallet files from the host. It also gathers comprehensive host system information — hardware and software configuration, running process list, and system identifiers — before packaging everything for exfiltration to attacker-controlled infrastructure.
Session cookies are a particularly high-value component of the PureLogs collection. A stolen valid session cookie allows an attacker to authenticate to the victim’s web accounts without knowing the account password and without triggering a login event. Two-factor authentication does not protect accounts where session cookies are already stolen and valid — the attacker presents an existing authenticated session, not a new login attempt.
VEIL#DROP Infection Indicators and Defender Guidance From Securonix
Securonix published indicators of compromise alongside the VEIL#DROP disclosure. Organizations searching for VEIL#DROP infections should look for two primary indicators in endpoint telemetry: JavaScript files with double extensions ending in .js arriving as attachments or downloads, particularly with document-type names preceding the .js extension; and PowerShell processes with execution policy bypass flags making outbound connections to blogspot.com or custom Blogger-hosted domains.
The Blogger download vector requires defenders to shift detection from destination reputation to behavioral pattern. Organizations whose security architecture depends primarily on domain and IP reputation controls will not detect VEIL#DROP at the network layer — the connection to Google Blogger will pass any reputation check. Effective detection requires endpoint-level visibility into what PowerShell is doing after spawning from Windows Script Host, regardless of where PowerShell is connecting.
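As an added example (not Securonix's code and not part of the VEIL#DROP write-up), the following Python turns the two indicators above into a behavioral correlation over constructed endpoint telemetry: a double-extension check for document-named files that end in .js, and a parent/child check for PowerShell launched by Windows Script Host with an execution-policy bypass, joined to that process's outbound connections. The event schema, field names and sample records are assumptions made for this example, not a real EDR format. The hostname match covers blogspot.com only; a Blogger post on a custom domain is not identifiable by name, which is why the process chain alone still produces a medium-severity finding and the Blogger connection only raises it to high.

```python
"""Behavioral detection for the VEIL#DROP indicators (added example, constructed telemetry)."""
import re
from dataclasses import dataclass

# Indicator 1: a document-type name followed by a trailing .js extension (e.g. transcript.pdf.js)
DOUBLE_EXT_JS = re.compile(r"\.(pdf|docx?|xlsx?|txt|rtf)\.js$", re.IGNORECASE)
# Indicator 2a: an execution-policy bypass. PowerShell accepts unambiguous parameter
# prefixes, so -ep, -ex and -exec are matched alongside the full -ExecutionPolicy.
EP_BYPASS = re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+bypass", re.IGNORECASE)
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Indicator 2b: a Blogger-hosted destination. Custom Blogger domains cannot be matched by name.
BLOGGER_HOST = re.compile(r"(^|\.)blogspot\.com$", re.IGNORECASE)
QUOTED_JS_ARG = re.compile(r'"([^"]+\.js)"', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Assumed process-creation record: pid, parent pid, lowercase image basename, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetworkEvent:
    """Assumed outbound-connection record keyed by the originating pid (host from DNS or TLS SNI)."""
    pid: int
    dest_host: str


def is_double_extension_js(filename: str) -> bool:
    """True for document-named files whose real extension is .js (Indicator 1)."""
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return DOUBLE_EXT_JS.search(basename) is not None


def find_wsh_powershell_bypass(procs):
    """PowerShell children of wscript/cscript whose command line bypasses the execution policy (2a)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.image not in POWERSHELL_IMAGES:
            continue
        parent = by_pid.get(p.ppid)
        if parent and parent.image in WSH_HOSTS and EP_BYPASS.search(p.cmdline):
            hits.append(p)
    return hits


def detect_veildrop_chain(procs, nets):
    """Correlate 2a with 2b per process; one finding dict per suspicious PowerShell process.

    The destination is treated as a severity modifier, not as the trigger: the chain is
    flagged even when the connection goes to a host reputation tools would consider benign.
    """
    by_pid = {p.pid: p for p in procs}
    blogger_pids = {n.pid for n in nets if BLOGGER_HOST.search(n.dest_host)}
    findings = []
    for p in find_wsh_powershell_bypass(procs):
        parent = by_pid[p.ppid]
        script = QUOTED_JS_ARG.search(parent.cmdline)
        dropper = script.group(1) if script else None
        findings.append({
            "pid": p.pid,
            "parent_image": parent.image,
            "dropper": dropper,
            "double_extension_dropper": bool(dropper) and is_double_extension_js(dropper),
            "blogger_connection": p.pid in blogger_pids,
            "severity": "high" if p.pid in blogger_pids else "medium",
        })
    return findings


# Constructed sample telemetry: one VEIL#DROP-style chain (pids 200/300) and one
# benign admin script also using a bypass but launched from Explorer (pid 400).
SAMPLE_PROCS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "wscript.exe", 'wscript.exe "C:\\Users\\victim\\Downloads\\transcript.pdf.js"'),
    ProcessEvent(300, 200, "powershell.exe", "powershell.exe -NoProfile -ep bypass -w hidden -c <redacted>"),
    ProcessEvent(400, 100, "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\admin\\patch.ps1"),
]
SAMPLE_NETS = [
    NetworkEvent(300, "example-post.blogspot.com"),
    NetworkEvent(400, "update.example-internal.local"),
]

if __name__ == "__main__":
    for finding in detect_veildrop_chain(SAMPLE_PROCS, SAMPLE_NETS):
        print(finding)
```

Running the block prints a single high-severity finding for pid 300 (parent wscript.exe, dropper transcript.pdf.js, Blogger connection present); the administrator's bypass in pid 400 is not reported because its parent is not Windows Script Host, which is the behavioral context the article says reputation controls cannot supply.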
Why Abusing Google Infrastructure Is Now a Standard Evasion Technique
VEIL#DROP is not the first campaign to route payloads through Google’s infrastructure, but the Blogger integration is a structural choice rather than an opportunistic one. Google Blogger pages are free to create, indistinguishable from millions of legitimate blog posts at the IP and domain level, and carry Google’s reputation in any reputation-based scoring system. The barrier to standing up a Blogger-hosted payload stage is effectively zero, making it a reproducible and scalable evasion mechanism.
The campaign’s use of Blogger follows the same logic as campaigns that abuse Google Drive, Google Docs, or Google Sites for payload hosting or phishing pages — each exploits the fact that security tools cannot block Google’s own infrastructure without breaking a massive volume of legitimate enterprise traffic. Defenders must instead rely on the behavioral context around the connection rather than the connection’s destination to identify abuse.
