Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks
Analysis of the Veil#Drop cyberattack campaign, which leverages Google’s Blogspot and fileless techniques to deliver the PureLog information stealer.
This article is original editorial commentary written with AI assistance, based on publicly available reporting by SecurityWeek. It is reviewed for accuracy and clarity before publication. See the original source linked below.
Cybersecurity researchers at Securonix have uncovered a sophisticated multi-stage infection framework dubbed "Veil#Drop," which marks a significant evolution in the tactical use of legitimate web infrastructure for malicious ends. This campaign is characterized by its reliance on a chain of compromised websites, PowerShell scripts, and Google’s Blogspot platform to deliver the PureLog information stealer. By fragmenting the attack across multiple trusted services, the threat actors have created a resilient delivery mechanism that bypasses traditional perimeter defenses, signaling a new level of maturity in the "living off the land" methodology.
Historically, information stealers have relied on relatively straightforward delivery methods, such as phishing attachments or drive-by downloads from malicious domains. However, as endpoint detection and response (EDR) tools have become more adept at flagging suspicious file executions and unrated domains, attackers have pivoted. The Veil#Drop campaign follows a pattern of "domain fronting" and "trusted site abuse" that has plagued security teams for years, but adds a layer of complexity by using Blogspot posts as a secondary staging ground. This approach exploits the inherent trust that security software places in major technical providers like Google, making it difficult to block the traffic without risking collateral damage to legitimate business operations.
Mechanically, the Veil#Drop attack is a masterclass in obfuscation. The process typically begins with a weaponized shortcut file (LNK) or a compromised site that triggers a PowerShell command. This script does not immediately download a malicious binary; instead, it fetches a base64-encoded payload hosted on a Blogspot page. By hiding parts of the malicious code within the HTML of a standard blog post, the attackers ensure that the initial network request appears to be routine web browsing. The final stage involves a fileless execution technique, where the PureLog stealer is injected directly into the system's memory, leaving a minimal footprint on the physical disk for forensic tools to find.
The business implications of this discovery are considerable. For organizations, it highlights a critical blind spot: the inability to distinguish between legitimate API calls to cloud services and malicious command-and-control (C2) traffic. The PureLog stealer itself is a potent threat, designed to harvest sensitive credentials, browser data, and session tokens that can be sold on dark web marketplaces or used for further lateral movement within a corporate network. For the cybersecurity industry, Veil#Drop proves that the cost of defending against fileless attacks is rising, as traditional signature-based detection is rendered almost entirely obsolete by these dynamic, multi-stage delivery chains.
From a regulatory and platform perspective, this campaign puts increased pressure on service providers like Google to police their ecosystems more aggressively. While Blogspot is a legacy platform, its continued utility for threat actors demonstrates the difficulty of moderating vast quantities of user-generated content in real-time. We are seeing a "cat-and-mouse" game where attackers utilize the very scale and reliability of the modern internet to hide their activities. As long as hosting a malicious script on a high-reputation domain remains free and easy, threat actors will continue to favor these platforms over self-hosted infrastructure that is easily blacklisted.
Looking forward, the industry should expect an increase in campaigns that distribute attack components across fragmented cloud environments. The next phase of this evolution will likely involve the integration of automated script generation to frequently rotate the hosting locations of these payloads, staying one step ahead of blocklists. Security teams must move toward identity-centric and behavior-centric defense models, focusing less on where a request is coming from and more on what the PowerShell or system processes are attempting to do once the data arrives. The primary takeaway from the Veil#Drop discovery is that "trusted" traffic no longer exists; in the current threat landscape, even a post on a personal blog can be a harbinger of a full-scale corporate data breach.
Why it matters
- 01The Veil#Drop campaign utilizes Google’s Blogspot to bypass network filters, exploiting the high reputation of legitimate cloud platforms to hide malicious payloads.
- 02By employing fileless execution and PowerShell obfuscation, the attack minimizes its physical footprint, making traditional file-based antivirus detection ineffective.
- 03The shift toward abusing fragmented, trusted infrastructure necessitates a transition from reputation-based security to behavioral monitoring and zero-trust architectures.