
Blogger Platform Exploited in VEIL#DROP Malware Attack Chain


"Following successful XOR decryption, the loader transitions into one of the most evasive components of the VEIL#DROP framework: dynamic stage generation combined with runtime mutation," Securonix explained.

Securonix: how VEIL#DROP begins

Researchers at Securonix — Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee — describe a multi-stage attack chain that starts with a deceptively named JavaScript file such as transcript.pdf.js. That file executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled, either after being delivered by spear-phishing or as a drive-by compromise when a user lands on an attacker-controlled site.

Blogger as trusted stager: htlwub00klocate.blogspot[.]com

After the initial PowerShell runs, the script retrieves a next-stage payload hosted on a Blogger page — identified in the report as htlwub00klocate.blogspot[.]com. Securonix says attackers are abusing Google's trusted infrastructure as a stager, allowing them to blend malicious retrievals with otherwise legitimate web traffic and to bypass reputation-based URL defenses.

Loader techniques: XOR, runtime mutation, and reflective .NET loading

The downloaded PowerShell payload performs several functions at once. It acts as a visual decoy — loading a benign web page such as Google to create the impression that a PDF was opened — while silently continuing the infection. The loader terminates selected processes (for example, wscript.exe), deletes the initial transcript.pdf.js to remove evidence, and decrypts an embedded payload using XOR.

After XOR decryption, the chain applies dynamic stage generation and runtime mutation. The malware builds a unique blogspot[.]com URL for each execution by inserting a random number of forward slashes into the URL string, which defeats static signatures and URL-based filtering that match on the exact string. It also replaces placeholder values in its scripts with randomly generated strings and values at runtime, producing polymorphism that defeats script signatures and file hashes. The fully reconstructed script executes entirely in memory, where it decodes and runs a .NET assembly via reflective code loading; in other words, the core infostealer runs without that assembly ever being written to disk.
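The slash-padding trick above only works against controls that match the raw URL string. The following is an added example (not code from the report or from Securonix) showing how a proxy-log triage step can canonicalise such URLs so that reputation or allowlist lookups still match, and flag blogspot.com retrievals whose path carries an unusual number of extra slashes; the sample URLs and the threshold of two extra slashes are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed proxy-log style URLs (not indicators from the report) that mimic
# the random-slash-padding pattern the text describes.
SAMPLE_URLS = [
    "https://example-page.blogspot.com/2024/01/post.html",
    "https://example-page.blogspot.com////2024///01//post.html",
    "https://cdn.example.org//static/app.js",
]


def normalize_url(url):
    """Collapse runs of '/' in the path; return (canonical_url, extra_slashes).

    Two retrievals that differ only in padding slashes compare equal after
    this, so a blocklist or allowlist keyed on canonical URLs keeps matching.
    """
    parts = urlsplit(url)
    collapsed = re.sub(r"/{2,}", "/", parts.path)
    extra = len(parts.path) - len(collapsed)
    canonical = urlunsplit(
        (parts.scheme, parts.netloc.lower(), collapsed, parts.query, parts.fragment)
    )
    return canonical, extra


def is_suspicious_stager_url(url, min_extra=2):
    """Flag blogspot.com URLs padded with slashes (the mutation pattern in the text).

    A single doubled slash is common in sloppy but benign links, so the
    assumed threshold is two or more extra slashes.
    """
    canonical, extra = normalize_url(url)
    host = urlsplit(canonical).hostname or ""
    on_blogspot = host == "blogspot.com" or host.endswith(".blogspot.com")
    return on_blogspot and extra >= min_extra


def triage(urls):
    """Return (canonical_url, extra_slashes, flagged) for each URL in a log batch."""
    rows = []
    for u in urls:
        canonical, extra = normalize_url(u)
        rows.append((canonical, extra, is_suspicious_stager_url(u)))
    return rows
```

Running the canonical URL, not the raw one, through your URL reputation or allowlist lookup is the point: the padded and unpadded forms of the second sample resolve to the same key.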

LOLBIN cascading fallback: regsvcs.exe, installutil.exe, msbuild.exe, aspnet_compiler.exe

Securonix documents a fallback model when direct in-memory execution is blocked by security controls. Rather than rely on a single living-off-the-land binary, the loader attempts a cascading sequence of Microsoft-signed binaries — regsvcs.exe, installutil.exe, msbuild.exe, and aspnet_compiler.exe — to execute recovered .NET assemblies. Because these binaries are signed by Microsoft and typically present on Windows systems, the attackers use them to make activity appear legitimate and to reduce forensic artifacts. "One of the most notable aspects of the loader is that it does not depend on any single LOLBin," the researchers note; instead, execution continues down the list until one method succeeds.
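Because the loader tries several signed binaries until one works, the defender's signal is the sequence rather than any single process. The following is an added example (not code from the report or from Securonix) of two endpoint detection rules run over constructed Sysmon-style process-creation records: a script host launching PowerShell with an execution-policy bypass, and one PowerShell parent spawning several distinct .NET LOLBins from the report's list within a short window. The event fields, timestamps, command lines and the 60-second window are assumptions.

```python
from collections import defaultdict

# The fallback binaries named in the report, lower-cased for matching.
NET_LOLBINS = {"regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def ev(ts, pid, ppid, parent, image, cmd=""):
    """Build a minimal process-creation record (constructed, Sysmon-like fields)."""
    return {"ts": ts, "pid": pid, "ppid": ppid, "parent": parent, "image": image, "cmd": cmd}


# Constructed sample telemetry: one chain matching the text, one benign build job.
EVENTS = [
    ev(100, 10, 1, "explorer.exe", "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\transcript.pdf.js"'),
    ev(101, 11, 10, "wscript.exe", "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -w hidden -c placeholder"),
    ev(105, 12, 11, "powershell.exe", "regsvcs.exe"),
    ev(106, 13, 11, "powershell.exe", "installutil.exe"),
    ev(107, 14, 11, "powershell.exe", "msbuild.exe"),
    ev(300, 20, 2, "explorer.exe", "powershell.exe", "powershell.exe -File deploy.ps1"),
    ev(301, 21, 20, "powershell.exe", "msbuild.exe", "msbuild.exe build.proj"),
]


def script_host_spawned_bypass(events):
    """Rule 1: wscript.exe/cscript.exe launching PowerShell with an execution-policy bypass."""
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe" or e["parent"].lower() not in {"wscript.exe", "cscript.exe"}:
            continue
        cmd = e["cmd"].lower()
        if any(flag in cmd for flag in ("-executionpolicy bypass", "-ep bypass", "-exec bypass")):
            hits.append(e["pid"])
    return hits


def lolbin_cascade(events, window=60, min_distinct=2):
    """Rule 2: one PowerShell parent spawning >= min_distinct different .NET LOLBins within `window` seconds.

    A lone msbuild.exe from a build script is normal; a run of distinct fallback
    binaries from the same parent is the cascade the report describes.
    """
    by_parent = defaultdict(list)
    for e in events:
        if e["parent"].lower() == "powershell.exe" and e["image"].lower() in NET_LOLBINS:
            by_parent[e["ppid"]].append(e)
    alerts = []
    for ppid, kids in by_parent.items():
        kids.sort(key=lambda k: k["ts"])
        for i, first in enumerate(kids):
            names = {k["image"].lower() for k in kids[i:] if k["ts"] - first["ts"] <= window}
            if len(names) >= min_distinct:
                alerts.append((ppid, sorted(names)))
                break
    return alerts
```

The second rule deliberately does not fire on the benign deploy.ps1 job, which spawns only one of the four binaries; tune `window` and `min_distinct` to your own build-server baseline.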

What this means for technologists, enterprises, and end users

  • Technologists and security teams: Expect an adversary model that avoids static indicators. The combination of XOR-obfuscated payloads, runtime mutation, dynamic URL construction on blogspot[.]com, in-memory reflective loading, and multiple LOLBin fallbacks means signature-based detection will be challenged and forensics may lack disk artifacts.
  • Enterprises and procurement leaders: The use of a trusted cloud platform as a staging host underscores how reliance on reputation alone — for example, allowing content from major providers without deeper inspection — can be abused. Controls that monitor anomalous PowerShell behavior, unexpected process terminations, or unusual use of Microsoft-signed binaries may be relevant.
  • End users and the general public: The initial lure can be simple — a file masquerading as transcript.pdf.js or a compromised web page. Securonix highlights both spear-phishing and drive-by compromises as delivery vectors that can lead to deployment of PureLogs Stealer.

PureLogs Stealer — described in the report as a .NET-based information stealer capable of harvesting a wide array of sensitive data — represents the intended final payload of VEIL#DROP. Securonix warns that the data stolen from an infected endpoint can be leveraged as a stepping stone for persistence, lateral movement, and even cloud infrastructure compromise.

The VEIL#DROP chain combines multiple evasion techniques — trusted-host staging, fileless execution, runtime polymorphism, XOR obfuscation, reflective loading, and a cascading LOLBin execution model — to reduce forensic traces and bypass traditional antivirus controls. That combination raises a clear question for defenders: can detection and response tools keep pace with malware that actively mutates its indicators, constructs fresh retrieval URLs at runtime, and falls back to multiple Microsoft-signed executables until one succeeds?

Read the original report at The Hacker News: https://thehackernews.com/2026/07/veildrop-malware-chain-uses-blogger.html