"In many cases, the operators behind information‑stealing malware sell harvested credentials through underground marketplaces, allowing other threat actors to purchase access to compromised accounts and environments," Securonix Threat Research warned.
Veil#Drop: a fileless chain that starts with a masqueraded file
Securonix Threat Research identified a multi-stage, fileless framework it calls Veil#Drop that begins when a victim visits a compromised website and opens a file presented as a document. Because Windows hides known file extensions by default, a script whose name ends in a double extension such as .pdf.js displays as a PDF in Explorer while actually being a script that Windows Script Host runs when it is opened. That script launches PowerShell with its script-execution restrictions bypassed, initiating the remainder of the chain.
Blogspot hosting and traffic blending
Rather than hosting payloads only on attacker-controlled servers, the campaign uses Blogspot pages under attacker control to deliver follow-on stages. Securonix said hosting payloads on Google-owned infrastructure allowed the traffic to blend with normal web activity and slip past reputation-based defenses. PowerShell fetches the subsequent stages directly from those Blogspot pages and runs them entirely in memory, leaving few or no files on disk for traditional scanners to inspect. For defenders the consequence is that domain reputation carries little signal here; the distinguishing feature is the client, since a browser resolving a blogspot.com name is routine while PowerShell doing so is not.
In‑memory .NET loader and runtime obfuscation
Later stages of the chain employ custom XOR encoding to hide their contents until runtime. According to the researchers, the final loader reconstructs two .NET assemblies from encoded data and loads them straight into memory using reflection. Because no executable is written to disk, antivirus engines that rely on scanning files find little to inspect. The load is not invisible, though: assemblies handed to Assembly.Load are reported through the .NET runtime's ETW events and, on .NET Framework 4.8 and later, are passed to AMSI before they execute, so endpoint products that consume those sources still get a look at the decoded bytes.
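When an analyst carves one of these XOR-encoded stages out of memory or out of the script, the key is usually recoverable without the loader, because the plaintext is a PE image whose first 60 bytes are fixed. The following is an added example of that known-plaintext recovery, written for this article; it is not Securonix's code nor any component of Veil#Drop. It assumes the encoding is a repeating byte key of at most 60 bytes applied to a Microsoft-toolchain PE image, and the encoded blob it works on is constructed inside the script rather than captured from the campaign.

```python
import struct

# Added illustration, not Securonix's code or any Veil#Drop component.
# Assumption: the stage is a Microsoft-toolchain PE image XORed with a
# repeating key of at most 60 bytes; the sample blob is constructed below.

# DOS header bytes every image built with the Microsoft linker shares:
# the MZ signature and fixed e_cblp..e_lfarlc fields, then reserved zeros
# up to e_lfanew at 0x3C (which varies and so is not used as plaintext).
KNOWN_DOS_HEADER = (
    bytes.fromhex("4d5a90000300000004000000ffff0000"
                  "b8000000000000004000000000000000")
    + b"\x00" * 28
)
E_LFANEW_OFFSET = 0x3C


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same routine encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_key_len: int = len(KNOWN_DOS_HEADER)):
    """Known-plaintext attack: return (key, decoded_image) for the shortest
    repeating key that turns blob into a plausible PE image, else None."""
    if len(blob) < E_LFANEW_OFFSET + 4:
        return None
    for key_len in range(1, max_key_len + 1):
        # Each key byte is ciphertext XOR the header byte it must decode to.
        key = bytes(blob[i] ^ KNOWN_DOS_HEADER[i] for i in range(key_len))
        # The candidate must reproduce the whole known header, not only the
        # bytes it was derived from; that rejects every wrong key length.
        if xor_repeating(blob[:len(KNOWN_DOS_HEADER)], key) != KNOWN_DOS_HEADER:
            continue
        decoded = xor_repeating(blob, key)
        (e_lfanew,) = struct.unpack_from("<I", decoded, E_LFANEW_OFFSET)
        # Independent confirmation: the NT header signature at e_lfanew.
        if e_lfanew + 4 <= len(decoded) and decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return key, decoded
    return None


def looks_like_dotnet(image: bytes) -> bool:
    """Every managed assembly carries the CLR metadata root signature 'BSJB'."""
    return b"BSJB" in image


def build_sample_image() -> bytes:
    """Constructed stand-in for a small .NET PE image (not a real assembly)."""
    e_lfanew = 0x80
    image = bytearray(KNOWN_DOS_HEADER)
    image += struct.pack("<I", e_lfanew)
    image += b"\x00" * (e_lfanew - len(image))
    image += b"PE\x00\x00" + b"\x00" * 0xF0 + b"BSJB" + b"\x00" * 0x20
    return bytes(image)


SAMPLE_KEY = b"\x5c\x13\xa7\x00\xe9"        # arbitrary key chosen for the demo
ENCODED_STAGE = xor_repeating(build_sample_image(), SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_xor_key(ENCODED_STAGE)
    if result is None:
        print("no repeating XOR key found")
    else:
        key, image = result
        print(f"key {key.hex()} ({len(key)} bytes), "
              f".NET metadata present: {looks_like_dotnet(image)}")
```

Trying key lengths from one upward and insisting that the whole 60-byte header decodes correctly is what makes this robust: a shorter key that happens to match the first few bytes fails on the rest, and a key that is a repetition of the true key is never reached because the true length is found first. If the loader's encoding turns out not to be a plain repeating XOR, the function returns None rather than a false positive, which is the cue to look at the decoding routine itself.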
LOLBIN fallback: RegSvcs, InstallUtil and MSBuild
Securonix reported that Veil#Drop includes fallback techniques that abuse legitimate, Microsoft-signed binaries (commonly called "LOLBINs") to ensure execution when the primary path is blocked. The operation cycles through utilities such as RegSvcs, InstallUtil and MSBuild until one succeeds. Because these tools ship with the .NET Framework and carry Microsoft signatures, the researchers said the activity often bypasses application control and allow-listing rules. All three appear on Microsoft's own list of applications to block in a WDAC policy unless a workload needs them, so an allow-list that admits them on publisher alone has not closed this path.
What PureLog Stealer collects, and why session cookies matter
The payload delivered by the chain is PureLog Stealer, a known .NET information stealer. Once running, PureLog harvests browser passwords, cookies, autofill data, cryptocurrency wallets and host details. Securonix highlighted that stolen session cookies can let attackers bypass multi-factor authentication: a service treats a valid session cookie as proof that authentication, including any MFA step, has already happened, so an attacker who replays it inherits the logged-in session without needing a password or a second factor. The researchers also noted that operators often monetize harvested credentials by selling them through underground marketplaces, enabling secondary actors to purchase access to compromised accounts and environments.
What this means for defenders, enterprises, and end users
- Defenders and security teams: Securonix urged monitoring for behavioral indicators, such as PowerShell reaching out to Blogspot pages or a script interpreter or PowerShell spawning .NET utilities, rather than relying solely on static file indicators. The fileless, in-memory nature of the chain reduces the effectiveness of disk-based scanning and reputation lists.
- Enterprises and procurement leaders: The campaign shows that legitimate, signed Microsoft binaries can be repurposed to evade application‑control rules; teams should account for misuse of RegSvcs, InstallUtil and MSBuild when designing allow‑listing policies and runtime controls.
- End users: A seemingly benign document on a compromised website can initiate a fileless compromise because Windows hides known extensions by default; turning on the display of file extensions and handling unexpected downloads cautiously remain relevant to reducing exposure.
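The behavioral indicators in the first bullet translate into a handful of rules over process-creation and DNS telemetry. The following is an added example written for this article, not Securonix's detection content, that runs three such rules over constructed Sysmon-style events and then correlates them per host, since one rule firing is a lead while two or more on the same machine is the chain. The event field names, host names and sample events are assumptions made for the example.

```python
import ntpath
import re
from collections import defaultdict

# Added detection sketch, not Securonix's detection content. The event
# shapes (Sysmon-style process-creation and DNS-query records) and the
# sample telemetry are assumptions constructed for this example.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOTNET_LOLBINS = {"regsvcs.exe", "installutil.exe", "msbuild.exe"}  # fallbacks the report names
EVASION_FLAGS = re.compile(
    r"-(ep|executionpolicy)\s+bypass|-nop\b|-noprofile\b|-w(indowstyle)?\s+hidden"
    r"|-enc\b|-encodedcommand\b",
    re.IGNORECASE,
)


def _name(path: str) -> str:
    """Lower-cased image file name; ntpath handles Windows paths on any OS."""
    return ntpath.basename(path).lower()


def _is_blogspot(qname: str) -> bool:
    q = qname.lower().rstrip(".")
    return q == "blogspot.com" or q.endswith(".blogspot.com")


def analyze(events):
    """Apply the three behavioral rules and return one finding per hit."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process_create":
            image, parent = _name(ev["image"]), _name(ev["parent_image"])
            if image in POWERSHELL and parent in SCRIPT_HOSTS:
                # The masqueraded script handing off to PowerShell; policy-bypass
                # or hidden-window flags on the command line raise the severity.
                sev = "high" if EVASION_FLAGS.search(ev["cmdline"]) else "medium"
                findings.append({"rule": "script_host_spawns_powershell", "host": host,
                                 "severity": sev, "detail": ev["cmdline"]})
            if image in DOTNET_LOLBINS and parent in POWERSHELL | SCRIPT_HOSTS:
                # RegSvcs/InstallUtil/MSBuild are normal under devenv.exe or a
                # build agent, suspicious under a script interpreter.
                findings.append({"rule": "dotnet_lolbin_from_script", "host": host,
                                 "severity": "high", "detail": f"{parent} -> {image}"})
        elif ev["type"] == "dns_query":
            if _name(ev["image"]) in POWERSHELL and _is_blogspot(ev["query"]):
                # A browser resolving blogspot.com is noise; PowerShell doing it is signal.
                findings.append({"rule": "powershell_resolves_blogspot", "host": host,
                                 "severity": "medium", "detail": ev["query"]})
    return findings


def chained_hosts(findings, min_distinct_rules=2):
    """Hosts on which at least min_distinct_rules different rules fired."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    return {h for h, rules in rules_by_host.items() if len(rules) >= min_distinct_rules}


# Constructed sample telemetry: one infected workstation plus benign developer activity.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\a\Downloads\Invoice.pdf.js"'},
    {"type": "process_create", "host": "WS01", "image": PS_PATH,
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c <stage-two download omitted>"},
    {"type": "dns_query", "host": "WS01", "image": PS_PATH, "query": "sample-stage.blogspot.com"},
    {"type": "process_create", "host": "WS01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "parent_image": PS_PATH, "cmdline": "InstallUtil.exe <arguments omitted>"},
    {"type": "process_create", "host": "DEV02",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "MSBuild.exe App.csproj"},
    {"type": "dns_query", "host": "DEV02", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "someblog.blogspot.com"},
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:6} {f['severity']:6} {f['rule']}: {f['detail']}")
    print("hosts showing the chain:", sorted(chained_hosts(hits)))
```

The parent-process conditions do the real work here: MSBuild launched by Visual Studio and Firefox resolving a blog both pass through untouched, so the rules can run at volume without burying the one workstation where a script host, PowerShell with policy bypass, a Blogspot lookup and InstallUtil line up in sequence.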
The operation Securonix calls Veil#Drop demonstrates how attackers chain a compromised website, a script file (such as JavaScript) disguised as a document, and PowerShell to deliver a fully in-memory infostealer. By combining Blogspot hosting, runtime encoding, in-memory .NET assembly reconstruction and LOLBIN fallbacks, the campaign minimizes artifacts left on disk and leans on legitimate infrastructure and tooling to evade traditional defenses. As Securonix recommended, detection efforts must shift from static indicators to the behavioral patterns this framework produces.