TA2026184
Threat Advisory • Attack Report
Veil#Drop is a multi-stage, largely fileless delivery framework that abuses trusted Google Blogspot pages to stage a chain of XOR-obfuscated PowerShell loaders, ending in the in-memory deployment of PureLog Stealer, a .NET infostealer that harvests browser credentials, session cookies, and cryptocurrency wallet data from Windows hosts worldwide.
TA2026184A1
Veil#Drop, PureLog Stealer
Section 01
First observed in 2026 and targeting Windows hosts worldwide, Veil#Drop is a multi-stage, largely fileless delivery framework that ends in the deployment of PureLog Stealer. The Veil#Drop chain begins with a JavaScript file disguised as a document, executed through Windows Script Host, which launches PowerShell download cradles that pull further stages from attacker-controlled Blogspot pages. The chain relies on XOR-obfuscated payloads, dynamically generated URLs, runtime script mutation, and in-memory .NET reflection, with trusted Microsoft-signed binaries used as execution fallbacks.
The final PureLog Stealer payload harvests browser credentials, cookies, session tokens, cryptocurrency wallet data, and system information from web browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, and Opera, as well as wallets such as MetaMask, Exodus, Atomic Wallet, Electrum, Trust Wallet, Coinbase Wallet, and Binance Wallet, before exfiltrating it to remote command-and-control infrastructure.
Section 02
There is no exploit at the entry point of Veil#Drop, just a file that lies about what it is. Veil#Drop starts when someone opens a JavaScript file named to look like a document, such as transcript.pdf.js. Because Windows hides known extensions by default, the victim only ever sees "transcript.pdf" and clicks it expecting a harmless PDF. The lures are delivered through legitimate websites that have been quietly compromised, so the Veil#Drop operators get to lean on trusted domains and slip past reputation filtering; the delivery itself is assessed, with lower confidence, as either a spear-phishing link or a drive-by download. On that click, Windows hands the file to Windows Script Host, which spawns PowerShell with its execution policy bypassed, and that is where the Veil#Drop infection really begins.
From there the Veil#Drop chain runs almost entirely in memory. The JavaScript does nothing but launch a PowerShell download cradle, pairing Invoke-RestMethod with Invoke-Expression to pull the next stage straight off an attacker-controlled Blogspot page and borrow Google's reputation as cover. That stage clears the ground: it loads a harmless decoy web page so the victim thinks a document opened, deletes the original .js file from Downloads, kills scripting and .NET processes that might interfere, and XOR-decrypts an embedded payload. The decoded loader then rebuilds its next Blogspot URL on the fly, padding the path with a random count of slashes and swapping placeholder strings for random values each run, so no two Veil#Drop executions share a hash or a URL signature.
The final loader is where the real Veil#Drop payload hides. It carries two XOR-encoded .NET assemblies stored as long runs of decimal values, rebuilds them with a custom Convert-XorDecimalToExe routine (XOR key 47), and runs them directly from memory through Reflection.Assembly::Load() so nothing ever touches disk. If reflection gets blocked, the loader simply works down a list of Microsoft-signed binaries — RegSvcs, InstallUtil, MSBuild, CSC, VBC, ILAsm, CasPol, and AspNet_Compiler — trying each until one succeeds.
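When a loader of this shape is captured from script-block logs or memory, the analyst's first job is to pull the embedded assemblies back out so they can be hashed and sandboxed. The helper below is an added example, not the loader's own Convert-XorDecimalToExe routine; the only facts it takes from this advisory are that the assemblies are stored as long runs of decimal values and that the XOR key is 47. The sample script text, the function names and the minimum run length are constructed for the example.

```python
"""Analyst triage helper for a captured Veil#Drop-style loader script.

Added example; this is not the loader's Convert-XorDecimalToExe routine. The
advisory states two facts used here: the embedded .NET assemblies are stored
as long runs of decimal values, and the XOR key is 47. Everything else (the
sample script text, function names, the minimum run length) is constructed."""
import hashlib
import re

XOR_KEY = 47   # single-byte XOR key reported in the advisory
MIN_RUN = 8    # assumption: ignore short numeric lists (ports, sizes, etc.)

# Constructed stand-ins for the embedded payloads: a 16-byte PE/MZ header
# prefix and a blob that is not a PE at all.
SAMPLE_PE = bytes([0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
                   0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00])
SAMPLE_JUNK = b"not a PE at all"


def encode_decimal(blob: bytes, key: int = XOR_KEY) -> str:
    """XOR each byte and render it as a comma-separated decimal list.
    Used only to build the constructed sample below."""
    return ",".join(str(b ^ key) for b in blob)


# Constructed loader fragment in the shape the advisory describes: assemblies
# held as decimal arrays that the real loader decodes and reflectively loads.
CAPTURED_LOADER = f"""
$asm1 = @({encode_decimal(SAMPLE_PE)})
$asm2 = @({encode_decimal(SAMPLE_JUNK)})
$port = 443
"""


def extract_decimal_runs(script: str, min_run: int = MIN_RUN) -> list[list[int]]:
    """Return every comma-separated run of at least min_run integers."""
    pattern = re.compile(r"\d+(?:\s*,\s*\d+){%d,}" % (min_run - 1))
    return [[int(v) for v in re.split(r"\s*,\s*", m.group(0))]
            for m in pattern.finditer(script)]


def xor_decode(values: list[int], key: int = XOR_KEY) -> bytes:
    """Reverse the single-byte XOR; reject runs that cannot be bytes."""
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("decimal run contains non-byte values")
    return bytes(v ^ key for v in values)


def recover_assemblies(script: str, key: int = XOR_KEY) -> list[dict]:
    """Decode every candidate run and report whether it looks like a PE
    (MZ header) together with its SHA-256, ready for hash lookup or sandboxing."""
    results = []
    for run in extract_decimal_runs(script):
        data = xor_decode(run, key)
        results.append({
            "size": len(data),
            "is_pe": data[:2] == b"MZ",
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return results


if __name__ == "__main__":
    for i, r in enumerate(recover_assemblies(CAPTURED_LOADER), 1):
        print(f"decoded_{i}.bin size={r['size']} pe={r['is_pe']} sha256={r['sha256']}")
```

Checking for the MZ header before trusting a decode is what separates a real assembly from an incidental numeric array, and the SHA-256 of each decoded blob is what you would submit for lookup; a key other than 47 would be discovered by the same routine simply by trying each candidate until a blob begins with MZ.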
At the end of the Veil#Drop chain sits PureLog Stealer, a .NET infostealer built to work quietly and take a lot. It pulls saved logins, cookies, session tokens, autofill data, browsing history, and card data from Chrome, Edge, Firefox, Brave, Opera, and other Chromium browsers, and goes after wallet material tied to MetaMask, Exodus, Atomic Wallet, Electrum, Trust Wallet, and similar apps. PureLog Stealer also fingerprints the host, including machine name, user, OS version, installed software, running processes, hardware, and domain membership, so operators can tell a throwaway box from something worth their time. The malware never moves through the network itself, but the cookies it lifts can walk straight past multi-factor authentication (MFA), and stolen VPN, Microsoft 365, and cloud credentials are exactly what someone needs to gain a foothold and go deeper later.
Once PureLog Stealer has what it wants, it packages the credentials, cookie stores, tokens, wallet data, browser profiles, and system inventory and ships them to command-and-control over encrypted channels. Because the whole Veil#Drop chain lives in memory, with no dropped executable, no written DLL, and no leftover script, defenders are mostly left with process lineage, PowerShell script-block logs, memory-resident assemblies, and network telemetry instead of files to scan. The stolen data usually ends up fueling account takeover, cryptocurrency theft, and business email compromise, and it frequently gets resold on criminal markets, pushing the damage well past the first machine.
Section 03
Treat parent-child relationships such as wscript.exe or cscript.exe spawning powershell.exe as high-fidelity indicators. These chains are uncommon in normal user activity and sit at the very start of the Veil#Drop infection.
Disable the HideFileExt behavior through policy so double-extension lures like transcript.pdf.js are visible, and train users specifically on document-themed JavaScript files delivered from websites.
Flag outbound connections to blogspot[.]com and blogger[.]com that originate from powershell.exe, wscript.exe, cscript.exe, or mshta.exe. Legitimate browsing to these domains is normal, but scripting engines reaching them directly should be investigated.
Monitor for PowerShell activity involving Reflection.Assembly::Load, Assembly.Load, Add-Type, dynamic compilation, and ScriptBlock::Create, which are rarely seen in standard workflows and strongly indicate fileless execution.
Establish behavioral baselines for RegSvcs, InstallUtil, MSBuild, CSC, VBC, ILAsm, and AspNet_Compiler, and alert when these binaries are spawned by PowerShell, run from user-writable directories, or load assemblies from temporary locations.
On any host showing signs of PureLog Stealer activity, rotate exposed passwords and forcibly invalidate active sessions, since stolen cookies and tokens can be replayed to bypass standard multi-factor authentication.
Because harvested session cookies defeat conventional MFA, adopt phishing-resistant methods and session-binding controls to reduce the value of stolen browser session data.
Disable or tightly constrain the execution of .js files through Windows Script Host in environments that do not require it, removing the Veil#Drop framework's primary entry point.
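The detection guidance above translates directly into rules over process, network, file and script-block telemetry. The code below is an added example, not a vendor rule set: it runs the behaviours named in this section (a script host spawning PowerShell, a scripting engine reaching blogspot.com or blogger.com, reflective .NET loading in a script block, one of the listed Microsoft-signed binaries launched by PowerShell or from a user-writable path, and a double-extension lure such as transcript.pdf.js) over constructed Sysmon-style events. The event records, field names, the placeholder hostname and the user-writable path heuristic are assumptions made for the example.

```python
"""Detection logic for the Veil#Drop tradecraft described in this advisory,
run over constructed Sysmon-style events.

Added example, not a vendor rule set. The behaviours come from the advisory;
the event records, field names, placeholder hostname and the user-writable
path heuristic are constructed for the example."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPTING_ENGINES = POWERSHELL | SCRIPT_HOSTS | {"mshta.exe"}
SUSPECT_DOMAINS = ("blogspot.com", "blogger.com")
LOLBINS = {"regsvcs.exe", "installutil.exe", "msbuild.exe", "csc.exe", "vbc.exe",
           "ilasm.exe", "caspol.exe", "aspnet_compiler.exe"}
REFLECTIVE_RE = re.compile(
    r"Assembly\]?::Load|Assembly\.Load|Add-Type|ScriptBlock\]?::Create", re.I)
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|odp|odt|txt)\.(js|jse|vbs|vbe|wsf|hta)$", re.I)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events (Sysmon IDs: 1 process create, 3 network connect,
# 11 file create, 4104 PowerShell script block). Hostname is a placeholder.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\transcript.pdf.js"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\transcript.pdf.js"'},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -ep bypass -w hidden -c <redacted>"},
    {"EventID": 3, "Image": PS,
     "DestinationHostname": "placeholder-stage.blogspot.com", "DestinationPort": 443},
    {"EventID": 4104, "ScriptBlockText": "[System.Reflection.Assembly]::Load($bytes) | Out-Null"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": PS, "CommandLine": "RegSvcs.exe C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll"},
    # Benign noise that must not fire: a browser visiting a blog, a build from
    # the IDE, an ordinary administrative script block.
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "someblog.blogspot.com", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "CommandLine": "MSBuild.exe app.sln"},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem -Path C:\\Users\\alice -Recurse"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    """Heuristic (assumption): profile, temp and ProgramData locations."""
    p = path.lower()
    return "\\users\\" in p or "\\temp\\" in p or p.startswith("c:\\programdata\\")


def is_suspect_domain(host: str) -> bool:
    """Exact match or subdomain of the Blogspot/Blogger domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, evidence) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            img, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
            if img in POWERSHELL and parent in SCRIPT_HOSTS:
                findings.append(("script_host_spawns_powershell", f"{parent} -> {img}"))
            if img in LOLBINS and (parent in POWERSHELL or is_user_writable(ev["Image"])):
                findings.append(("lolbin_from_powershell_or_user_path",
                                 f"{parent} -> {ev['Image']}"))
        elif eid == 3:
            img, host = basename(ev["Image"]), ev.get("DestinationHostname", "")
            if img in SCRIPTING_ENGINES and is_suspect_domain(host):
                findings.append(("scripting_engine_to_blogspot", f"{img} -> {host}"))
        elif eid == 11:
            if DOUBLE_EXT_RE.search(basename(ev["TargetFilename"])):
                findings.append(("double_extension_lure", ev["TargetFilename"]))
        elif eid == 4104:
            m = REFLECTIVE_RE.search(ev.get("ScriptBlockText", ""))
            if m:
                findings.append(("reflective_load_in_scriptblock", m.group(0)))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"{rule}: {evidence}")
```

The noise events matter as much as the true positives: browsers reaching Blogspot and MSBuild launched by the IDE are everyday activity, so each rule keys on the combination the advisory calls out (which process, from which parent, to which destination) rather than on any one indicator alone.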
Section 04
| Type | Value |
|---|---|
| URL | hxxps[:]//htlwub00klocate[.]blogspot[.]com/phud[.]dudus[.]docx[.]pdf[.]olp[.]sys |
| URL | hxxps[:]//cpyzaramay26[.]blogspot[.]com/…/niple[.]docx[.]odp[.]pdf[.]sys |
| SHA256 | |
| Filename | transcript.pdf.js |
| Filename | phud.dudus.docx.pdf.olp.sys |
| Filename | niple.docx.odp.pdf.sys |
| Filename | decoded_1.bin |
| Filename | decoded_2.bin |