Securonix researchers identified a multi-stage malware delivery chain dubbed VEIL#DROP that exploits Google's Blogger platform to distribute PureLogs, an information stealer targeting sensitive data from infected systems.

The attack begins with spear-phishing emails or drive-by downloads that lead users to compromise their own machines. Attackers use Blogger pages, which look like ordinary hosted content, as intermediary infrastructure to stage and deliver the malware payload. Because the staging URL sits on a Google-owned domain, reputation-based email and web filtering is less likely to flag it, and users are inclined to trust it.

PureLogs is an information stealer that harvests credentials, browser data, and other sensitive information from compromised endpoints. The multi-stage design lets attackers deliver components progressively: the initial stage carries little that static antivirus signatures can match, and the stealer itself is only fetched once that first stage is already running.

The use of Blogger as a delivery mechanism presents a particular challenge for defenders. Google's platform enjoys inherent reputation and trust, making malicious Blogger pages difficult to distinguish from legitimate ones. Security teams cannot easily blanket-block Blogger domains without impacting legitimate business communications.
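One way to get finer granularity than a domain-wide block, shown here as an added example that is not part of Securonix's findings or of this article: score each proxy request to a Blogger-hosted URL on signals that distinguish staging from ordinary blog reading. The log format, the field order, the sample entries and the particular heuristics (non-HTML content types, scripting-host user agents, payload-like file extensions) are all assumptions made for this illustration and should be tuned to your own environment.

```python
"""Triage web-proxy logs for Blogger/Blogspot requests that look like payload staging.

Added example, not code from Securonix or the original article. The log format
below (tab-separated: timestamp, source IP, method, URL, status, content-type,
bytes, user-agent) is an assumption, as are the scoring heuristics.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Google-owned hosts used by Blogger; matching on the domain rather than a list
# of specific blogs avoids maintaining an indicator list that goes stale.
BLOGGER_HOSTS = re.compile(r"(^|\.)(blogspot\.com|blogger\.com)$", re.I)
# Assumption: these clients fetching a blog page are not a person reading it.
SCRIPTED_UA = re.compile(r"powershell|curl|wget|wscript|cscript|mshta|certutil|bits", re.I)
BROWSER_UA = re.compile(r"Mozilla/", re.I)
# Static assets normally loaded by a browser rendering a blog; treated as benign.
STATIC_TYPES = ("image/", "text/css", "font/")
PAYLOAD_EXT = re.compile(r"\.(txt|ps1|vbs|js|hta|zip|exe|dll|bin)$", re.I)


@dataclass
class Event:
    ts: str
    src: str
    url: str
    status: int
    ctype: str
    size: int
    ua: str


def parse_line(line):
    """Parse one tab-separated proxy log line; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 8:
        return None
    ts, src, _method, url, status, ctype, size, ua = parts
    return Event(ts, src, url, int(status), ctype.lower(), int(size), ua)


def score(ev):
    """Return (points, reasons) for one event; 0 for non-Blogger or failed requests."""
    host = (urlparse(ev.url).hostname or "").lower()
    if ev.status != 200 or not BLOGGER_HOSTS.search(host):
        return 0, []
    points, reasons = 0, []
    if not ev.ctype.startswith("text/html") and not ev.ctype.startswith(STATIC_TYPES):
        points += 3
        reasons.append(f"non-HTML content-type {ev.ctype}")
    if SCRIPTED_UA.search(ev.ua) or not BROWSER_UA.search(ev.ua):
        points += 3
        reasons.append("non-browser user-agent")
    if PAYLOAD_EXT.search(urlparse(ev.url).path):
        points += 2
        reasons.append("payload-like file extension")
    if ev.size > 500_000:
        points += 1
        reasons.append("large response")
    return points, reasons


def triage(lines, threshold=3):
    """Return (src, url, points, reasons) for every line scoring at or above threshold."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        points, reasons = score(ev)
        if points >= threshold:
            alerts.append((ev.src, ev.url, points, reasons))
    return alerts


# Constructed sample log: hosts, IPs and paths are invented for this example.
SAMPLE_LOG = ["\t".join(row) for row in [
    ("2024-01-10T09:12:01Z", "10.0.0.11", "GET", "https://someblog-example.blogspot.com/2024/01/post.html",
     "200", "text/html; charset=UTF-8", "24512", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"),
    ("2024-01-10T09:12:03Z", "10.0.0.11", "GET", "https://1.bp.blogspot.com/img/photo.jpg",
     "200", "image/jpeg", "80211", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"),
    ("2024-01-10T09:40:17Z", "10.0.0.23", "GET", "https://someblog-example.blogspot.com/2024/01/update.txt",
     "200", "text/plain", "48000", "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"),
    ("2024-01-10T09:41:00Z", "10.0.0.23", "GET", "https://www.example.com/index.html",
     "200", "text/html", "1200", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"),
]]

if __name__ == "__main__":
    for src, url, points, reasons in triage(SAMPLE_LOG):
        print(f"{src} {url} score={points}: {'; '.join(reasons)}")
```

Only the PowerShell fetch of a text file from the blog scores; the browser loading the post and its image does not, which is the point: the domain stays reachable and the anomalous fetch still surfaces for review.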

Organizations face risk across several vectors here. Employees remain exposed to convincing phishing emails, particularly when campaigns target individuals with access to sensitive systems. Drive-by compromises hit users who merely visit a seemingly innocuous website, with no interaction required beyond browsing. Once PureLogs is installed, attackers hold the stored credentials it collects, potentially enabling lateral movement, privilege escalation, and further network compromise.

The VEIL#DROP chain demonstrates an evolving trend in malware distribution. Attackers increasingly abuse legitimate infrastructure—particularly content hosting platforms—to reduce operational friction and detection rates. This approach differs from traditional malware delivery that relied on attacker-controlled infrastructure, making infrastructure-based blocking less effective.

Securonix recommends implementing multi-factor authentication across enterprise systems, conducting regular phishing awareness training