ForumsGeneralVEIL#DROP: Abusing Blogger Infrastructure to Distribute PureLogs

VEIL#DROP: Abusing Blogger Infrastructure to Distribute PureLogs

NetGuard_Mike 7/1/2026 USER

Just came across the Securonix report on the VEIL#DROP malware chain, and it’s a stark reminder of why we can’t trust domains based solely on reputation. The campaign is utilizing Blogger—a Google-owned platform—to distribute the PureLogs information stealer.

What makes this tricky is the multi-stage nature. The initial payload isn't a direct binary executable but likely an obfuscated script hosted on a legitimate-looking blogspot page. Once a user lands there (either via a drive-by download or phishing link), the chain triggers. PureLogs is particularly nasty because it targets a wide range of browsers (Chrome, Edge, Firefox) and siphons off cryptocurrency wallet data and cookies.

Detection is difficult because blogspot.com is whitelisted in most orgs. We need to focus on the behavioral artifacts. PureLogs typically exfiltrates data via Telegram or Discord webhooks, but the C2 check-in often happens through these parked subdomains.

I’ve updated our detection logic to flag when a browser process spawns a shell that reaches out to Blogger subdomains. Here is a PowerShell snippet you can use for triage on endpoints to identify suspicious connections to these domains:

Get-NetTCPConnection | Where-Object { $_.State -eq "Established" } | ForEach-Object {
    $process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $remoteIP = $_.RemoteAddress
    try {
        $hostEntry = [System.Net.Dns]::GetHostEntry($remoteIP)
        if ($hostEntry.HostName -match "blogspot\.com") {
            [PSCustomObject]@{
                Process = $process.ProcessName
                PID = $process.Id
                RemoteHost = $hostEntry.HostName
                Timestamp = Get-Date
            }
        }
    } catch {}
}

For those hunting this, are you seeing persistence primarily via Registry Run keys, or have you observed them abusing Scheduled Tasks to bypass User Access Control?

TA
TabletopEx_Quinn7/1/2026

We caught a similar variant last month targeting our marketing team. The hardest part was the drive-by nature; users didn't even have to click a download button, just a malicious ad redirect on a sketchy news site. We ended up blocking access to blogspot.com via our secure web gateway for non-IT departments. It caused some noise with legitimate research, but the risk of PureLogs exfiltrating 2FA tokens was too high.

CR
CryptoKatie7/1/2026

Nice catch on the PowerShell script. We found that PureLogs often uses curl or wget (invoked via PowerShell) to fetch the next stage from the Blogger page content. Another IoC to look for is high CPU usage from a dotnet process located in AppData\Local\Temp. We added this YARA rule to our EDR to catch the obfuscated dropper:

rule PureLogs_Generic {
    meta:
        description = "Detects PureLogs Stealer characteristics"
        author = "SecurityArsenal"
    strings:
        $s1 = "blogspot" nocase
        $s2 = "telegram" nocase
        $s3 = { 48 8B C4 55 56 57 41 54 41 55 } // Common prolog
    condition:
        2 of them
}
PA
PatchTuesday_Sam7/1/2026

From a Blue Team perspective, this is a nightmare for allow-listing. We've moved to inspecting TLS traffic, but that's resource-intensive. One thing we noticed is that the Blogger pages used in VEIL#DROP often have very low word counts and high ratios of encoded text. We wrote a simple Python script to scrape our proxy logs for blogspot URLs that return content with >50% non-ASCII characters, which helped us flag the C2 channels before the payload executed.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created7/1/2026
Last Active7/1/2026
Replies3
Views89