VEIL#DROP: Blogger-Hosted Chain Drops PureLogs Stealer

Researchers flag a multi-stage delivery scheme abusing Google's Blogger platform to stage PureLogs, an infostealer sold in underground forums.

ThreatVectr Newsdesk· 2 min read
VEIL#DROP: Blogger-Hosted Chain Drops PureLogs Stealer
Share

A new multi-stage delivery chain is quietly staging PureLogs — a commodity infostealer — through pages hosted on Google's Blogger platform.

The activity is tracked as VEIL#DROP. Attribution at this stage is thin. No named cluster has been tied to the campaign, and the tooling itself is off-the-shelf, which cuts against high-confidence actor claims either way.

The initial access vector is assessed with medium confidence as either spear-phishing or drive-by compromise. That distinction matters. Spear-phishing implies target selection; drive-by suggests opportunistic casting of a wide net. The available telemetry doesn't yet separate the two cleanly.

What's more interesting is the staging choice. Abusing legitimate platforms for payload hosting is a well-worn TTP overlapping with clusters like Storm-0324 and various loader affiliates who have historically parked droppers on GitHub, Discord CDN, and Google services. Blogger is a natural fit: TLS by default, a trusted parent domain, and content that survives casual URL reputation checks. Defenders who filter on domain reputation alone will miss it.

The chain reportedly stages intermediate scripts before pulling PureLogs itself. PureLogs is a .NET-based stealer marketed on Russian-language forums since roughly 2022, targeting browser credentials, crypto wallets, and desktop app tokens. It's cheap. That's part of why it shows up across unrelated intrusion sets — capability here does not equal a shared operator.

A few observations worth pulling out.

First, the use of Blogger as a payload dead-drop is not new but appears to be gaining traction among lower-tier crews. Similar staging on Blogspot subdomains has been documented in past Kimsuky operations catalogued under Mandiant's APT43 designation, though there's no infrastructure overlap suggesting a link here.

Second, PureLogs as the terminal payload argues against nation-state involvement. State crews occasionally bolt commodity stealers onto their kits for deniability, but the more common pattern is criminal traffers or initial access brokers monetizing infections directly.

Third, the multi-stage design — obfuscated loader, remote script pull, in-memory execution of the final stealer — matches the broader shift away from monolithic droppers. Detection engineers should focus on the parent-child process lineage of scripting hosts spawning .NET runtimes with outbound connections to Blogger-hosted URIs.

Indicators haven't been fully published at the time of writing. Hunts worth running now: PowerShell or wscript reaching out to *.blogspot.com with subsequent .NET assembly loads, and any unusual persistence keys pointing to LOLBin execution of remote content.

Call it what it is. A commodity stealer wearing slightly better packaging. But the platform-abuse angle is the part defenders should log, because the next crew to copy it may not be commodity at all.

© 2026 Threat Vectr