SecurityWeek reported that Securonix uncovered a multi-stage malware delivery framework named Veil.
The veil malware framework abuses compromised websites, social engineering, Blogspot, PowerShell, and fileless techniques to infect users with information stealers.
The infection chain begins with a JavaScript file posing as a document, which launches PowerShell code and attempts to evade execution policies.
PowerShell retrieves additional payloads from attacker-controlled Blogspot pages hosted on Google infrastructure.
The Blogspot-hosted payload displays a decoy document, terminates specific processes, decrypts embedded content, and generates additional Blogspot URLs.
The campaign uses reflective .NET loading, XOR-obfuscated payloads, trusted Microsoft-signed binaries, and in-memory execution to reduce forensic artifacts.
The final objective reported by SecurityWeek is deployment of the PureLog information stealer.
A newly disclosed malware delivery framework known as Veil demonstrates how attackers are combining trusted cloud infrastructure, fileless execution, and multi-stage payload delivery to make endpoint compromise harder to detect. Rather than relying on a single malicious executable, the campaign chains together compromised websites, JavaScript, PowerShell, and Blogspot-hosted payloads to quietly deliver the PureLog information stealer while minimizing traditional forensic evidence.
For enterprise security teams, the significance extends beyond another malware family. The veil malware campaign illustrates a broader shift in attacker tradecraft: legitimate services and trusted binaries are increasingly being used to bypass conventional security controls, forcing organizations to strengthen visibility across script execution, identity, endpoint behavior, and network activity instead of relying solely on reputation-based detection.
The Veil malware (also referred to by Securonix as VEIL#DROP) campaign uses a layered execution chain that prioritizes stealth, trusted infrastructure, and in-memory execution over conventional malware delivery. Instead of delivering the final payload directly, each stage prepares the environment for the next, making the attack more resilient against signature-based detection and static analysis.
Stage 1: Initial Access
The attack begins with a JavaScript file disguised as a PDF document, such as transcript.pdf.js. Because Windows commonly hides known file extensions, users may only see transcript.pdf, increasing the likelihood of execution through Windows Script Host (WSH). The script launches PowerShell with execution policy bypass arguments, establishing the first stage of the infection chain.
Stage 2: Blogspot-Based Payload Delivery
Rather than downloading malware from attacker-owned infrastructure, the PowerShell script retrieves subsequent payloads from attacker-controlled Blogspot pages hosted on Google’s Blogger platform. Using a trusted cloud service allows outbound traffic to blend with legitimate web activity, potentially reducing the effectiveness of reputation-based URL filtering and domain-blocking controls.
The downloaded script also opens a benign webpage to create the impression that the requested document has loaded successfully while the malicious execution continues in the background.
Top 10 security challenges XDR helps address for enterprise teams
XDR helps enterprises reduce alert fatigue, connect threat signals, and respond faster to complex cyberattacks.
Stage 3: Evasion and In-Memory Execution
After the secondary payload is retrieved, the framework employs multiple evasion techniques to minimize detection and forensic visibility, including:
XOR-obfuscated payloads that are decrypted only at runtime.
Dynamic generation of additional Blogspot URLs to retrieve later-stage components.
Dynamic appending of a random number of forward slashes (/) to Blogspot URLs, allowing requests to appear unique and helping bypass URL-based filtering and detection mechanisms.
Reflective .NET assembly loading, enabling payloads to execute directly from memory.
Use of Microsoft-signed Living-off-the-Land Binaries (LOLBins) such as RegSvcs, InstallUtil, MSBuild, and aspnet_compiler as fallback execution mechanisms if direct loading is blocked.
Fileless execution, reducing malicious artifacts written to disk and complicating post-compromise forensic analysis.
Stage 4: Final Payload
The final stage delivers PureLog(s) Stealer, a .NET-based information stealer designed to harvest sensitive data from compromised Windows systems. Reported targets include:
Browser credentials and saved passwords
Session cookies
Autofill data
Cryptocurrency wallet information
Host and system metadata
Stolen session cookies can be particularly valuable because they may enable attackers to hijack authenticated sessions without requiring the user’s password, depending on the target application’s session management controls.
Featured Resource
Cybersecurity kit
This resource kit will help your company adopt the right cybersecurity strategy to secure your business.
Campaigns like Veil highlight why organizations need layered endpoint security rather than relying on a single preventive control. By combining endpoint management, endpoint detection and response, and policy enforcement, organizations can reduce the attack surface and respond more quickly when suspicious activity is detected.
Hexnode UEM helps strengthen endpoint security by enabling organizations to:
Enforce device compliance policies to ensure endpoints meet organizational security requirements before accessing corporate resources.
Reduce the attack surface through device hardening, timely OS updates, patch management, and approved application policies.
Apply compliance-based access controls so noncompliant devices can be identified and remediated according to organizational policies.
Remotely remediate managed devices, helping IT teams respond quickly when endpoints are suspected of compromise or fall out of compliance.
Hexnode XDR complements these controls by providing visibility into endpoint activity that may indicate an attack in progress. Security teams can investigate behaviors such as:
Abnormal PowerShell execution
Suspicious parent-child process relationships
Indicators associated with fileless attack techniques
Potential credential theft activity
Suspicious outbound network connections that may warrant further investigation
When malicious activity is confirmed, security teams can respond quickly using Hexnode XDR’s One-Click Remediation capabilities, including Network Isolation to contain compromised endpoints and Process Kill to terminate malicious processes before they can progress further.
Together, Hexnode UEM and Hexnode XDR help organizations strengthen endpoint resilience by reducing opportunities for compromise, improving visibility into suspicious behavior, and enabling faster investigation and remediation of potentially affected devices.
Conclusion
The Veil malware campaign shows how modern attackers are moving beyond traditional delivery techniques. They abuse trusted cloud services, fileless execution, and legitimate system binaries to reduce their detection footprint. For enterprise security teams, the challenge is no longer just blocking known malware. They must also identify malicious behavior that blends into normal administrative activity.
Mitigating these attacks requires a defense-in-depth strategy that combines endpoint hardening, continuous monitoring, policy enforcement, and rapid incident response. Organizations that can detect anomalous script execution, enforce device compliance, and quickly investigate suspicious endpoint activity are better positioned to disrupt multi-stage attack chains before sensitive data is compromised.
As attackers continue to leverage trusted platforms to evade conventional defenses, strengthening endpoint visibility and maintaining proactive security controls remain essential for reducing organizational risk.
Try Hexnode free for 14 days
Ready to strengthen your endpoint security? Sign in to Hexnode to get started.
I’m a technical content writer at Hexnode who loves simplifying tech. I break down complex ideas, remove the fluff, and help readers clearly understand our product for what it actually is: simple, reliable, and built to solve real problems.