Alanna
River

Veil Malware: How Attackers Use Blogspot to Deliver Fileless Payloads

Alanna River

Jul 8, 2026

5 min read

Veil malware

The "What Happened"

  • SecurityWeek reported that Securonix uncovered a multi-stage malware delivery framework named Veil.
  • The veil malware framework abuses compromised websites, social engineering, Blogspot, PowerShell, and fileless techniques to infect users with information stealers.
  • The infection chain begins with a JavaScript file posing as a document, which launches PowerShell code and attempts to evade execution policies.
  • PowerShell retrieves additional payloads from attacker-controlled Blogspot pages hosted on Google infrastructure.
  • The Blogspot-hosted payload displays a decoy document, terminates specific processes, decrypts embedded content, and generates additional Blogspot URLs.
  • The campaign uses reflective .NET loading, XOR-obfuscated payloads, trusted Microsoft-signed binaries, and in-memory execution to reduce forensic artifacts.
  • The final objective reported by SecurityWeek is deployment of the PureLog information stealer.

A newly disclosed malware delivery framework known as Veil demonstrates how attackers are combining trusted cloud infrastructure, fileless execution, and multi-stage payload delivery to make endpoint compromise harder to detect. Rather than relying on a single malicious executable, the campaign chains together compromised websites, JavaScript, PowerShell, and Blogspot-hosted payloads to quietly deliver the PureLog information stealer while minimizing traditional forensic evidence.

For enterprise security teams, the significance extends beyond another malware family. The veil malware campaign illustrates a broader shift in attacker tradecraft: legitimate services and trusted binaries are increasingly being used to bypass conventional security controls, forcing organizations to strengthen visibility across script execution, identity, endpoint behavior, and network activity instead of relying solely on reputation-based detection.

How the Veil Attack Chain Works

The Veil malware (also referred to by Securonix as VEIL#DROP) campaign uses a layered execution chain that prioritizes stealth, trusted infrastructure, and in-memory execution over conventional malware delivery. Instead of delivering the final payload directly, each stage prepares the environment for the next, making the attack more resilient against signature-based detection and static analysis.

Stage 1: Initial Access

The attack begins with a JavaScript file disguised as a PDF document, such as transcript.pdf.js. Because Windows commonly hides known file extensions, users may only see transcript.pdf, increasing the likelihood of execution through Windows Script Host (WSH). The script launches PowerShell with execution policy bypass arguments, establishing the first stage of the infection chain.

Stage 2: Blogspot-Based Payload Delivery

Rather than downloading malware from attacker-owned infrastructure, the PowerShell script retrieves subsequent payloads from attacker-controlled Blogspot pages hosted on Google’s Blogger platform. Using a trusted cloud service allows outbound traffic to blend with legitimate web activity, potentially reducing the effectiveness of reputation-based URL filtering and domain-blocking controls.

The downloaded script also opens a benign webpage to create the impression that the requested document has loaded successfully while the malicious execution continues in the background.

Stage 3: Evasion and In-Memory Execution

After the secondary payload is retrieved, the framework employs multiple evasion techniques to minimize detection and forensic visibility, including:

  • XOR-obfuscated payloads that are decrypted only at runtime.
  • Dynamic generation of additional Blogspot URLs to retrieve later-stage components.
  • Dynamic appending of a random number of forward slashes (/) to Blogspot URLs, allowing requests to appear unique and helping bypass URL-based filtering and detection mechanisms.
  • Reflective .NET assembly loading, enabling payloads to execute directly from memory.
  • Use of Microsoft-signed Living-off-the-Land Binaries (LOLBins) such as RegSvcs, InstallUtil, MSBuild, and aspnet_compiler as fallback execution mechanisms if direct loading is blocked.
  • Fileless execution, reducing malicious artifacts written to disk and complicating post-compromise forensic analysis.

Stage 4: Final Payload

The final stage delivers PureLog(s) Stealer, a .NET-based information stealer designed to harvest sensitive data from compromised Windows systems. Reported targets include:

  • Browser credentials and saved passwords
  • Session cookies
  • Autofill data
  • Cryptocurrency wallet information
  • Host and system metadata

Stolen session cookies can be particularly valuable because they may enable attackers to hijack authenticated sessions without requiring the user’s password, depending on the target application’s session management controls.

cybersecurity-kit
Featured Resource

Cybersecurity kit

This resource kit will help your company adopt the right cybersecurity strategy to secure your business.

DOWNLOAD KIT

How Hexnode Helps Reduce the Risk

Campaigns like Veil highlight why organizations need layered endpoint security rather than relying on a single preventive control. By combining endpoint management, endpoint detection and response, and policy enforcement, organizations can reduce the attack surface and respond more quickly when suspicious activity is detected.

Hexnode UEM helps strengthen endpoint security by enabling organizations to:

  • Enforce device compliance policies to ensure endpoints meet organizational security requirements before accessing corporate resources.
  • Reduce the attack surface through device hardening, timely OS updates, patch management, and approved application policies.
  • Apply compliance-based access controls so noncompliant devices can be identified and remediated according to organizational policies.
  • Remotely remediate managed devices, helping IT teams respond quickly when endpoints are suspected of compromise or fall out of compliance.

Hexnode XDR complements these controls by providing visibility into endpoint activity that may indicate an attack in progress. Security teams can investigate behaviors such as:

  • Abnormal PowerShell execution
  • Suspicious parent-child process relationships
  • Indicators associated with fileless attack techniques
  • Potential credential theft activity
  • Suspicious outbound network connections that may warrant further investigation

When malicious activity is confirmed, security teams can respond quickly using Hexnode XDR’s One-Click Remediation capabilities, including Network Isolation to contain compromised endpoints and Process Kill to terminate malicious processes before they can progress further.

Together, Hexnode UEM and Hexnode XDR help organizations strengthen endpoint resilience by reducing opportunities for compromise, improving visibility into suspicious behavior, and enabling faster investigation and remediation of potentially affected devices.

Conclusion

The Veil malware campaign shows how modern attackers are moving beyond traditional delivery techniques. They abuse trusted cloud services, fileless execution, and legitimate system binaries to reduce their detection footprint. For enterprise security teams, the challenge is no longer just blocking known malware. They must also identify malicious behavior that blends into normal administrative activity.

Mitigating these attacks requires a defense-in-depth strategy that combines endpoint hardening, continuous monitoring, policy enforcement, and rapid incident response. Organizations that can detect anomalous script execution, enforce device compliance, and quickly investigate suspicious endpoint activity are better positioned to disrupt multi-stage attack chains before sensitive data is compromised.

As attackers continue to leverage trusted platforms to evade conventional defenses, strengthening endpoint visibility and maintaining proactive security controls remain essential for reducing organizational risk.

Share

Alanna River

I’m a technical content writer at Hexnode who loves simplifying tech. I break down complex ideas, remove the fluff, and help readers clearly understand our product for what it actually is: simple, reliable, and built to solve real problems.