Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs.

The activity has been codenamed VEIL#DROP by Securonix. It's suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise, which occurs when an unsuspecting user lands on a website (legitimate or otherwise) under the attacker's control.

"The infection chain begins with a deceptively named JavaScript file masquerading as a document (e.g., transcript.pdf.js), which executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled," researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.

At a high level, the PowerShell script is responsible for retrieving a next-stage payload hosted on Blogger ("htlwub00klocate.blogspot[.]com"), allowing the attackers to bypass reputation-based defenses by abusing Google's trusted infrastructure as a stager and to blend in with legitimate web activity.

The downloaded PowerShell payload acts as a conduit for loading a benign web page like Google, creating the impression that a PDF document is opened, while the infection sequence proceeds silently in the background, ultimately leading to the deployment of PureLogs Stealer, a .NET-based infostealer known for harvesting a wide array of sensitive data from compromised hosts.