Veil#Drop PureLog Stealer in-memory delivery operation
Malware Activity
Summary
Hide ▲
Show ▼
Veil#Drop is delivering PureLog Stealer through a fileless chain that keeps payloads entirely in memory, reducing disk artifacts and raising the chance of evading detection. The operation abuses compromised websites, Blogspot pages, JavaScript, and PowerShell to steal credentials and other browser data from Windows systems. The loader also falls back to RegSvcs, InstallUtil, and MSBuild when the main path is blocked.
Related Happenings
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware ActivityAbout this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
BlackSanta EDR killer malware activity targeting HR departments
Malware Activity
H score20
First: 11.03.2026 00:57
Last: 11.03.2026 00:57
Sources 1
About this happening:
The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...
BlackSanta EDR killer malware activity targeting HR departments
Malware ActivityAbout this happening: The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...
LummaStealer infection surge via CastleLoader
Malware Activity
H score30
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
LummaStealer infection surge via CastleLoader
Malware ActivityAbout this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT
Campaign
H score33
First: 04.02.2026 19:24
Last: 04.02.2026 19:24
Sources 1
About this happening:
The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...
DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT
CampaignAbout this happening: The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...
ClickFix fake CAPTCHA campaign delivering Amatera
Campaign
H score35
First: 26.01.2026 23:42
Last: 26.01.2026 23:42
Sources 1
About this happening:
A **ClickFix** campaign now uses a **fake CAPTCHA** and a signed **Microsoft App-V** script to deliver **Amatera** to **Windows** victims, raising the risk of credential theft and...
ClickFix fake CAPTCHA campaign delivering Amatera
CampaignAbout this happening: A **ClickFix** campaign now uses a **fake CAPTCHA** and a signed **Microsoft App-V** script to deliver **Amatera** to **Windows** victims, raising the risk of credential theft and...
Timeline
-
01.07.2026 17:30 2 articles · 8d ago
Veil#Drop uses Blogspot and PowerShell to deliver PureLog Stealer in memory
Initial DisclosureSecuronix Threat Research named the fileless framework Veil#Drop and described a multi-stage chain that starts on a compromised website, uses a booby-trapped JavaScript file and PowerShell, then fetches attacker-controlled Blogspot payloads to load PureLog Stealer entirely in memory. The payloads use custom XOR encoding, reflection-based .NET loading, and fallback execution through Microsoft-signed utilities such as RegSvcs, InstallUtil and MSBuild, enabling credential theft, browser password and cookie harvesting, autofill collection, cryptocurrency wallet theft, and reduced disk artifacts.
Show sources
- Fileless Malware Abuses Google Blogspot to Deploy Infostealer in Memory — www.infosecurity-magazine.com — 01.07.2026 17:30
- Fileless Malware Abuses Google Blogspot to Deploy Infostealer in Memory — www.infosecurity-magazine.com — 01.07.2026 17:30