Find notable cyber news and cases, enriched with sources, timelines, and signals.

Veil#Drop PureLog Stealer in-memory delivery operation

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

Veil#Drop is delivering PureLog Stealer through a fileless chain that keeps payloads entirely in memory, reducing disk artifacts and raising the chance of evading detection. The operation abuses compromised websites, Blogspot pages, JavaScript, and PowerShell to steal credentials and other browser data from Windows systems. The loader also falls back to RegSvcs, InstallUtil, and MSBuild when the main path is blocked.

Related Happenings

OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading

Malware Activity
H score20 First: 22.06.2026 16:20 Last: 22.06.2026 16:20 Sources 1

About this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...

BlackSanta EDR killer malware activity targeting HR departments

Malware Activity
H score20 First: 11.03.2026 00:57 Last: 11.03.2026 00:57 Sources 1

About this happening: The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...

LummaStealer infection surge via CastleLoader

Malware Activity
H score30 First: 11.02.2026 19:02 Last: 11.02.2026 19:02 Sources 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT

Campaign
H score33 First: 04.02.2026 19:24 Last: 04.02.2026 19:24 Sources 1

About this happening: The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...

ClickFix fake CAPTCHA campaign delivering Amatera

Campaign
H score35 First: 26.01.2026 23:42 Last: 26.01.2026 23:42 Sources 1

About this happening: A **ClickFix** campaign now uses a **fake CAPTCHA** and a signed **Microsoft App-V** script to deliver **Amatera** to **Windows** victims, raising the risk of credential theft and...

Timeline

  1. 01.07.2026 17:30 2 articles · 8d ago

    Veil#Drop uses Blogspot and PowerShell to deliver PureLog Stealer in memory

    Initial Disclosure

    Securonix Threat Research named the fileless framework Veil#Drop and described a multi-stage chain that starts on a compromised website, uses a booby-trapped JavaScript file and PowerShell, then fetches attacker-controlled Blogspot payloads to load PureLog Stealer entirely in memory. The payloads use custom XOR encoding, reflection-based .NET loading, and fallback execution through Microsoft-signed utilities such as RegSvcs, InstallUtil and MSBuild, enabling credential theft, browser password and cookie harvesting, autofill collection, cryptocurrency wallet theft, and reduced disk artifacts.

    Show sources