Fileless PureLog Stealer Campaign Exploits Compromised Websites

First seen 3 Jul 2026, 09:25 UTC | Sources: Infosecurity-Magazine, Gbhackers, www.securonix.com | 82% similarity | 69.5

A sophisticated cyber campaign is leveraging compromised websites and a malicious JavaScript file named transcript.pdf.js to deploy PureLog Stealer, a .NET-based infostealer. The attack uses a fileless infection method, primarily through PowerShell and trusted Google Blogspot infrastructure, to execute payloads in memory, leaving minimal traces on disk. Victims are tricked into opening a file that appears to be a PDF, which actually executes a script to download the malware. PureLog Stealer targets major web browsers and cryptocurrency wallets, stealing sensitive data such as credentials, cookies, and autofill information. The campaign employs advanced evasion techniques, including XOR encoding and the use of legitimate Microsoft binaries to blend malicious activities with normal operations. This approach complicates detection and response efforts for security teams. Securonix has identified the framework as Veil#Drop, emphasizing the need for vigilance against such stealthy attacks.

Key Points:
• PureLog Stealer uses a fileless infection method, executing entirely in memory.
• The attack vector involves a malicious JavaScript file disguised as a PDF.
• Stolen data includes browser credentials and cryptocurrency wallet information.
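
A detection sketch for the disguise described above, added here as an example and not taken from Securonix or the cited articles: it flags process command lines that run a file whose name ends in a document extension followed by a script extension (as in transcript.pdf.js), then flags PowerShell started by that process. The event fields, the extension lists and the wscript.exe parent are assumptions, and the sample events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumed lists: extensions a user reads as "a document" vs. ones Windows runs as script.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
TOKEN = re.compile(r'"([^"]+)"|(\S+)')  # quoted argument or bare word

def masquerading_files(command_line):
    """Return file names whose last two extensions are document + script."""
    hits = []
    for quoted, bare in TOKEN.findall(command_line):
        name = PureWindowsPath(quoted or bare).name
        suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
        if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and suffixes[-1] in SCRIPT_EXTS:
            hits.append(name)
    return hits

def triage(events):
    """Flag processes that run a masquerading file and PowerShell children of those."""
    flagged_pids, alerts = set(), []
    for ev in events:  # events are assumed to be in creation order
        hits = masquerading_files(ev["cmd"])
        image = PureWindowsPath(ev["image"]).name.lower()
        if hits:
            flagged_pids.add(ev["pid"])
            alerts.append((ev["pid"], "double-extension script: " + ", ".join(hits)))
        elif ev["ppid"] in flagged_pids and image in POWERSHELL:
            flagged_pids.add(ev["pid"])
            alerts.append((ev["pid"], "PowerShell spawned by flagged script host"))
    return alerts

# Constructed process-creation events (hypothetical field names, not campaign data).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\transcript.pdf.js"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command <constructed placeholder>"},
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Reader\reader.exe",
     "cmd": r'"C:\Program Files\Reader\reader.exe" "C:\Users\user\Documents\report.v2.pdf"'},
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

Unquoted paths that contain spaces are split into separate tokens by this tokenizer, so quote-aware command-line telemetry gives the most reliable results.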

Timeline

2026-07-01
Securonix identifies Veil#Drop framework
Securonix reported on the use of compromised websites and Google Blogspot to deliver PureLog Stealer without leaving traces on disk.
Infosecurity-Magazine
2026-07-03
GBhackers reports on PureLog Stealer campaign
GBhackers published details on the layered infection chain and the use of social engineering techniques in the PureLog Stealer campaign.
Gbhackers
