New Evasive Campaign Delivers LegionLoader via Fake CAPTCHA & CloudFlare Turnstile


This article discusses multiple phishing and malware campaigns targeting individuals seeking PDF documents. The campaigns utilize deceptive techniques, including fake CAPTCHAs, to lead victims to download the LegionLoader malware, which ultimately installs a malicious browser extension for stealing sensitive data. Affected: Netskope customers, technology sector, financial services sector

Key points:

  • Netskope Threat Labs observed phishing and malware campaigns starting February 2025.
  • The campaigns target users searching for PDF documents on search engines.
  • Victims are directed to malicious websites disguised as document download sites.
  • Fake CAPTCHAs and CloudFlare Turnstile are used to distribute LegionLoader malware.
  • The LegionLoader malware installs a malicious browser extension that steals user data.
  • The attacks primarily target over 140 Netskope customers in North America, Asia, and Southern Europe.
  • Legitimate VMware-signed applications are exploited to sideload malicious DLLs.
  • Custom algorithms are used to obfuscate the LegionLoader shellcode.
  • The malicious extension impersonates a legitimate “Save to Google Drive” extension.
  • Permissions granted to the extension allow extensive access to user data and clipboard contents.

MITRE Techniques:

  • Drive-by Compromise (T1189): The threat involves users being lured to a malicious website through search engines leading to drive-by downloads.
  • Execution through Application Layer Protocol (T1203): Victims execute the LegionLoader payload by running a Windows MSI installer.
  • Credential Dumping (T1003): The malicious extension collects sensitive user credentials and browsing data.
  • Process Hollowing (T1093): The malware uses Process Hollowing to load the LegionLoader payload into a newly created “explorer.exe” process.
  • Obfuscated Files or Information (T1027): Custom algorithms obfuscate the LegionLoader shellcode and PowerShell scripts to evade detection.
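The sideloading, process-hollowing and extension behaviours listed above each leave a signal a defender can look for: a signed host binary loading an unsigned DLL from a user-writable directory, an explorer.exe whose parent is not the normal Windows logon chain, and an extension that borrows a trusted name while requesting clipboard and all-URL access. The script below is an added example written for this summary, not code from Netskope or from the report; the event layout, field names, the hypothetical DLL name and the sample manifest are all constructed here, and the parent-process allowlist is an assumption to tune per environment.

```python
"""Heuristics for three LegionLoader-style behaviours over constructed sample telemetry.
Added example; the event format and all sample values are assumptions, not report data."""
import ntpath
import re

# Paths an ordinary user can write to; a DLL loaded from here by a signed
# vendor binary is a sideloading candidate (assumed pattern, tune as needed).
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)

# Processes that normally start explorer.exe on Windows (assumed allowlist).
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}

# Extension permissions that give broad access to page content, tabs and clipboard.
HIGH_RISK_PERMS = {"clipboardRead", "clipboardWrite", "tabs", "cookies",
                   "webRequest", "history", "<all_urls>"}
# update_url that Chrome Web Store-installed extensions carry in their manifest.
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed sample events (Sysmon-like shape, assumed). hypothetical_sideload.dll
# is a placeholder name, not an indicator from the report.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Users\alice\AppData\Local\Temp\mksSandbox.exe",
     "signer": "VMware, Inc.", "loaded_signed": False,
     "loaded": r"C:\Users\alice\AppData\Local\Temp\hypothetical_sideload.dll"},
    {"type": "image_load", "image": r"C:\Program Files\VMware\mksSandbox.exe",
     "signer": "VMware, Inc.", "loaded_signed": True,
     "loaded": r"C:\Program Files\VMware\hypothetical_sideload.dll"},
    {"type": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
]

# Constructed manifest of an extension borrowing the "Save to Google Drive" name.
SAMPLE_MANIFEST = {"name": "Save to Google Drive", "version": "1.0",
                   "permissions": ["clipboardRead", "tabs", "storage"],
                   "host_permissions": ["<all_urls>"]}


def is_sideload_candidate(ev):
    """Signed host binary loading an unsigned DLL from a user-writable path."""
    return (ev["type"] == "image_load"
            and bool(ev.get("signer"))
            and not ev.get("loaded_signed", True)
            and USER_WRITABLE.search(ev["loaded"]) is not None)


def is_hollowing_candidate(ev):
    """explorer.exe created by a parent outside the normal logon chain."""
    if ev["type"] != "process_create":
        return False
    if ntpath.basename(ev["image"]).lower() != "explorer.exe":
        return False
    parent = ntpath.basename(ev["parent_image"]).lower()
    return parent not in EXPECTED_EXPLORER_PARENTS


def extension_findings(manifest):
    """Return human-readable findings for a browser extension manifest."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(perms & HIGH_RISK_PERMS)
    if risky:
        findings.append("broad permissions: " + ", ".join(risky))
    if manifest.get("update_url") != STORE_UPDATE_URL:
        findings.append("no Chrome Web Store update_url (likely sideloaded)")
    if "google drive" in manifest.get("name", "").lower() and findings:
        findings.append("trusted name combined with the findings above (impersonation risk)")
    return findings


def run(events):
    """Evaluate every event and return (rule, detail, detail) alert tuples."""
    alerts = []
    for ev in events:
        if is_sideload_candidate(ev):
            alerts.append(("dll_sideload", ev["image"], ev["loaded"]))
        if is_hollowing_candidate(ev):
            alerts.append(("explorer_unexpected_parent", ev["parent_image"], ev["image"]))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
    for finding in extension_findings(SAMPLE_MANIFEST):
        print("extension:", finding)
```

The hollowing check fires on the parent relationship alone, so expect benign hits from shell restarts or admin tooling; pair it with the MSI parent or the sideload alert before escalating. The manifest check is only as good as the allowlist of store-installed IDs you maintain alongside it.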

Indicators of Compromise:

  • [Domain] attacker-controlled website (exact details not specified)
  • [Size] 0x1470 bytes (LegionLoader shellcode; no hash given)
  • [Size] 0x36400 bytes (LegionLoader payload; no hash given)
  • [Executable] mksSandbox.exe (verified as malicious)
  • [File name] jp_ver.dat (7-zip archive with malicious DLLs)

Full Story: https://www.netskope.com/blog/new-evasive-campaign-delivers-legionloader-via-fake-captcha-cloudflare-turnstile