Mandvi @ Cyber Security News
Netskope Threat Labs has uncovered a new evasive campaign that uses fake CAPTCHAs and abuses Cloudflare Turnstile to deliver the LegionLoader malware. The attack targets people searching for PDF documents online and tricks them into downloading malware that installs a malicious browser extension designed to steal sensitive user data. The campaign has been active since February 2025 and has impacted more than 140 of Netskope's customers.

The attack begins when victims searching for specific PDF documents are lured to malicious websites that present a fake CAPTCHA. Interacting with the fake CAPTCHA redirects the victim through a Cloudflare Turnstile page (a legitimate anti-bot challenge, abused here to gate the chain from scanners) to a browser notification prompt. If the user enables notifications, they are directed to download what they believe is the document they were looking for. Instead, this step executes a command that downloads a malicious MSI installer.
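The MSI stage above is the first point at which endpoint telemetry has something concrete to key on. The following is an added example written for this page, not detection content from Netskope's report: it scores constructed Sysmon EID 1 (process creation) style records on two signals, msiexec.exe fetching its package from a remote URL or running one from a user-writable directory, and a browser somewhere in msiexec's process ancestry. The process names, paths, PIDs and URL in the sample events are constructed, and the heuristics are the editor's own.

```python
"""Score msiexec.exe launches that fit a browser-delivered MSI infection chain.

Added example: constructed Sysmon EID 1-style records, editor's heuristics.
"""
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
REMOTE_PKG = re.compile(r"https?://\S+", re.I)          # msiexec /i https://... is valid syntax
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|AppData)\\|\\Temp\\", re.I)
MAX_DEPTH = 5                                           # cap the ancestry walk (also guards PID reuse cycles)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Walk parent links up to MAX_DEPTH, returning the ancestor events found."""
    chain, cur, depth = [], by_pid.get(ev.ppid), 0
    while cur is not None and depth < MAX_DEPTH:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
        depth += 1
    return chain


def score_event(ev: ProcEvent, by_pid: dict) -> list:
    """Return the list of reasons an msiexec launch looks suspicious (empty = no finding)."""
    if basename(ev.image) != "msiexec.exe":
        return []
    reasons = []
    if REMOTE_PKG.search(ev.cmdline):
        reasons.append("package fetched from a remote URL")
    elif USER_WRITABLE.search(ev.cmdline):
        reasons.append("package in a user-writable directory")
    for anc in ancestors(ev, by_pid):
        if basename(anc.image) in BROWSERS:
            reasons.append(f"browser {basename(anc.image)} (pid {anc.pid}) in ancestry")
            break
    return reasons


def scan(events: list) -> dict:
    """Map pid -> reasons for every event that produced at least one finding."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: r for e in events if (r := score_event(e, by_pid))}


# Constructed sample telemetry (not from a real host).
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    # browser-launched msiexec pulling the package straight from the web: two signals
    ProcEvent(400, 200, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i https://files.example/document.msi /qn"),
    # the Windows Installer service itself: no signal
    ProcEvent(500, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\msiexec.exe /V"),
    # user double-clicking a downloaded installer from Explorer: one weak signal
    ProcEvent(700, 100, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\Downloads\vendor-setup.msi"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

A single "package in a user-writable directory" hit is expected noise (every vendor installer downloaded by a user trips it); the combination with a remote URL or a browser ancestor is what should page a human, which is why the function returns the reasons rather than a boolean.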

Upon execution, the MSI file installs a program named "Kilo Verfair Tools", whose executable sideloads a malicious DLL that initiates the LegionLoader infection. The LegionLoader payload uses a custom algorithm to deobfuscate shellcode and then injects the next stage into an "explorer.exe" process. This ultimately leads to the installation of a malicious browser extension, often masquerading as "Save to Google Drive", which steals sensitive information such as clipboard data, cookies, and browsing history. The affected sectors include technology and business services, retail, and telecommunications.
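The extension is the part of this chain that persists in the victim's browser profile, so it is worth triaging installed extensions directly rather than trusting their display names. Below is an added example, not code from Netskope or any of the outlets cited: it reads a constructed slice of a Chromium-style `Secure Preferences` file (the `extensions.settings` map, whose `from_webstore`, `location`, `path` and `manifest` fields follow Chromium's preference layout) and flags extensions that hold the clipboard, cookie and history permissions the report describes, that request broad host access, or that were not installed from the Web Store. The extension IDs, names, paths and permission sets in the sample are constructed; the `location` code meanings are taken from Chromium's `Manifest::Location` enum and should be checked against the browser version in use.

```python
"""Triage Chromium extension records for the data-theft profile described above.

Added example on constructed data; field layout follows Chromium's Secure Preferences.
"""
import json

# Permissions that give an extension the reach attributed to the LegionLoader extension.
RISKY_PERMS = {"clipboardRead", "cookies", "history"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chromium Manifest::Location codes that are not a Web Store install (assumed mapping, verify per version).
NON_STORE_LOCATIONS = {2: "external_pref", 3: "external_registry", 4: "unpacked", 8: "command_line"}


def triage_extension(ext_id: str, rec: dict) -> dict:
    """Return findings for one extensions.settings entry; score = number of findings."""
    man = rec.get("manifest", {})
    perms = set(man.get("permissions", []))
    # MV3 puts host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(man.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    risky = sorted(RISKY_PERMS & perms)
    if risky:
        findings.append("data-access permissions: " + ", ".join(risky))
    if hosts & BROAD_HOSTS:
        findings.append("broad host access")
    if not rec.get("from_webstore", False):
        loc = rec.get("location")
        findings.append(f"not installed from the Web Store (location={loc}:{NON_STORE_LOCATIONS.get(loc, 'other')})")
    return {"id": ext_id, "name": man.get("name"), "path": rec.get("path"),
            "findings": findings, "score": len(findings)}


def triage_preferences(prefs: dict) -> list:
    """Triage every extension in a parsed Preferences/Secure Preferences dict, worst first."""
    settings = prefs.get("extensions", {}).get("settings", {})
    return sorted((triage_extension(i, r) for i, r in settings.items()), key=lambda f: -f["score"])


# Constructed sample: three extension records, one matching the profile in the report.
SAMPLE_PREFS_JSON = r"""
{
  "extensions": {
    "settings": {
      "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": false,
        "location": 4,
        "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\ext",
        "manifest": {
          "name": "Save to Google Drive",
          "manifest_version": 3,
          "permissions": ["clipboardRead", "cookies", "history", "tabs"],
          "host_permissions": ["<all_urls>"]
        }
      },
      "bcdefghijklmnopabcdefghijklmnopa": {
        "from_webstore": true,
        "location": 1,
        "path": "bcdefghijklmnopabcdefghijklmnopa\\1.2.0_0",
        "manifest": {
          "name": "Session Manager Example",
          "manifest_version": 3,
          "permissions": ["cookies", "tabs"],
          "host_permissions": []
        }
      },
      "cdefghijklmnopabcdefghijklmnopab": {
        "from_webstore": true,
        "location": 1,
        "path": "cdefghijklmnopabcdefghijklmnopab\\3.0.1_0",
        "manifest": {
          "name": "Example Ad Blocker",
          "manifest_version": 3,
          "permissions": ["storage", "declarativeNetRequest"],
          "host_permissions": []
        }
      }
    }
  }
}
"""


def triage_sample() -> list:
    return triage_preferences(json.loads(SAMPLE_PREFS_JSON))


if __name__ == "__main__":
    for f in triage_sample():
        print(f["score"], f["name"], f["id"], "|", "; ".join(f["findings"]) or "no findings")
```

On a live host you would point `json.load` at the profile's `Secure Preferences` file instead of the embedded sample. The name "Save to Google Drive" is deliberately not a detection key: a legitimate extension can carry that name, and a malicious one can be renamed, so the triage keys on permissions and install provenance.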



References:
  • Cyber Security News: LegionLoader Delivered Through Fake CAPTCHAs and Abused Cloudflare Turnstile by Threat Actors
  • cybersecuritynews.com: Threat Actors Using Fake CAPTCHAs and CloudFlare Turnstile to Deliver LegionLoader
  • gbhackers.com: Threat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader
  • Virus Bulletin: The Netskope Threat Labs team discovered a campaign abusing fake CAPTCHA & CloudFlare Turnstile to deliver LegionLoader.
  • securityonline.info: New Evasive Campaign Uses Fake CAPTCHAs to Deliver LegionLoader
  • Threat Labs - Netskope: The Netskope Threat Labs team discovered a campaign abusing fake CAPTCHA & CloudFlare Turnstile to deliver LegionLoader.
Classification:
  • HashTags: #Malware #Phishing #LegionLoader
  • Company: Cloudflare (Turnstile abused; not the attacker)
  • Target: Individuals searching for PDF documents
  • Attacker: Not attributed in the reporting (campaign discovered by Netskope Threat Labs)
  • Product: Cloudflare Turnstile
  • Feature: Fake CAPTCHAs
  • Malware: LegionLoader
  • Type: Malware
  • Severity: Medium