{
  "name": "Evasive Campaign Pushing Legion Loader Malware",
  "slug": "evasive-campaign-pushing-legion-loader-malware",
  "description": "A highly evasive web campaign uses clipboard hijacking (pastejacking) to trick users into running MSI files that contain Legion Loader malware. The campaign employs multiple cloaking strategies, including captcha pages, disguised blog sites, and dynamic download URLs. The malicious script instructs victims to paste content into a Run window, which downloads and displays the MSI file. The campaign uses traffic distribution system (TDS) traffic or affiliate links with short-lived parameters to lead victims to malicious download pages; when accessed without valid parameters, the same URLs display benign content. The campaign's infrastructure includes 76 domains resolving to a single IP address, all disguised as blog sites.",
  "published": "2025-04-11T07:01:47+00:00",
  "created_at": "2025-04-11T07:01:47+00:00",
  "modified_at": "2025-04-11T08:25:59+00:00",
  "created_at_opencti": "2025-04-11T07:01:47+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-11",
    "affiliate links",
    "clipboard hijacking",
    "cloaking",
    "pastejacking"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://yubit.co.za/YmrXLWy8?keyword=mahatma%20gandhi%20biography%20pdf%20download"
      },
      {
        "id": "",
        "name": "http://yoyep.co.za/YmrXLWy8?keyword=binomial%20theorem%20solution%20pdf%20worksheets%20answers%20answer/"
      },
      {
        "id": "",
        "name": "http://tevav.co.za/YmrXLWy8?keyword=camera%20canon%20powershot%20sx20is%20%C3%A9%20boa"
      },
      {
        "id": "",
        "name": "http://norin.co.za/YmrXLWy8?keyword=bobbi%20brown%20makeup%20artist%20training"
      },
      {
        "id": "",
        "name": "http://loheb.co.za/YmrXLWy8?keyword=paulo%20freire%20the%20banking%20concept%20of%20education%20analysis"
      },
      {
        "id": "",
        "name": "http://lovig.co.za/YmrXLWy8?keyword=modelo%20de%20memor%C3%A1ndum%20de%20llamada%20de%20atenci%C3%B3n%20por%20tardanza"
      },
      {
        "id": "",
        "name": "http://ggtraff.ru/wb?keyword=spill%20guts%20meaning%20in%20urdu"
      },
      {
        "id": "",
        "name": "http://gettraff.ru/wb?keyword=moneygram%20appleton%20wi"
      },
      {
        "id": "",
        "name": "http://fecuq.co.za/YmrXLWy8?keyword=%C3%A1lgebra%20y%20trigonometr%C3%ADa%20con%20geometr%C3%ADa%20anal%C3%ADtica%20ejercicios%20resueltos"
      },
      {
        "id": "",
        "name": "http://fecuq.co.za/YmrXLWy8?keyword=wilderness%20and%20the%20american%20mind%20chapter%20summaries"
      },
      {
        "id": "",
        "name": "http://colod.co.za/YmrXLWy8?keyword=how%20much%20is%20a%2020%20inch%20tv%20at%20walmart"
      },
      {
        "id": "",
        "name": "yoyep.co.za"
      },
      {
        "id": "",
        "name": "yubit.co.za"
      },
      {
        "id": "",
        "name": "webfilelinkallez.com"
      },
      {
        "id": "",
        "name": "webfile-link-all-easy.com"
      },
      {
        "id": "",
        "name": "yourdownloadbest.com"
      },
      {
        "id": "",
        "name": "upgradeupload.com"
      },
      {
        "id": "",
        "name": "themoreuploadllc.com"
      },
      {
        "id": "",
        "name": "thefile-share-every-fun.com"
      },
      {
        "id": "",
        "name": "thebetterfileupload.com"
      },
      {
        "id": "",
        "name": "tevav.co.za"
      },
      {
        "id": "",
        "name": "tappa-liter.com"
      },
      {
        "id": "",
        "name": "slud2mill.com"
      },
      {
        "id": "",
        "name": "sendfilelinkalleasy.com"
      },
      {
        "id": "",
        "name": "seid-incaic-mayda.com"
      },
      {
        "id": "",
        "name": "realmoreupload.com"
      },
      {
        "id": "",
        "name": "realfileshareallfun24.com"
      },
      {
        "id": "",
        "name": "realfilemindshareeveryfun.com"
      },
      {
        "id": "",
        "name": "realfilepartallfun.com"
      },
      {
        "id": "",
        "name": "realfilemindparteveryfun.com"
      },
      {
        "id": "",
        "name": "realfile-share-every-fun.com"
      },
      {
        "id": "",
        "name": "realcreditfileparteveryfun.com"
      },
      {
        "id": "",
        "name": "premiumknowledgegood24.com"
      },
      {
        "id": "",
        "name": "premiumexperiencegood.com"
      },
      {
        "id": "",
        "name": "pahmi-argyll-shivey.com"
      },
      {
        "id": "",
        "name": "norin.co.za"
      },
      {
        "id": "",
        "name": "mnem2ptt4brr-cats.com"
      },
      {
        "id": "",
        "name": "lovig.co.za"
      },
      {
        "id": "",
        "name": "loheb.co.za"
      },
      {
        "id": "",
        "name": "leto2nazi-glee.com"
      },
      {
        "id": "",
        "name": "infoaccessnetwork.com"
      },
      {
        "id": "",
        "name": "hine-crull-cared-exiler.com"
      },
      {
        "id": "",
        "name": "hell4rec.com"
      },
      {
        "id": "",
        "name": "greatknowledgegood24.com"
      },
      {
        "id": "",
        "name": "globalgreatexperiencegood.com"
      },
      {
        "id": "",
        "name": "great-experience-good24.com"
      },
      {
        "id": "",
        "name": "globalfileshareeveryfun24.com"
      },
      {
        "id": "",
        "name": "globalfileshareeveryfun.com"
      },
      {
        "id": "",
        "name": "globalfile-link-all-easy.com"
      },
      {
        "id": "",
        "name": "ggtraff.ru"
      },
      {
        "id": "",
        "name": "gettraff.ru"
      },
      {
        "id": "",
        "name": "fundus-dung-hause-tellee.com"
      },
      {
        "id": "",
        "name": "filelinkallezcompany.com"
      },
      {
        "id": "",
        "name": "fileshareallfun24.com"
      },
      {
        "id": "",
        "name": "fileparteveryfun24.com"
      },
      {
        "id": "",
        "name": "fileaccessnow.com"
      },
      {
        "id": "",
        "name": "fileaccessnetworksecurity.com"
      },
      {
        "id": "",
        "name": "fileaccessibilitynetwork.com"
      },
      {
        "id": "",
        "name": "file-share-every-fun.com"
      },
      {
        "id": "",
        "name": "fileaccesschannel.com"
      },
      {
        "id": "",
        "name": "file-link-all-simpleshop.com"
      },
      {
        "id": "",
        "name": "file-link-all-easy.com"
      },
      {
        "id": "",
        "name": "fecuq.co.za"
      },
      {
        "id": "",
        "name": "file-autolink-all-easy.com"
      },
      {
        "id": "",
        "name": "duad-tess-piki.com"
      },
      {
        "id": "",
        "name": "ecb4teg4sepd4bunt.com"
      },
      {
        "id": "",
        "name": "doup2dalf4if4shou.com"
      },
      {
        "id": "",
        "name": "creditfilechainalleasycompany.com"
      },
      {
        "id": "",
        "name": "creditfilechainallsimple.com"
      },
      {
        "id": "",
        "name": "creditfileparteveryfun.com"
      },
      {
        "id": "",
        "name": "creditfileaccessnetworkshop.com"
      },
      {
        "id": "",
        "name": "creditfile-share-every-fun.com"
      },
      {
        "id": "",
        "name": "colod.co.za"
      },
      {
        "id": "",
        "name": "carien-shafii.com"
      },
      {
        "id": "",
        "name": "cannel-hubshi-tock-perit.com"
      },
      {
        "id": "",
        "name": "byrls-unfar-tankka.com"
      },
      {
        "id": "",
        "name": "best-knowledge-top.com"
      },
      {
        "id": "",
        "name": "best-knowledge-good24.com"
      },
      {
        "id": "",
        "name": "berapt-medii.com"
      },
      {
        "id": "",
        "name": "alae-bema4om-ef.com"
      },
      {
        "id": "",
        "name": "ated-troy.com"
      },
      {
        "id": "",
        "name": "eef55d89a46dd43a2bd72852a5bd2929458da58f293e65f951a1d17c3a784440"
      },
      {
        "id": "",
        "name": "21df75dccea2946c1a28d9c46e722cdeaee00482a57bca9286cda59b172b2d9b"
      }
    ],
    "malware": [
      {
        "id": "8ba0001a-20ee-4411-93a2-38ae6238076c",
        "name": "Legion Loader",
        "slug": "legion-loader"
      }
    ],
    "attack_patterns": [
      {
        "id": "9c5a20d1-0df9-4e99-bcc5-0b731a78b5d1",
        "name": "T1608"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-31-IOCs-for-evasive-campaign-pushing-Legion-Loader.txt",
    "https://otx.alienvault.com/pulse/67f8da7be17ebfb8d197c6b1"
  ]
}