LegionLoader exposed!
Essential information
- Published
- 10/02/2025 13:54
- Modified
- 10/02/2025 15:29
- Tags
- 2025-02-10 anti-sandbox brazil curlygate dll injection downloader drive-by-download legionloader msi multi-stage robotdropper satacom
- Related entities
- 108 observables, 1 intrusion sets (apt), 12 techniques (mitre), 4 malware, 1 others
Description
LegionLoader, also known as Satacom, CurlyGate, and RobotDropper, is an active downloader malware that has gained significant traction recently, amassing over 2,000 samples in weeks. The campaign appears to have started on December 19, 2024, with Brazil being the most affected country. The malware is delivered through drive-by downloads from insecure websites, often using the .monster TLD for malicious redirections. It employs anti-sandbox techniques and uses a multi-stage infection process. The initial MSI file extracts and executes a malicious DLL, which then downloads and executes a second stage payload. The final payload communicates with command and control servers to potentially download additional malware.