{
  "name": "LegionLoader exposed!",
  "slug": "legionloader-exposed",
  "description": "LegionLoader, also known as Satacom, CurlyGate, and RobotDropper, is an active downloader malware that has gained significant traction recently, amassing over 2,000 samples within weeks. The campaign appears to have started on December 19, 2024, with Brazil being the most affected country. The malware is delivered through drive-by downloads from insecure websites, often using the .monster TLD for malicious redirections. It employs anti-sandbox techniques and uses a multi-stage infection process. The initial MSI file extracts and executes a malicious DLL, which then downloads and executes a second-stage payload. The final payload communicates with command and control servers and may download additional malware. Note for consumers of this record: the observables list mixes URLs, bare domains and 64-character hex hashes without type labels, and entries such as writer.cc, util.cc and contributing.md resemble source-file names that automated extraction may have read as .cc/.md domains; verify them against the referenced report before using them in blocklists or detections.",
  "published": "2025-02-10T12:54:00+00:00",
  "created_at": "2025-02-10T12:54:00+00:00",
  "modified_at": "2025-02-10T14:29:40+00:00",
  "created_at_opencti": "2025-02-10T12:54:00+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-10",
    "anti-sandbox",
    "brazil",
    "curlygate",
    "dll injection",
    "downloader",
    "drive-by-download",
    "legionloader",
    "msi",
    "multi-stage",
    "robotdropper",
    "satacom"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://webrecentapp.monster/"
      },
      {
        "id": "",
        "name": "https://webnewapp.monster/"
      },
      {
        "id": "",
        "name": "https://webabilityapp.monster/"
      },
      {
        "id": "",
        "name": "https://topstarapp.monster/"
      },
      {
        "id": "",
        "name": "https://sendspeed.monster/"
      },
      {
        "id": "",
        "name": "https://saveactiveapps.monster/"
      },
      {
        "id": "",
        "name": "https://safepowerapp.monster/"
      },
      {
        "id": "",
        "name": "https://safegrandapp.monster/"
      },
      {
        "id": "",
        "name": "https://runstarapp.monster/"
      },
      {
        "id": "",
        "name": "https://linefreeapp.monster"
      },
      {
        "id": "",
        "name": "https://getglobal.monster"
      },
      {
        "id": "",
        "name": "https://freepowerapp.monster/"
      },
      {
        "id": "",
        "name": "https://freeleaderapp.monster/"
      },
      {
        "id": "",
        "name": "https://extragrandapp.monster/"
      },
      {
        "id": "",
        "name": "https://eliteleaderapp.monster/"
      },
      {
        "id": "",
        "name": "https://cleanactiveapp.monster/"
      },
      {
        "id": "",
        "name": "http://vikincdesigns.com/front.php"
      },
      {
        "id": "",
        "name": "http://lamotionpicture.com/front.php"
      },
      {
        "id": "",
        "name": "http://flash3hit.com/front.php"
      },
      {
        "id": "",
        "name": "http://flash-hit.com/front.php"
      },
      {
        "id": "",
        "name": "http://fatal-hit.com/front.php"
      },
      {
        "id": "",
        "name": "https://topgrandapp.monster/"
      },
      {
        "id": "",
        "name": "https://elitenewapp.monster/"
      },
      {
        "id": "",
        "name": "https://dipsos-troak.com/s/dl/AF91XGf9YAUA0oICAEVTFwAMAAAAAACx/051247.7z"
      },
      {
        "id": "",
        "name": "https://dipsos-troak.com/s/dl/AD6CXWf9YAUA0oICAEVTFwAMAAAAAABB/011258.7z"
      },
      {
        "id": "",
        "name": "https://dipsos-troak.com"
      },
      {
        "id": "",
        "name": "vikincdesigns.com"
      },
      {
        "id": "",
        "name": "lamotionpicture.com"
      },
      {
        "id": "",
        "name": "flash3hit.com"
      },
      {
        "id": "",
        "name": "flash-hit.com"
      },
      {
        "id": "",
        "name": "fatal-hit.com"
      },
      {
        "id": "",
        "name": "dipsos-troak.com"
      },
      {
        "id": "",
        "name": "writer.cc"
      },
      {
        "id": "",
        "name": "util.cc"
      },
      {
        "id": "",
        "name": "test.cc"
      },
      {
        "id": "",
        "name": "sqlite.cc"
      },
      {
        "id": "",
        "name": "signature.cc"
      },
      {
        "id": "",
        "name": "reader.cc"
      },
      {
        "id": "",
        "name": "portable.cc"
      },
      {
        "id": "",
        "name": "points.cc"
      },
      {
        "id": "",
        "name": "instruction.cc"
      },
      {
        "id": "",
        "name": "graph.cc"
      },
      {
        "id": "",
        "name": "differ.cc"
      },
      {
        "id": "",
        "name": "contributing.md"
      },
      {
        "id": "",
        "name": "config.cc"
      },
      {
        "id": "",
        "name": "classifier.cc"
      },
      {
        "id": "",
        "name": "colors.cc"
      },
      {
        "id": "",
        "name": "webrecentapp.monster"
      },
      {
        "id": "",
        "name": "webabilityapp.monster"
      },
      {
        "id": "",
        "name": "webnewapp.monster"
      },
      {
        "id": "",
        "name": "topgrandapp.monster"
      },
      {
        "id": "",
        "name": "topstarapp.monster"
      },
      {
        "id": "",
        "name": "sendspeed.monster"
      },
      {
        "id": "",
        "name": "saveactiveapps.monster"
      },
      {
        "id": "",
        "name": "safepowerapp.monster"
      },
      {
        "id": "",
        "name": "safegrandapp.monster"
      },
      {
        "id": "",
        "name": "runstarapp.monster"
      },
      {
        "id": "",
        "name": "linefreeapp.monster"
      },
      {
        "id": "",
        "name": "getglobal.monster"
      },
      {
        "id": "",
        "name": "freepowerapp.monster"
      },
      {
        "id": "",
        "name": "freeleaderapp.monster"
      },
      {
        "id": "",
        "name": "extragrandapp.monster"
      },
      {
        "id": "",
        "name": "elitenewapp.monster"
      },
      {
        "id": "",
        "name": "eliteleaderapp.monster"
      },
      {
        "id": "",
        "name": "cleanactiveapp.monster"
      },
      {
        "id": "",
        "name": "f4f4dd8a1fca44d6d7c78da7dc5741b91250eabf8faae79604c786672ea2efb8"
      },
      {
        "id": "",
        "name": "f1064a9546766a69b2df901a0d9df31d31b01c6507cf614ef3ab73f5869af524"
      },
      {
        "id": "",
        "name": "eaaec1cc3ee9a3d590d17c73ab7b174354c1c7be13d26026891424289d0c57fe"
      },
      {
        "id": "",
        "name": "e88cb0e892537a1dfd7d7d7a4802caeee43d25f871602466a735df0eb5096eb3"
      },
      {
        "id": "",
        "name": "e69a7a881daca7637220d0407454e678ef3a9cf373406b363179f002acd8144d"
      },
      {
        "id": "",
        "name": "d8f2f667708a14734a20d7731ab659fa1ab23ddd25ee96ba4ca33fedf4b7c613"
      },
      {
        "id": "",
        "name": "d43590b090ac1ece44ded29b03301323958e344394e94c439999f6a2d0648c53"
      },
      {
        "id": "",
        "name": "d2bcc865d00890a3ba675dc1952c3470205dc9811d4fb354a0b44630879df7c7"
      },
      {
        "id": "",
        "name": "d1a0115f4afe30d9a973cb18bf95d34b67b2d548b4d49989fd0e36399dc562d0"
      },
      {
        "id": "",
        "name": "cd72eaba97bb94947529a1e652e2d1cc7197b6224e00bf39e55ad634b7e82047"
      },
      {
        "id": "",
        "name": "cd0a77c945f9eb2a8e0cc7b16f00b8426b737618da06df7e65c1913eefbcc18b"
      },
      {
        "id": "",
        "name": "b974015e21e86ca6c89545e86e69732d4dd6e41d588aeb31e4e112a6cd0e237f"
      },
      {
        "id": "",
        "name": "b59e172cda955322b0cbdc152f723b82eef222014a631dc3b1d8fe4144480374"
      },
      {
        "id": "",
        "name": "b1cff28f26270779d53e14797430d77d9e44911976c916966e4ab2049aa5232e"
      },
      {
        "id": "",
        "name": "a6b5759a273fd6df4dcb0f5c82935b4b60a6f28bfb4d69b6c7c503c8614c39d0"
      },
      {
        "id": "",
        "name": "9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462"
      },
      {
        "id": "",
        "name": "8134948177ca6fc350b4c651f27137eaef8dabbb2daf9a1d0447bf1102cfd7d9"
      },
      {
        "id": "",
        "name": "82eda9820fc42229b2f75d075ef34d11d1b4feb598983640226770c5e2cf8475"
      },
      {
        "id": "",
        "name": "7e9d148d6ebcf927292bba0948ab4d006cb0667084a7f43c04ab7d7efcb9074b"
      },
      {
        "id": "",
        "name": "77bbf883dc365ca72fa4e5cd203055a2e14787fc363fbf3409ca266c0607185e"
      },
      {
        "id": "",
        "name": "76cbe366ea370235dfea2d72378f9d946e49370b4c7bac58e99073e117062e1f"
      },
      {
        "id": "",
        "name": "75cdf91e7f10807b81e9cc9754dc37d447d46912537f585e6f6b3e2a84fdb7df"
      },
      {
        "id": "",
        "name": "74ed663ad5369aed6f784d601c1755bbb12ab5df4c5111599332b1bf057d8fe9"
      },
      {
        "id": "",
        "name": "66241b0c08194263eeb62bae9c4e8ef7e38bb447e671638c9c340d305e23af16"
      },
      {
        "id": "",
        "name": "5b790d2d085d2498aa63822812562acc256a26febae6cc78563ba656eb9d0c1f"
      },
      {
        "id": "",
        "name": "5f01f481065fefdf0c34c7f1e0a5dd527857962dae46bcbddb4a2b941bf5a3dc"
      },
      {
        "id": "",
        "name": "4df98a4f9ecacf1f1676814ad5980dd94d7d33ce4b7d9aec9d96f3c3ea602363"
      },
      {
        "id": "",
        "name": "4c2c0de6474c17486e5abe2323da0abe4af395a89d0cc46994265ca7719e4ccc"
      },
      {
        "id": "",
        "name": "4c3772e12e710645341f18015c05f67e8f320dd13a4259eff05dacca4c664244"
      },
      {
        "id": "",
        "name": "49c74021ab818ff7a07c184c920585b96000e9079d5beaed3a3dc0ed2fd4834b"
      },
      {
        "id": "",
        "name": "4707b17284e0bdbb92d915e66a8fe4dff18441c958a5230c786d5af6fa05b4bd"
      },
      {
        "id": "",
        "name": "41c1006feead9af3e9a563e2814acc8550d36b991e0998015cee00ebb0ac4e85"
      },
      {
        "id": "",
        "name": "3938e304ddb11dc02b514e10daa2810bc91fd963e007f5bfba789846e08c6b8e"
      },
      {
        "id": "",
        "name": "2eae05e829f353c9a8d01683187eb759dbf73f90ccd435f03d46761b03247fbd"
      },
      {
        "id": "",
        "name": "23f064df01ee9eedf9e1341185505b86148873ccc0a922c64bb085ceb5b091fc"
      },
      {
        "id": "",
        "name": "27e48b5e7925fdc17bef8b7efb8576ee336dbfba31b5f3296bfa9d33c906e385"
      },
      {
        "id": "",
        "name": "23d0db70ba7848789fa117d25f2e94936cf06e58a03fc36647defdd91bf6f1ca"
      },
      {
        "id": "",
        "name": "21d325a59140755b3cf6b075d5e157f37c2771deb29ae7756092fa8978209f77"
      },
      {
        "id": "",
        "name": "1f8ec7a76f4486fdff94743275b2d65e1e4c871f7f933ed5c65c1dfca22909be"
      },
      {
        "id": "",
        "name": "1a43da62d09a56f50e2797cffb77001027461a6b5ef0713c63d96c60bf8ecadd"
      },
      {
        "id": "",
        "name": "17be6c8a4cf914056e5cb5d6a1d087069bd4c8d5a3ed104fefeace42c4fc6083"
      },
      {
        "id": "",
        "name": "082a0596b474806cc0ea58c4f7067a4f1166dbb4aa1800bc58af6f99f1209a4a"
      },
      {
        "id": "",
        "name": "038cbe87c4ddb39e7c7accc95d221950d96f2adb0649acaaea60258255c203a6"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:66221e5ddd7df254",
        "name": "RobotDropper",
        "slug": "robotdropper"
      },
      {
        "id": "legacy:malware:2eb9da8c85054d02",
        "name": "CurlyGate",
        "slug": "curlygate"
      },
      {
        "id": "legacy:malware:b193652c05e1326e",
        "name": "LegionLoader",
        "slug": "legionloader"
      },
      {
        "id": "legacy:malware:b874cf9cd0085058",
        "name": "Satacom",
        "slug": "satacom"
      }
    ],
    "intrusion_sets": [
      {
        "id": "73c742dc-4f80-4855-805d-86cef3391c6b",
        "name": "LegionLoader",
        "slug": "legionloader"
      }
    ],
    "attack_patterns": [
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "0192fd78-09e3-4fe4-a9d3-38a7137e15fa",
        "name": "T1055.002"
      },
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Brazil"
      }
    ]
  },
  "external_refs": [
    "https://tehtris.com/en/blog/legionloader-exposed/",
    "https://otx.alienvault.com/pulse/67aa04f81eb91601c0afbef4"
  ]
}