216.73.216.78

New Evasive Campaign Delivers LegionLoader via Fake CAPTCHA & CloudFlare Turnstile

· Published 05/04/2025 07:55 · Modified 07/04/2025 08:35

Export JSON

Essential information

Published
05/04/2025 07:55
Modified
07/04/2025 08:35
Tags
2025-04-05 browser extension captcha cloudflare turnstile drive-by-download legionloader phishing process-hollowing
Related entities
5 observables, 11 techniques (mitre), 1 malware, 3 others

Description

A new malicious campaign has been discovered targeting users searching for PDF documents online. The attack uses fake CAPTCHAs and to deliver malware, which then installs a malicious . The infection chain involves a drive-by download, execution of a VMware-signed application that sideloads a malicious DLL, and use of process hollowing to inject the payload. The , disguised as 'Save to Google Drive', is installed on Chrome, Edge, Brave and Opera browsers to steal sensitive user data and monitor Bitcoin activities. The campaign has affected over 140 customers, primarily in North America, Asia and Southern Europe, with technology and financial services sectors being the most targeted.

External references