Threat actors are using fake CAPTCHA pages and Cloudflare Turnstile checks to distribute the LegionLoader malware, which ultimately installs a malicious browser extension built to steal sensitive user data. Netskope Threat Labs, which has tracked the campaign since February 2025, describes a multi-stage infection chain aimed at people searching for PDF documents online, and lists the fake CAPTCHAs, the Turnstile checks, and the MSI files they deliver as the campaign's key indicators. The MSI's real purpose is not to install anything legitimate but to run a batch script named "logd.bat", which extracts DLLs from an archive and launches a file signed with a VMware certificate (an arrangement consistent with DLL side-loading), starting the LegionLoader infection. The resulting extension targets Google Chrome, Microsoft Edge, Brave, and Opera, grants itself extensive permissions over user data, including cookies and browsing history, and even monitors Bitcoin-related activity.
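The article says the extension reaches across Chrome, Edge, Brave, and Opera and grants itself cookie and history access. One way to hunt for extensions with that permission profile is to parse every installed extension's manifest.json and score the permissions it requests. The following Python script is an added example, not code from the article or from Netskope: the permission weights, the threshold, the Windows profile paths for the four browsers, and the two sample manifests are all assumptions or constructed data, and only the "Default" profile is walked.

```python
"""Hunt for Chromium-based browser extensions that request data-theft-grade
permissions (cookies, history, broad host access).

Added example, not code from the article or from Netskope. The profile
paths are assumed Windows defaults; profiles other than "Default" are not
walked. Weights and threshold are arbitrary tuning knobs."""
import json
import os
from pathlib import Path

# API permissions a cookie/history stealer would need, with assumed weights.
RISKY_PERMISSIONS = {
    "cookies": 3,             # read/write cookies for any granted host
    "history": 2,
    "webRequest": 2,
    "webRequestBlocking": 2,
    "nativeMessaging": 2,     # talk to a native helper binary
    "tabs": 1,
    "scripting": 1,
    "declarativeNetRequest": 1,
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISK_THRESHOLD = 4  # assumed cut-off for "flagged"

# Assumed default extension directories on Windows for the four browsers
# the article names (expanded with os.path.expandvars at scan time).
EXTENSION_DIRS = {
    "chrome": r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions",
    "edge": r"%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions",
    "brave": r"%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Extensions",
    "opera": r"%APPDATA%\Opera Software\Opera Stable\Extensions",
}


def assess_manifest(manifest: dict) -> dict:
    """Score one manifest.json (MV2 or MV3) and return the findings."""
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    api_perms = perms - hosts
    hits = sorted(p for p in api_perms if p in RISKY_PERMISSIONS)
    score = sum(RISKY_PERMISSIONS[p] for p in hits)
    broad = sorted(h for h in hosts if h in BROAD_HOSTS)
    if broad:
        score += 3
    # A content script matched on every site is another all-sites foothold.
    for cs in manifest.get("content_scripts", []):
        matches = set(cs.get("matches", []))
        if BROAD_HOSTS & matches:
            score += 2
            broad.append("content_scripts:" + ",".join(sorted(matches)))
            break
    return {
        "name": manifest.get("name", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "risky_permissions": hits,
        "broad_hosts": broad,
        "score": score,
        "flagged": score >= RISK_THRESHOLD,
    }


def scan_browser_extensions(dirs: dict = EXTENSION_DIRS) -> list:
    """Walk <Extensions>/<id>/<version>/manifest.json for each browser."""
    findings = []
    for browser, raw in dirs.items():
        root = Path(os.path.expandvars(raw))
        if not root.is_dir():
            continue  # browser not installed, or not a Windows host
        for manifest_path in root.glob("*/*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            result = assess_manifest(manifest)
            result.update(browser=browser, extension_id=manifest_path.parts[-3],
                          path=str(manifest_path))
            findings.append(result)
    return findings


# Constructed sample manifests (not real indicators from the campaign).
SAMPLE_STEALER = {
    "manifest_version": 3,
    "name": "PDF Helper",
    "permissions": ["cookies", "history", "tabs", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}
SAMPLE_BENIGN = {
    "manifest_version": 3,
    "name": "Dark Theme",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "css": ["dark.css"]}],
}

if __name__ == "__main__":
    for m in (SAMPLE_STEALER, SAMPLE_BENIGN):
        print(assess_manifest(m))
    for f in scan_browser_extensions():
        if f["flagged"]:
            print(f"[{f['browser']}] {f['name']} ({f['extension_id']}): "
                  f"{f['risky_permissions']} {f['broad_hosts']}")
```

On a live Windows host the script reports any extension whose score crosses the threshold, with its extension ID and manifest path for follow-up; the extension ID matters because a side-loaded extension will not be in the browser's web store, so a store lookup that fails is itself a finding worth checking.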
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 07 Apr 2025 13:10:07 +0000