Thursday, May 15, 2025

Dropper-for-Hire – Hackers Using a Single Malware to Drop 6 Different Malware in Targeted Systems


Researchers have observed a new malware campaign built on a dropper-for-hire model: a single dropper delivers six different malware families to the targeted victims, which then carry out a variety of malicious activities.

Collaboration between malware authors and other threat actors to develop sophisticated malware has become increasingly common.

In this case, the dropper and the campaign it is associated with involve multiple types of malware, which is why the researchers refer to it as a “Hornet’s Nest”.


The malware campaign includes multiple types of info-stealers, backdoors, a file-less cryptocurrency stealer built into the dropper itself, and occasionally a crypto-miner as well.

Legion Loader

Researchers track the dropper under the name “Legion Loader”, the label already used for it in various network intrusion and emerging-threats rule sets.

Legion Loader is written in MS Visual C++ 8 and is believed to be the work of a Russian-speaking developer.

According to Deep Instinct’s blog post, Legion Loader ships with a variety of evasion features, covering both VMs/sandboxes (VMware, VBOX, etc.) and research tools (common debuggers, SysInternals utilities, Wireshark, PETools, etc.). In many cases, however, it lacks string obfuscation, which allows for fairly straightforward analysis.

Once Legion Loader has been dropped and is running on the targeted system, it connects to its command-and-control (C2) server for further instructions, and it terminates itself if it does not receive the expected response.

Upon a successful connection, it proceeds to download and execute two to three hard-coded payloads from the C2 server.

Legion Loader targets victims in both the United States and Europe. It is intended to deliver two to three additional malware executables, and it also features a built-in file-less cryptocurrency stealer and browser-credential harvester.

“Legion Loader is, as mentioned above, very aptly named; and is a classic case-in-point of how even a relatively low-sophistication malware can become a security nightmare for an organization, employing more advanced file-less techniques and delivering a myriad of follow-up malware ranging from info-stealers and credential harvesters to crypto-miners and backdoors,” the researchers said.

You can find the complete Indicators of Compromise here.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
