Monday, May 19, 2025
Homecyber securityThreat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader

Threat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader

Published on

SIEM as a Service

Follow Us on Google News

In a sophisticated attack targeting individuals searching for PDF documents online, cybercriminals are using deceptive CAPTCHA mechanisms combined with Cloudflare’s Turnstile to distribute the LegionLoader malware.

According to Netskope Threat Labs, this campaign, which started in February 2025, has affected over 140 customers primarily in North America, Asia, and Southern Europe, with the technology and financial sectors being the most targeted.

The Deceptive CAPTCHA Scheme

The infection begins when a victim, looking for a specific PDF document, is directed to a malicious website.

- Advertisement - Google News

Here, they encounter a fake CAPTCHA, which, upon interaction, leads them through a sequence of misleading confirmations, including a secondary Cloudflare Turnstile CAPTCHA.

LegionLoader
Fake CAPTCHA in PDF

The attackers cleverly use these steps to install browser notification prompts, convincing users to enable notifications.

Those who comply are further manipulated into executing downloaded MSI files, believing they are accessing the PDF they initially sought.

Technical Execution

The attack utilizes a legitimate VMware-signed application named “Kilo Verfair Tools” to sideload a malicious DLL.

This DLL, disguised as an OpenSSL library, starts the payload execution by decoding a large chunk of data into shellcode and the LegionLoader payload.

The shellcode, after being deobfuscated via a custom algorithm, uses techniques like API Hammering for evasion.

This leads to the creation of an explorer.exe process through Process Hollowing, where the malicious payload is injected.

LegionLoader
Registered program name

Upon execution, the payload sets off a series of PowerShell scripts.

The initial script decodes and performs several deobfuscation steps to reveal URLs for downloading further payloads, which are encrypted using AES and executed to install a malicious browser extension.

This extension, masquerading as “Save to Google Drive,” targets various browsers like Chrome, Edge, and Opera, granting it permissions to access and steal sensitive information, including clipboard data, cookies, and browsing history.

Netskope Threat Labs has documented this chain of infection in detail, highlighting the attackers’ adept use of existing tools and platforms to bypass security measures.

By exploiting the trust users have in well-known services like Cloudflare’s Turnstile and the need for PDF documents, these threat actors manage to install a powerful information-stealing extension.

The analysis underscores the need for heightened awareness and robust security protocols to prevent such sophisticated phishing and malware attacks.

As Netskope continues its surveillance, further insights into these malicious activities are expected, aiding in the development of more effective defense mechanisms.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems

Cybersecurity researchers have unearthed a sophisticated attack leveraging AutoIT, a long-standing scripting language known...

New Report Finds 67% of Organizations Experienced Cyber Attacks in the Last Year

A disturbing 67% of businesses in eight worldwide markets—the US, UK, Spain, the Netherlands,...

Auth0-PHP Vulnerability Enables Unauthorized Access for Attackers

Critical security vulnerability has been discovered in the Auth0-PHP SDK that could potentially allow...

Active Exploitation of Ivanti EPMM Zero-Day Vulnerability in the Wild

Security researchers at The Shadowserver Foundation have identified active exploitation attempts targeting a critical...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems

Cybersecurity researchers have unearthed a sophisticated attack leveraging AutoIT, a long-standing scripting language known...

New Report Finds 67% of Organizations Experienced Cyber Attacks in the Last Year

A disturbing 67% of businesses in eight worldwide markets—the US, UK, Spain, the Netherlands,...

Auth0-PHP Vulnerability Enables Unauthorized Access for Attackers

Critical security vulnerability has been discovered in the Auth0-PHP SDK that could potentially allow...