In a sophisticated attack targeting individuals searching for PDF documents online, cybercriminals are using deceptive CAPTCHA mechanisms combined with Cloudflare’s Turnstile to distribute the LegionLoader malware.
According to Netskope Threat Labs, this campaign, which started in February 2025, has affected over 140 customers primarily in North America, Asia, and Southern Europe, with the technology and financial sectors being the most targeted.
The Deceptive CAPTCHA Scheme
The infection begins when a victim, looking for a specific PDF document, is directed to a malicious website.
.png
)
Here, they encounter a fake CAPTCHA, which, upon interaction, leads them through a sequence of misleading confirmations, including a secondary Cloudflare Turnstile CAPTCHA.
The attackers cleverly use these steps to install browser notification prompts, convincing users to enable notifications.
Those who comply are further manipulated into executing downloaded MSI files, believing they are accessing the PDF they initially sought.
Technical Execution
The attack utilizes a legitimate VMware-signed application named “Kilo Verfair Tools” to sideload a malicious DLL.
This DLL, disguised as an OpenSSL library, starts the payload execution by decoding a large chunk of data into shellcode and the LegionLoader payload.
The shellcode, after being deobfuscated via a custom algorithm, uses techniques like API Hammering for evasion.
This leads to the creation of an explorer.exe process through Process Hollowing, where the malicious payload is injected.
Upon execution, the payload sets off a series of PowerShell scripts.
The initial script decodes and performs several deobfuscation steps to reveal URLs for downloading further payloads, which are encrypted using AES and executed to install a malicious browser extension.
This extension, masquerading as “Save to Google Drive,” targets various browsers like Chrome, Edge, and Opera, granting it permissions to access and steal sensitive information, including clipboard data, cookies, and browsing history.
Netskope Threat Labs has documented this chain of infection in detail, highlighting the attackers’ adept use of existing tools and platforms to bypass security measures.
By exploiting the trust users have in well-known services like Cloudflare’s Turnstile and the need for PDF documents, these threat actors manage to install a powerful information-stealing extension.
The analysis underscores the need for heightened awareness and robust security protocols to prevent such sophisticated phishing and malware attacks.
As Netskope continues its surveillance, further insights into these malicious activities are expected, aiding in the development of more effective defense mechanisms.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
