Thursday, April 24, 2025
Homecyber securityThreat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader

Threat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader

Published on

SIEM as a Service

Follow Us on Google News

In a sophisticated attack targeting individuals searching for PDF documents online, cybercriminals are using deceptive CAPTCHA mechanisms combined with Cloudflare’s Turnstile to distribute the LegionLoader malware.

According to Netskope Threat Labs, this campaign, which started in February 2025, has affected over 140 customers primarily in North America, Asia, and Southern Europe, with the technology and financial sectors being the most targeted.

The Deceptive CAPTCHA Scheme

The infection begins when a victim, looking for a specific PDF document, is directed to a malicious website.

- Advertisement - Google News

Here, they encounter a fake CAPTCHA, which, upon interaction, leads them through a sequence of misleading confirmations, including a secondary Cloudflare Turnstile CAPTCHA.

LegionLoader
Fake CAPTCHA in PDF

The attackers cleverly use these steps to install browser notification prompts, convincing users to enable notifications.

Those who comply are further manipulated into executing downloaded MSI files, believing they are accessing the PDF they initially sought.

Technical Execution

The attack utilizes a legitimate VMware-signed application named “Kilo Verfair Tools” to sideload a malicious DLL.

This DLL, disguised as an OpenSSL library, starts the payload execution by decoding a large chunk of data into shellcode and the LegionLoader payload.

The shellcode, after being deobfuscated via a custom algorithm, uses techniques like API Hammering for evasion.

This leads to the creation of an explorer.exe process through Process Hollowing, where the malicious payload is injected.

LegionLoader
Registered program name

Upon execution, the payload sets off a series of PowerShell scripts.

The initial script decodes and performs several deobfuscation steps to reveal URLs for downloading further payloads, which are encrypted using AES and executed to install a malicious browser extension.

This extension, masquerading as “Save to Google Drive,” targets various browsers like Chrome, Edge, and Opera, granting it permissions to access and steal sensitive information, including clipboard data, cookies, and browsing history.

Netskope Threat Labs has documented this chain of infection in detail, highlighting the attackers’ adept use of existing tools and platforms to bypass security measures.

By exploiting the trust users have in well-known services like Cloudflare’s Turnstile and the need for PDF documents, these threat actors manage to install a powerful information-stealing extension.

The analysis underscores the need for heightened awareness and robust security protocols to prevent such sophisticated phishing and malware attacks.

As Netskope continues its surveillance, further insights into these malicious activities are expected, aiding in the development of more effective defense mechanisms.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Blue Shield Exposed Health Data of 4.7 Million via Google Ads

Blue Shield of California has disclosed a significant data privacy incident affecting up to...

Microsoft Offers $30,000 Bounties for AI Security Flaws

Microsoft has launched a new bounty program that offers up to $30,000 to security...

The Human Firewall: Strengthening Your Weakest Security Link

Despite billions spent annually on cybersecurity technology, organizations continue to experience breaches with alarming...

WhatsApp Launches Advanced Privacy Tool to Secure Private Chats

WhatsApp, the world’s leading messaging platform, has unveiled a major privacy upgrade called "Advanced...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Blue Shield Exposed Health Data of 4.7 Million via Google Ads

Blue Shield of California has disclosed a significant data privacy incident affecting up to...

Microsoft Offers $30,000 Bounties for AI Security Flaws

Microsoft has launched a new bounty program that offers up to $30,000 to security...

The Human Firewall: Strengthening Your Weakest Security Link

Despite billions spent annually on cybersecurity technology, organizations continue to experience breaches with alarming...