Evasive Campaign Pushing Legion Loader Malware
April 11, 2025, 10:25 a.m.
Description
A highly evasive web campaign uses clipboard hijacking to trick users into running MSI files that carry the Legion Loader malware. It relies on several cloaking layers: captcha pages, sites disguised as blogs, and dynamically generated download URLs. A malicious script on the lure page places content in the victim's clipboard and instructs them to paste it into the Windows Run dialog; doing so fetches and displays the MSI file. Victims reach the download pages through TDS (traffic distribution system) traffic or affiliate links carrying short-lived parameters; requested without a valid parameter, the same URLs return benign content. The campaign's infrastructure includes 76 domains, all disguised as blog sites, that resolve to a single IP address.
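The following is an added triage example, not code from the original advisory or from the researchers who reported the campaign. It applies a subset of the indicators listed on this page and the URL shape they share (an opaque path token such as /YmrXLWy8 or /wb followed by a keyword= parameter) to proxy-log lines. The log format, the log lines, and the path-token regex are constructed assumptions for illustration.

```python
# Added example (not part of the original advisory): triage helper that
# applies this page's indicators and the URL structure it describes to
# proxy-log lines. Domain/hash sets are a subset of the page's IOC list;
# the log format and log lines are constructed for illustration.
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Subset of the SHA-256 hashes and domains listed under Indicators.
IOC_SHA256 = {
    "eef55d89a46dd43a2bd72852a5bd2929458da58f293e65f951a1d17c3a784440",
    "21df75dccea2946c1a28d9c46e722cdeaee00482a57bca9286cda59b172b2d9b",
}
IOC_DOMAINS = {
    "yubit.co.za", "yoyep.co.za", "tevav.co.za", "ggtraff.ru", "gettraff.ru",
    "webfilelinkallez.com", "realfileshareallfun24.com", "best-knowledge-good24.com",
}

# Shape of the TDS / affiliate entry URLs on this page: a short opaque path
# token (e.g. /YmrXLWy8 or /wb) followed by a keyword= query parameter.
# The token length range is an assumption generalised from the listed URLs.
TDS_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,12}$")


def classify_url(url: str) -> list:
    """Return the reasons a URL matches the campaign (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("host in IOC list")
    query = parse_qs(parts.query)
    if TDS_PATH_RE.match(parts.path.rstrip("/")) and "keyword" in query:
        reasons.append("TDS entry shape (opaque path token + keyword= parameter)")
    return reasons


# Constructed proxy-log lines: "<epoch> <client-ip> <method> <url> <status>".
CONSTRUCTED_PROXY_LOG = """\
1744364712 10.0.0.5 GET http://yubit.co.za/YmrXLWy8?keyword=mahatma%20gandhi%20biography%20pdf%20download 200
1744364718 10.0.0.5 GET http://www.example.org/index.html 200
1744364725 10.0.0.7 GET http://ggtraff.ru/wb?keyword=moneygram%20appleton%20wi 302
1744364730 10.0.0.7 GET http://realfileshareallfun24.com/ 200
1744364740 10.0.0.9 GET http://unrelated.example/search/results?q=recipes 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(text: str) -> list:
    """Return (client, url, reasons) for every log line that matches the campaign."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        reasons = classify_url(m["url"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


def is_known_hash(hexdigest: str) -> bool:
    """True if a SHA-256 hex digest (any case) is one of the listed sample hashes."""
    return hexdigest.strip().lower() in IOC_SHA256


def is_known_sample(data: bytes) -> bool:
    """Hash file contents and compare against the listed sample hashes."""
    return is_known_hash(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(CONSTRUCTED_PROXY_LOG):
        print(client, url, "; ".join(reasons))
```

Match on the URL exactly as the proxy logged it, query string included: the advisory notes that these URLs return benign content when requested without a valid short-lived parameter, so re-fetching a stripped URL from a sandbox will not reproduce the lure and should not be used to clear a hit. A host-only match (the realfileshareallfun24.com line above) is still worth an alert, since the blog-disguised download domains are listed as indicators in their own right.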
Tags
Date
- Created: April 11, 2025, 9:01 a.m.
- Published: April 11, 2025, 9:01 a.m.
- Modified: April 11, 2025, 10:25 a.m.
Indicators
File hashes (SHA-256)
- eef55d89a46dd43a2bd72852a5bd2929458da58f293e65f951a1d17c3a784440
- 21df75dccea2946c1a28d9c46e722cdeaee00482a57bca9286cda59b172b2d9b
URLs
- http://yubit.co.za/YmrXLWy8?keyword=mahatma%20gandhi%20biography%20pdf%20download
- http://yoyep.co.za/YmrXLWy8?keyword=binomial%20theorem%20solution%20pdf%20worksheets%20answers%20answer/
- http://tevav.co.za/YmrXLWy8?keyword=camera%20canon%20powershot%20sx20is%20%C3%A9%20boa
- http://norin.co.za/YmrXLWy8?keyword=bobbi%20brown%20makeup%20artist%20training
- http://loheb.co.za/YmrXLWy8?keyword=paulo%20freire%20the%20banking%20concept%20of%20education%20analysis
- http://lovig.co.za/YmrXLWy8?keyword=modelo%20de%20memor%C3%A1ndum%20de%20llamada%20de%20atenci%C3%B3n%20por%20tardanza
- http://ggtraff.ru/wb?keyword=spill%20guts%20meaning%20in%20urdu
- http://gettraff.ru/wb?keyword=moneygram%20appleton%20wi
- http://fecuq.co.za/YmrXLWy8?keyword=%C3%A1lgebra%20y%20trigonometr%C3%ADa%20con%20geometr%C3%ADa%20anal%C3%ADtica%20ejercicios%20resueltos
- http://fecuq.co.za/YmrXLWy8?keyword=wilderness%20and%20the%20american%20mind%20chapter%20summaries
- http://colod.co.za/YmrXLWy8?keyword=how%20much%20is%20a%2020%20inch%20tv%20at%20walmart
Domains
- yoyep.co.za
- yubit.co.za
- webfilelinkallez.com
- webfile-link-all-easy.com
- yourdownloadbest.com
- upgradeupload.com
- themoreuploadllc.com
- thefile-share-every-fun.com
- thebetterfileupload.com
- tevav.co.za
- tappa-liter.com
- slud2mill.com
- sendfilelinkalleasy.com
- seid-incaic-mayda.com
- realmoreupload.com
- realfileshareallfun24.com
- realfilemindshareeveryfun.com
- realfilepartallfun.com
- realfilemindparteveryfun.com
- realfile-share-every-fun.com
- realcreditfileparteveryfun.com
- premiumknowledgegood24.com
- premiumexperiencegood.com
- pahmi-argyll-shivey.com
- norin.co.za
- mnem2ptt4brr-cats.com
- lovig.co.za
- loheb.co.za
- leto2nazi-glee.com
- infoaccessnetwork.com
- hine-crull-cared-exiler.com
- hell4rec.com
- greatknowledgegood24.com
- globalgreatexperiencegood.com
- great-experience-good24.com
- globalfileshareeveryfun24.com
- globalfileshareeveryfun.com
- globalfile-link-all-easy.com
- ggtraff.ru
- gettraff.ru
- fundus-dung-hause-tellee.com
- filelinkallezcompany.com
- fileshareallfun24.com
- fileparteveryfun24.com
- fileaccessnow.com
- fileaccessnetworksecurity.com
- fileaccessibilitynetwork.com
- file-share-every-fun.com
- fileaccesschannel.com
- file-link-all-simpleshop.com
- file-link-all-easy.com
- fecuq.co.za
- file-autolink-all-easy.com
- duad-tess-piki.com
- ecb4teg4sepd4bunt.com
- doup2dalf4if4shou.com
- creditfilechainalleasycompany.com
- creditfilechainallsimple.com
- creditfileparteveryfun.com
- creditfileaccessnetworkshop.com
- creditfile-share-every-fun.com
- colod.co.za
- carien-shafii.com
- cannel-hubshi-tock-perit.com
- byrls-unfar-tankka.com
- best-knowledge-top.com
- best-knowledge-good24.com
- berapt-medii.com
- alae-bema4om-ef.com
- ated-troy.com