New Evasive Campaign Delivers LegionLoader via Fake CAPTCHA & CloudFlare Turnstile
April 7, 2025, 8:35 a.m.
Description
A new malicious campaign has been discovered targeting users searching for PDF documents online. The attack uses fake CAPTCHA pages and Cloudflare Turnstile challenges to deliver the LegionLoader malware, which then installs a malicious browser extension. The infection chain involves a drive-by download, execution of a VMware-signed application that sideloads a malicious DLL, and process hollowing to inject the LegionLoader payload. The browser extension, disguised as 'Save to Google Drive', is installed on the Chrome, Edge, Brave and Opera browsers to steal sensitive user data and monitor Bitcoin activity. The campaign has affected over 140 customers, primarily in North America, Asia and Southern Europe, with the technology and financial services sectors being the most targeted.
Date
- Created: April 5, 2025, 7:55 a.m.
- Published: April 5, 2025, 7:55 a.m.
- Modified: April 7, 2025, 8:35 a.m.
Indicators
Additional Information
- Technology
- Finance
- United States of America