Evasive Campaign Pushing Legion Loader Malware

NetmanageIT OpenCTI - opencti.netmanageit.com



SUMMARY:

A highly evasive web campaign uses clipboard hijacking (pastejacking) to trick users into running MSI files that carry the Legion Loader malware. The campaign employs multiple cloaking strategies, including captcha pages, sites disguised as blogs, and dynamic download URLs. The malicious script places content on the victim's clipboard and instructs the victim to paste it into a Run window; the pasted command downloads and displays the MSI file. Victims are led to the malicious download pages through TDS traffic or affiliate links carrying short-lived parameters; when a URL is accessed without valid parameters, it serves benign content instead. The campaign's infrastructure includes 76 domains resolving to a single IP address, all disguised as blog sites.

OPENCTI LABELS:

cloaking, clipboard hijacking, affiliate links, pastejacking

