Threat actors are leveraging fake CAPTCHAs and Cloudflare Turnstile to distribute the LegionLoader malware, ultimately leading to the installation of a malicious browser extension designed to steal sensitive user data.
Netskope Threat Labs has been tracking this campaign since February 2025, revealing a complex infection chain that targets individuals searching for PDF documents online.
The attack begins when victims, lured by search engine results, open a PDF document that contains a fake CAPTCHA.
Upon clicking the CAPTCHA, users are redirected through a series of steps involving Cloudflare Turnstile CAPTCHAs and browser notification requests.
If the victim consents to receive notifications, they are further directed to download what appears to be the document they were seeking. However, this process is a ruse to execute a command that downloads an MSI installer.
The MSI file, when executed, registers an application named “Kilo Verfair Tools”, which includes several custom actions. One of these actions launches SumatraPDF, a legitimate document viewer, to maintain the illusion that the victim is simply viewing a document.

However, the real purpose is to execute a batch script named “logd.bat”, which extracts DLLs from an archive and runs a file signed with a VMware certificate, initiating the malware infection.
Fake CAPTCHAs and Cloudflare Turnstile
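The chain above (MSI custom action handing off to a batch script, which then runs a signed binary that loads a rogue DLL) is something endpoint telemetry can flag. The following is an added example, not code from Netskope or from the report: a small process-tree detector over constructed process-creation and image-load events. The event schema, the signer strings, the Temp paths and the DLL name are all assumptions made for illustration; the report names only “logd.bat”, SumatraPDF and a VMware-signed file.

```python
"""
Added example (not from the Netskope report): a minimal process-tree
detector for the MSI -> batch script -> signed-binary-plus-rogue-DLL
chain described above. Event schema and all sample values are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                           # full path of the executable
    cmdline: str
    signer: str = ""                     # code-signing subject, "" if unsigned
    loaded_dlls: List[Tuple[str, str]] = field(default_factory=list)  # (path, signer)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    """Coarse heuristic: anything under C:\\Users is writable by the user."""
    return path.lower().startswith("c:\\users\\")


def ancestors(events, pid):
    """Image basenames from pid up to the root of the tree (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (rule, pid) findings for the two behaviours worth alerting on."""
    findings = []
    for e in events:
        chain = ancestors(events, e.pid)
        # Rule 1: a shell launched under msiexec to run a .bat file, i.e. an
        # MSI custom action handing off to a batch script.
        if chain[0] == "cmd.exe" and ".bat" in e.cmdline.lower() and "msiexec.exe" in chain[1:]:
            findings.append(("msiexec_batch_action", e.pid))
        # Rule 2: a signed executable loading an unsigned DLL from a
        # user-writable directory (the side-loading step).
        if e.signer:
            for dll_path, dll_signer in e.loaded_dlls:
                if not dll_signer and is_user_writable(dll_path):
                    findings.append(("unsigned_dll_from_user_dir", e.pid))
                    break
    return findings


TEMP = r"C:\Users\victim\AppData\Local\Temp"   # constructed path

# Constructed sample telemetry following the chain in the write-up.
# Signer subjects are illustrative; the DLL name is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", "Microsoft Windows"),
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i document.msi", "Microsoft Windows"),
    ProcEvent(300, 200, TEMP + r"\SumatraPDF.exe", "SumatraPDF.exe document.pdf"),  # decoy viewer
    ProcEvent(400, 200, r"C:\Windows\System32\cmd.exe", f'cmd.exe /c "{TEMP}\\logd.bat"'),
    ProcEvent(500, 400, TEMP + r"\tool.exe", "tool.exe", "VMware, Inc.",
              [(TEMP + r"\ssl_lookalike.dll", "")]),
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 keys on the parent chain rather than on the file name “logd.bat”, so a renamed script still trips it; Rule 2 is the generic side-loading signal and will also catch benign developer tooling loading unsigned DLLs from a profile directory, so it is best scored together with Rule 1 rather than alerted on alone.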
The malicious DLL, disguised as a legitimate OpenSSL library, decodes and executes the LegionLoader payload. This payload uses a custom algorithm to deobfuscate shellcode, employing techniques like API Hammering to evade detection.
The shellcode then decrypts and loads the final payload into a newly created “explorer.exe” process using Process Hollowing.
Once the LegionLoader is active, it downloads and executes a PowerShell script. This script undergoes multiple layers of deobfuscation, including Base64 decoding and XOR decryption, to retrieve and execute another payload.
This second stage involves further obfuscation and decryption, ultimately leading to the installation of a malicious browser extension.
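The Base64-then-XOR nesting described for the PowerShell stage is the part an analyst has to unwind before the next payload can be read. The following is an added example, not code from Netskope or from the campaign: a layer-peeling helper that strictly Base64-decodes, folds UTF-16LE (the encoding PowerShell's `-EncodedCommand` uses) back to ASCII, and tries candidate XOR keys until readable script text appears. The sample stager, its nesting and the key are constructed here; in a real analysis the key comes from the script's own decoding routine.

```python
"""
Added example (not from the Netskope report): peel nested Base64 / XOR
layers off a PowerShell stager blob. The sample stager and the key are
constructed here; a real analysis reads the key from the script's own
decoding routine.
"""
import base64
import binascii
import re

TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or whitespace (a readable script)."""
    return len(data) > 0 and all(b in TEXT_BYTES for b in data)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def try_base64(data: bytes):
    """Strict Base64 decode after removing whitespace; None if not Base64."""
    compact = re.sub(rb"\s+", b"", data)
    if not compact:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def utf16le_to_ascii(data: bytes) -> bytes:
    """PowerShell -EncodedCommand carries UTF-16LE; fold it to ASCII if it is."""
    if len(data) >= 2 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        return data[0::2]
    return data


def peel_layers(blob: bytes, key_candidates, max_depth=8):
    """Return [(layer_kind, decoded_bytes), ...] until a readable script emerges."""
    layers = []
    current = blob
    for _ in range(max_depth):
        decoded = try_base64(current)
        if decoded is not None:
            decoded = utf16le_to_ascii(decoded)
            layers.append(("base64", decoded))
            current = decoded
            continue
        if looks_like_text(current):
            break                      # readable script reached
        for key in key_candidates:
            candidate = xor_bytes(current, key)
            if looks_like_text(candidate):
                layers.append(("xor:" + key.hex(), candidate))
                current = candidate
                break
        else:
            break                      # no key produced readable output
    return layers


# Constructed stager: Base64( Base64( XOR(script, key) ) ), mimicking the
# nesting described above. Script text and key are placeholders.
FINAL_SCRIPT = b"Set-Content -Path stage2.txt -Value 'constructed inner payload'"
XOR_KEY = bytes([0x5A, 0x13])
SAMPLE_STAGER = base64.b64encode(base64.b64encode(xor_bytes(FINAL_SCRIPT, XOR_KEY)))


def recovered_script(stager=SAMPLE_STAGER, keys=(bytes([0x41]), XOR_KEY)):
    """Innermost layer the peeler reaches, or b'' if nothing decoded."""
    layers = peel_layers(stager, keys)
    return layers[-1][1] if layers else b""


if __name__ == "__main__":
    for kind, data in peel_layers(SAMPLE_STAGER, (bytes([0x41]), XOR_KEY)):
        print(f"{kind:10s} {data[:40]!r}")
```

The stopping rule matters: the loop only tries XOR when the current buffer is neither valid Base64 nor readable text, so it will not keep “decrypting” a script that is already plain, and a wrong key (0x41 in the sample) is rejected because it yields control bytes.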
The extension, named “Save to Google Drive,” mimics a legitimate Google service but is designed to steal sensitive information.
It targets multiple browsers, including Google Chrome, Microsoft Edge, Brave, and Opera, granting itself extensive permissions to access user data, including cookies and browsing history, and even monitoring Bitcoin activity. This data is then exfiltrated to the attackers.
Netskope Threat Labs has identified several indicators of this campaign, including the use of fake CAPTCHAs, Cloudflare Turnstile, and the distribution of MSI files that lead to the installation of LegionLoader.
They have reported the malicious URLs to various web hosting services and have provided proactive coverage against this threat through their Advanced Threat Protection.
This campaign underscores the evolving tactics of cybercriminals who exploit everyday online activities like document searches to distribute malware.
Users are advised to be cautious with CAPTCHAs and browser notifications, especially when downloading files from unknown sources.
Netskope continues to monitor these threats, emphasizing the importance of robust cybersecurity measures to protect against such sophisticated attacks.