Researchers at TEHTRIS Threat Intelligence have uncovered a new wave of LegionLoader, a malware downloader also known as Satacom, CurlyGate, and RobotDropper. This sophisticated threat has been rapidly gaining momentum, with over 2,000 samples identified in recent weeks.
According to TEHTRIS, the ongoing campaign began on December 19, 2024, and has since spread globally, with Brazil emerging as the most affected country, accounting for around 10% of reported cases.
LegionLoader primarily infects systems through drive-by downloads, where users unknowingly download malicious software from compromised websites.
The operators rely on illegal download platforms and poorly secured web pages that redirect victims to Mega cloud-storage links; the landing pages are taken down shortly afterwards. Each Mega link serves a single ZIP archive, which in turn holds a password-protected 7-Zip archive, so security tools cannot inspect the payload without the password.
A separate image file bundled alongside the archive displays the extraction password, nudging the victim to unpack the contents and run the malware themselves.
Once extracted, LegionLoader is deployed as an MSI (Microsoft Installer) file, which still requires the user to launch it. TEHTRIS researchers found that antivirus detection rates for these MSI files range between 3 and 9 out of 60 engines, showing how effectively the samples evade signature-based scanning.
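The delivery chain described above has a recognisable shape before any password is entered: a ZIP that contains a single nested 7-Zip archive plus an image file carrying the password. The following Python script is an added example written for this page, not tooling from TEHTRIS or from the campaign, that flags that shape by checking member magic bytes rather than file extensions. The sample archives it builds are constructed in memory for illustration and contain only header bytes, not real malware.

```python
import io
import zipfile

# Magic bytes used to classify ZIP members regardless of their extension.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
IMAGE_MAGICS = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def classify(head: bytes) -> str:
    """Classify a member by the first bytes of its content."""
    if head.startswith(SEVEN_ZIP_MAGIC):
        return "7z"
    for name, magic in IMAGE_MAGICS.items():
        if head.startswith(magic):
            return name
    return "other"


def inspect_zip(data: bytes) -> dict:
    """Return indicators for the 'one nested 7z archive plus a password image' lure.

    The nested 7z cannot be opened without the password shown in the image,
    so this heuristic flags the container shape rather than the payload.
    """
    nested_7z, images, others = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            with zf.open(member) as fh:
                kind = classify(fh.read(16))
            if kind == "7z":
                nested_7z.append(member.filename)
            elif kind in IMAGE_MAGICS:
                images.append(member.filename)
            else:
                others.append(member.filename)
    return {
        "nested_7z": nested_7z,
        "images": images,
        "others": others,
        # Lure shape: exactly one 7z archive, at least one image, nothing else.
        "matches_lure": len(nested_7z) == 1 and len(images) >= 1 and not others,
    }


def build_lure_sample() -> bytes:
    """Constructed sample mimicking the lure layout (header bytes only, no payload).

    The 7z member is given a misleading .dat extension to show that
    classification relies on magic bytes, not names.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.dat", SEVEN_ZIP_MAGIC + b"\x00\x04" + b"\x00" * 26)
        zf.writestr("password.png", IMAGE_MAGICS["png"] + b"\x00" * 16)
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed benign ZIP: two text documents, no archive, no image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"hello world")
        zf.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip(build_lure_sample()))
    print(inspect_zip(build_benign_sample()))
```

The check is deliberately narrow: it does not try to parse the nested 7-Zip header or verify that it is encrypted, because with default 7-Zip settings the coder information is itself compressed and the password is needed to go further. It is meant as a triage filter for downloads arriving from file-sharing links, not as a replacement for sandboxing the MSI that eventually emerges.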
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents