Malware campaign attacks users via fake CAPTCHAs
The hackers have attacked over 140 Netskope customers situated in Asia, North America, and Southern Europe throughout different segments, driven by the financial and tech sectors.
Netskope has been examining different phishing and malware campaigns targeting users who look for PDF documents online. Hackers use tricky ways within these PDFs to resend victims to malicious websites or lure them into downloading malware. In the newly found campaign, they used fake CAPTCHAs and Cloudflare Turnstile to distribute the LegionLoader payload.
Important stages in the attack chain
The infection begins with a drive-by download when a target looks for a particular document and is baited to a malicious site.
The downloaded file contains a fake CAPTCHA. If clicked, it redirects the user via a Clloudfare Turnstile CAPTCHA to a notification page.
In the last step, victims are urged to allow browser notifications.