Dissecting OnionDrop: Commoditized Loader with Nation-State-Grade Evasion

    Date: 06/12/2026

    Severity: High

    Summary

OnionDrop is a sophisticated multi-stage malware loader designed to deliver infostealers such as LegionLoader (CurlyGate), CGrabber, and Vidar Stealer at scale. The loader employs advanced evasion techniques, including DLL sideloading, layered decoding and decryption, dynamic API resolution, anti-analysis mechanisms, and shellcode execution through Windows Thread Pool callbacks, making detection and analysis highly challenging. Despite being used in commodity malware campaigns, OnionDrop demonstrates a level of stealth and engineering comparable to advanced threat operations, enabling large-scale deployment of credential-stealing payloads.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://gainmsg.com/nfront.php

    Hashes (SHA-256):

    8559e535128805f1e31fa7a15b33d25ae498915c7b88ea5142cf38858d551a53

    f09be48aab38dc85b7ad46efb98897617af66014ded44a7cf1bddaab59d9dad2

    18bb95789e8727be0d98d9a5fce027f0f514e74192c7736b3afa297d2ee4a8fb

    070a97bf5bcba13c41266a79357e2a5b8d6f4e353db7427bd8ccabceee5c96e3

    892f1bd9663c7e14855a0238e0fbb5b2396000b3396ceda79947374a3da78912

    c9b96846c9a49ddbed9e143b098972e1d7880654f763bb504d2f7b5d2ab1dafb

    fb31df58549031f0ea24b250b214cbab9eafa39adaa715c675f328f7370904c7

    f6e5f7445b9ea717513a04d04acfa343025ca35302d025de33935e176a83f6ae

    0a8914b4f794ebc8ea1ce08dd4b5da918cd9697443007622100b0ba0731d428c

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://gainmsg.com/nfront.php" or url like "https://gainmsg.com/nfront.php" or siteurl like "https://gainmsg.com/nfront.php"

    Detection Query 2:

    sha256hash IN ("070a97bf5bcba13c41266a79357e2a5b8d6f4e353db7427bd8ccabceee5c96e3","c9b96846c9a49ddbed9e143b098972e1d7880654f763bb504d2f7b5d2ab1dafb","f09be48aab38dc85b7ad46efb98897617af66014ded44a7cf1bddaab59d9dad2","18bb95789e8727be0d98d9a5fce027f0f514e74192c7736b3afa297d2ee4a8fb","f6e5f7445b9ea717513a04d04acfa343025ca35302d025de33935e176a83f6ae","8559e535128805f1e31fa7a15b33d25ae498915c7b88ea5142cf38858d551a53","892f1bd9663c7e14855a0238e0fbb5b2396000b3396ceda79947374a3da78912","fb31df58549031f0ea24b250b214cbab9eafa39adaa715c675f328f7370904c7","0a8914b4f794ebc8ea1ce08dd4b5da918cd9697443007622100b0ba0731d428c")
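The two queries above are expressed in Gurucul TDIR syntax. As an added example (not Gurucul's or Cyderes' code), the block below applies the same two checks to dict-shaped events in Python so that an analyst can test the logic offline against exported telemetry. It goes slightly beyond the queries as written: hashes are compared case-insensitively (EDR and sandbox exports disagree on casing), and the URL check matches on the hostname as well as the exact URL, so a bare domain in a DNS log or a different path or scheme on the same host still surfaces (Query 1 as written would only match the full URL string). The field names `sha256hash`, `url`, `siteurl` and `domainname` are taken from the queries; the `id` field and the sample events are constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators from the advisory above (the only page-specific values used here).
IOC_URL = "https://gainmsg.com/nfront.php"
IOC_HOST = urlsplit(IOC_URL).hostname  # "gainmsg.com"
IOC_SHA256 = frozenset({
    "8559e535128805f1e31fa7a15b33d25ae498915c7b88ea5142cf38858d551a53",
    "f09be48aab38dc85b7ad46efb98897617af66014ded44a7cf1bddaab59d9dad2",
    "18bb95789e8727be0d98d9a5fce027f0f514e74192c7736b3afa297d2ee4a8fb",
    "070a97bf5bcba13c41266a79357e2a5b8d6f4e353db7427bd8ccabceee5c96e3",
    "892f1bd9663c7e14855a0238e0fbb5b2396000b3396ceda79947374a3da78912",
    "c9b96846c9a49ddbed9e143b098972e1d7880654f763bb504d2f7b5d2ab1dafb",
    "fb31df58549031f0ea24b250b214cbab9eafa39adaa715c675f328f7370904c7",
    "f6e5f7445b9ea717513a04d04acfa343025ca35302d025de33935e176a83f6ae",
    "0a8914b4f794ebc8ea1ce08dd4b5da918cd9697443007622100b0ba0731d428c",
})

# Field names used by the Gurucul queries above.
HASH_FIELDS = ("sha256hash",)
URL_FIELDS = ("domainname", "url", "siteurl")


def hash_hit(value):
    """Query 2 equivalent: True if value is one of the listed SHA-256 hashes.
    Comparison is case-insensitive and tolerates surrounding whitespace."""
    return isinstance(value, str) and value.strip().lower() in IOC_SHA256


def url_hit(value):
    """Query 1 equivalent, generalised to the host.
    Returns 'url' for an exact match on the C2 URL, 'host' when only the
    hostname matches (different path or scheme), and None otherwise."""
    if not isinstance(value, str) or not value.strip():
        return None
    text = value.strip()
    # Bare hostnames (as seen in DNS logs) carry no scheme; prefix '//' so
    # urlsplit parses them as a netloc instead of a path.
    try:
        parts = urlsplit(text if "://" in text else "//" + text)
    except ValueError:  # malformed input such as an unbalanced IPv6 literal
        return None
    if (parts.hostname or "").lower() != IOC_HOST:
        return None
    return "url" if text.lower() == IOC_URL else "host"


def scan_events(events):
    """Run both checks over a list of event dicts.
    Each finding is (event id, query label, field name, detail)."""
    findings = []
    for ev in events:
        for field in HASH_FIELDS:
            if hash_hit(ev.get(field)):
                findings.append((ev.get("id"), "Query2", field, ev[field].strip().lower()))
        for field in URL_FIELDS:
            kind = url_hit(ev.get(field))
            if kind:
                findings.append((ev.get("id"), "Query1", field, kind))
    return findings


# Constructed sample events; these are not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "sha256hash": "8559E535128805F1E31FA7A15B33D25AE498915C7B88EA5142CF38858D551A53"},
    {"id": 2, "url": "https://gainmsg.com/nfront.php"},
    {"id": 3, "domainname": "gainmsg.com"},
    {"id": 4, "url": "http://gainmsg.com/other.php"},
    {"id": 5, "sha256hash": "0" * 64, "siteurl": "https://example.com/"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Events 1 to 4 produce one finding each (event 3 and 4 only as host-level matches), while event 5 produces none. In a production pipeline the IOC set would be loaded from a feed rather than hard-coded, but the normalisation and host-level matching are the parts worth keeping.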

    Reference:

    https://www.cyderes.com/howler-cell/oniondrop-malware-analysis


    Tags

    Malware, DLL Sideloading, Shellcode, Infostealer, Vidar, Loaders, Credential Theft

