
TRAC Labs has released an in-depth report on LegionLoader, a downloader malware that has evolved significantly since it first appeared in 2019. The malware, also tracked as Satacom, RobotDropper, and CurlyGate, is a staging tool: its own job is to land on a host, evade analysis, and pull down whatever secondary payloads its operators are currently selling or renting access for.
LegionLoader is primarily written in C/C++ and has been observed deploying an array of malicious tools, including Chrome extensions like CursedChrome. These extensions can transform compromised browsers into HTTP proxies, enabling attackers to browse the web authenticated as the victim. TRAC Labs highlighted that the malware can “capture screenshots of the visible tab in Chrome and manage requests to access and update balances for Facebook, Coinbase, and Google Pay accounts.”
Since August 2024, LegionLoader has been distributing information stealers such as LummaC2, Rhadamanthys, and StealC. The initial infection vector is drive-by download: users are tricked into fetching fake installers hosted on file-sharing platforms such as RapidShare and MEGA, and those installers deliver the loader.
LegionLoader employs multiple layers of encryption and obfuscation to evade detection. As noted in the analysis, “The RC4 key is generated based on the calculations of the immediate constants and the registry key value.” This key decrypts the malware’s payload, which is then injected into a legitimate process such as explorer.exe by process hollowing: the legitimate binary is started in a suspended state, its image is unmapped from memory, the decrypted payload is written in its place, and the thread is resumed so the payload runs under the trusted process name. Because the key depends partly on a registry value read at run time, the payload does not decrypt correctly when the sample is detonated on a host where that value is absent or different, which is one reason static unpacking of these samples is harder than the use of RC4 alone would suggest.
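The report describes the RC4 key derivation but the page does not reproduce it, so the following added example (written for this page, not code from TRAC Labs or the malware) implements only the part that is fully specified: RC4 key scheduling and keystream generation, the decryption of a payload blob once the key has been recovered, and the sanity check an analyst applies afterwards, namely that the plaintext starts with the `MZ` header of a PE file. The sample payload and key below are constructed for the example.

```python
"""RC4 unwrap of a loader payload plus the post-decryption sanity check.

Added example for this page; not code from the TRAC Labs report.  The real
sample derives the key from immediate constants and a registry value, which
is not reproduced here: the key is simply passed in.
"""
from typing import Iterator


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: permute S[0..255] under the key."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Pseudo-random generation algorithm: yield keystream bytes forever."""
    s = rc4_ksa(key)
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; RC4 is a stream cipher so both are XOR with keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap check that a decrypted buffer is a Windows executable: 'MZ' magic
    and a plausible e_lfanew offset pointing at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def unwrap_payload(key: bytes, encrypted: bytes) -> bytes:
    """Decrypt an RC4-protected payload and refuse anything that is not a PE.

    A wrong key (for example, a registry value that differs from the victim's)
    yields noise rather than a PE header, so the check fails loudly instead of
    handing garbage to the next stage of analysis."""
    plain = rc4_crypt(key, encrypted)
    if not looks_like_pe(plain):
        raise ValueError("decryption did not yield a PE image; wrong key?")
    return plain


# Constructed sample: a minimal PE-shaped buffer (MZ header, e_lfanew=0x40,
# 'PE\0\0' at 0x40) encrypted under a constructed key.  Not real malware data.
SAMPLE_KEY = b"\x13\x37\xc0\xde" + b"registry-value-example"
_fake_pe = bytearray(0x60)
_fake_pe[0:2] = b"MZ"
_fake_pe[0x3C:0x40] = (0x40).to_bytes(4, "little")
_fake_pe[0x40:0x44] = b"PE\x00\x00"
SAMPLE_PLAIN = bytes(_fake_pe)
SAMPLE_ENCRYPTED = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAIN)

if __name__ == "__main__":
    recovered = unwrap_payload(SAMPLE_KEY, SAMPLE_ENCRYPTED)
    print("recovered PE header:", recovered[:2], "e_lfanew =", hex(recovered[0x3C]))
```

The `looks_like_pe` check is the step worth keeping from this example: when the key derivation depends on host-specific input, a silent decryption with the wrong key is the common failure, and checking for the `MZ`/`PE\0\0` structure distinguishes "wrong key" from "decrypted but packed further".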
The malware’s configuration is highly customizable, allowing operators to select which payloads a given build delivers. TRAC Labs observed the loader using the Mersenne Twister algorithm to generate random filenames for its payloads, which are written, still encrypted, to temporary directories and decrypted only at execution time, so a disk scan of %TEMP% sees random names and opaque bytes rather than recognisable stealer binaries.
LegionLoader’s payloads target financial accounts and sensitive user data. Its malicious Chrome extensions can alter email content, withdraw cryptocurrency funds, and collect system information. LegionLoader also retrieves the decryption key material for Chrome credentials from the browser’s User Data folder: Chrome keeps the master key for its Login Data and Cookies databases in the Local State file, protected by Windows DPAPI under the logged-on user, so any code running as that user can recover it and decrypt the stored passwords and session cookies.
The report highlights LegionLoader’s use of API hammering to evade detection: the loader issues very large numbers of cheap, legitimate API calls in a loop, which burns through the execution budget of automated sandboxes before the real behaviour appears and buries the handful of meaningful calls in a trace of harmless noise. Additionally, the malware encrypts its communication with its command-and-control (C2) servers, reaching them through either hardcoded addresses or dynamically retrieved domains.

TRAC Labs has published a comprehensive list of indicators of compromise (IOCs) to aid defenders in identifying and mitigating LegionLoader infections.