LegionLoader exposed!

LegionLoader, also known as Satacom, CurlyGate, and RobotDropper, is an active downloader malware that has gained significant traction recently, amassing over 2,000 samples within weeks. The campaign appears to have started on December 19, 2024, with Brazil being the most affected country. The malware is delivered through drive-by downloads from insecure websites, often using the .monster TLD for malicious redirections. It employs anti-sandbox techniques and a multi-stage infection process: the initial MSI file extracts and executes a malicious DLL, which then downloads and executes a second-stage payload. The final payload communicates with command-and-control servers to potentially download additional malware.

Author: AlienVault

Related Tags: CurlyGate, Satacom, anti-sandbox, robotdropper, LegionLoader, T1102.002, T1055.002, drive-by download, multi-stage

Associated Indicators (SHA-256 file hashes):
A6B5759A273FD6DF4DCB0F5C82935B4B60A6F28BFB4D69B6C7C503C8614C39D0
F4F4DD8A1FCA44D6D7C78DA7DC5741B91250EABF8FAAE79604C786672EA2EFB8
4707B17284E0BDBB92D915E66A8FE4DFF18441C958A5230C786D5AF6FA05B4BD
3938E304DDB11DC02B514E10DAA2810BC91FD963E007F5BFBA789846E08C6B8E
1A43DA62D09A56F50E2797CFFB77001027461A6B5EF0713C63D96C60BF8ECADD
76CBE366EA370235DFEA2D72378F9D946E49370B4C7BAC58E99073E117062E1F
F1064A9546766A69B2DF901A0D9DF31D31B01C6507CF614EF3AB73F5869AF524
038CBE87C4DDB39E7C7ACCC95D221950D96F2ADB0649ACAAEA60258255C203A6
23F064DF01EE9EEDF9E1341185505B86148873CCC0A922C64BB085CEB5B091FC
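The summary above describes two things a defender can hunt for directly: the listed file hashes, and drive-by redirections through .monster hosts. The following Python is an added example written for this page, not AlienVault's or OTX's own tooling. It loads the SHA-256 indicators listed above, hashes files and matches them against that set, and scans proxy-style log lines for URLs whose host sits under the .monster TLD. The log format (timestamp, client IP, method, URL) and the hostnames in the sample lines are constructed for the example.

```python
import hashlib
from pathlib import Path
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# SHA-256 indicators exactly as listed on this page (stored uppercase).
LEGIONLOADER_SHA256 = {
    "A6B5759A273FD6DF4DCB0F5C82935B4B60A6F28BFB4D69B6C7C503C8614C39D0",
    "F4F4DD8A1FCA44D6D7C78DA7DC5741B91250EABF8FAAE79604C786672EA2EFB8",
    "4707B17284E0BDBB92D915E66A8FE4DFF18441C958A5230C786D5AF6FA05B4BD",
    "3938E304DDB11DC02B514E10DAA2810BC91FD963E007F5BFBA789846E08C6B8E",
    "1A43DA62D09A56F50E2797CFFB77001027461A6B5EF0713C63D96C60BF8ECADD",
    "76CBE366EA370235DFEA2D72378F9D946E49370B4C7BAC58E99073E117062E1F",
    "F1064A9546766A69B2DF901A0D9DF31D31B01C6507CF614EF3AB73F5869AF524",
    "038CBE87C4DDB39E7C7ACCC95D221950D96F2ADB0649ACAAEA60258255C203A6",
    "23F064DF01EE9EEDF9E1341185505B86148873CCC0A922C64BB085CEB5B091FC",
}

# The summary names .monster as the TLD used for the malicious redirections.
SUSPECT_TLD = ".monster"


def sha256_hex(data: bytes) -> str:
    """Return the uppercase SHA-256 hex digest of a byte string."""
    return hashlib.sha256(data).hexdigest().upper()


def match_hash(digest: str) -> bool:
    """True if a hex digest (any case, surrounding whitespace ignored) is a listed indicator."""
    return digest.strip().upper() in LEGIONLOADER_SHA256


def scan_files(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Hash each regular file and return (path, digest) pairs that match an indicator."""
    hits = []
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue  # skip directories and missing paths silently
        digest = sha256_hex(path.read_bytes())
        if match_hash(digest):
            hits.append((str(path), digest))
    return hits


def is_suspect_host(url: str) -> bool:
    """True if the URL's host is the .monster TLD itself or any subdomain of it."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == SUSPECT_TLD.lstrip(".") or host.endswith(SUSPECT_TLD)


def triage_proxy_log(lines: Iterable[str]) -> List[str]:
    """Return the URLs in 'timestamp client method url' log lines that hit a .monster host."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; nothing to parse
        url = fields[3]
        if is_suspect_host(url):
            flagged.append(url)
    return flagged


# Constructed proxy log lines; the hostnames are invented for this example.
SAMPLE_LOG = [
    "2024-12-20T10:00:00Z 10.0.0.5 GET https://www.example.com/index.html",
    "2024-12-20T10:00:03Z 10.0.0.5 GET https://dl-update.monster/setup.msi",
    "2024-12-20T10:00:04Z 10.0.0.7 GET https://monster.example.org/",
    "garbage line",
]

if __name__ == "__main__":
    for url in triage_proxy_log(SAMPLE_LOG):
        print("redirect to suspect TLD:", url)
    for path, digest in scan_files(["."]):
        print("indicator match:", path, digest)
```

The hostname check compares the parsed host rather than searching the raw URL for the string "monster", so a path or an unrelated domain such as monster.example.org does not produce a false positive; only hosts whose registered TLD is .monster are flagged.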