Intel Name: Evasive campaign pushing Legion Loader malware
Date of Scan: April 4, 2025
Impact: High
Summary: A stealthy web campaign is hijacking users’ clipboards to trick them into executing MSI files tied to Legion Loader malware. These MSI files are disguised as “Klio Verfair Tools,” a known alias for Legion Loader. The technique, known as “pastejacking” or “clipboard hijacking,” instructs users to paste malicious content into the Run window. The campaign evades detection through layered cloaking tactics, including Turnstile/CAPTCHA gates, disguised blog-like download pages, unique URLs per infection, and non-functional links outside the intended infection flow.