A newly identified loader campaign is drawing attention in the security community. It is built around a multi-stage loader tracked as OnionDrop, which is actively distributing payloads such as the well-known LegionLoader to a wide range of targets.
Technical Sophistication and Persistent Threat
OnionDrop has been operational since at least February 2026; researchers identified more than 645 unique malicious DLL samples over roughly 80 days. The campaign remains active as of the latest reporting, and security teams should treat it as an ongoing threat that warrants immediate defensive measures.
OnionDrop stands out not only for the payloads it delivers but for the technical sophistication of the loader itself. Researchers on the Howler Cell Threat Research Team at Cyderes have documented OnionDrop as a core component of a larger campaign framework that follows earlier operations such as the CGrabber infostealer and the Direct-sys loader.
Advanced Evasion Techniques
The danger is amplified by OnionDrop’s payload-agnostic design: it has been confirmed delivering several malware families, including LegionLoader (also tracked as CurlyGate), CGrabber, and Vidar Stealer. Running parallel infostealer operations through a single loader points to a well-organized threat actor that can keep several campaigns moving at once.
Security teams are advised to monitor the indicators of compromise associated with this campaign, block connections to the known C2 domain, and update endpoint detection rules to flag DLL sideloading involving Adobe-signed executables.
Unpacking the Attack Chain
The attack begins with a ZIP archive containing an Adobe-signed executable (originally named AcroBroker.exe) alongside malicious DLLs named sqlite.dll and codecstore384d.dll. The archive also carries a decoy file, data.bin, filled with random bytes to inflate the archive’s size and hinder analysis; oversized archives are routinely skipped or truncated by scanners and sandboxes with upload limits.
When the Adobe executable runs, it sideloads sqlite.dll, which in turn loads the primary malicious DLL. OnionDrop then passes through four unpacking stages that use techniques such as custom byte-pair decoding and AES-256-CBC decryption, engineered to frustrate both automated and manual analysis.
The final payload, LegionLoader, decrypts its configuration with RC4 and communicates with a command-and-control server at gainmsg[.]com/nfront[.]php, which is used for data exfiltration and command execution.
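Two points in that chain are worth seeing in working code: the static signals the lure archive gives away before anything runs, and the RC4 step an analyst reproduces when pulling the C2 out of the final payload. The script below is an added example written for this article, not code from Cyderes, from LegionLoader or from the campaign. The archive it builds is a constructed stand-in (fake MZ headers and seeded random filler, with only the member names taken from the write-up), the RC4 key and the JSON layout of the demo configuration are invented for the demo, and only the use of RC4 and the C2 path come from the reporting.

```python
import io
import json
import math
import random
import zipfile


# ---- Part 1: static triage of the lure archive -------------------------------------------

def build_demo_archive() -> bytes:
    """Constructed stand-in for the lure ZIP. None of these bytes are real samples."""
    rng = random.Random(2026)  # fixed seed so the demo is reproducible
    filler = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice/AcroBroker.exe", b"MZ" + b"\x00" * 1022 + b"fake signed host binary")
        zf.writestr("Invoice/sqlite.dll", b"MZ" + b"\x00" * 510 + b"fake sideloaded dll")
        zf.writestr("Invoice/codecstore384d.dll", b"MZ" + b"\x00" * 510 + b"fake second-stage dll")
        zf.writestr("Invoice/data.bin", filler)
    return buf.getvalue()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for random or encrypted data, far lower for code and text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_archive(zip_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Flag EXE/DLL co-location and near-random non-code members (padding or encrypted blobs)."""
    signals = {"exe_with_sidecar_dlls": [], "high_entropy_members": [], "members": []}
    by_dir = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ent = shannon_entropy(data)
            directory, _, name = info.filename.rpartition("/")
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            kinds = by_dir.setdefault(directory, {"exe": [], "dll": []})
            if ext in kinds:
                kinds[ext].append(info.filename)
            elif ent >= entropy_threshold:
                signals["high_entropy_members"].append(info.filename)
            signals["members"].append((info.filename, info.file_size, round(ent, 2)))
    for directory, kinds in by_dir.items():
        if kinds["exe"] and kinds["dll"]:
            signals["exe_with_sidecar_dlls"].append((directory, kinds["exe"], kinds["dll"]))
    return signals


# ---- Part 2: RC4 configuration recovery ----------------------------------------------------

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def try_decrypt_config(blob: bytes, key: bytes):
    """Decrypt with one key; accept the result only if it parses as a JSON object.

    Assumption: the demo config is JSON. A real extractor replaces this plausibility
    check with whatever structure the sample uses (magic bytes, length prefixes, ...).
    """
    try:
        cfg = json.loads(rc4(key, blob).decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return cfg if isinstance(cfg, dict) else None


def recover_config(blob: bytes, candidate_keys):
    """Try candidate keys (e.g. strings pulled from the unpacked binary) until one parses."""
    for key in candidate_keys:
        cfg = try_decrypt_config(blob, key)
        if cfg is not None:
            return key, cfg
    return None, None


# Constructed demo material: key, config layout and ciphertext are invented here.
DEMO_KEY = b"demo-config-key"
DEMO_CONFIG = {"c2": "gainmsg[.]com/nfront[.]php", "sleep": 30, "tag": "demo"}
DEMO_BLOB = rc4(DEMO_KEY, json.dumps(DEMO_CONFIG).encode("utf-8"))
CANDIDATE_KEYS = [b"AcroBroker", b"codecstore384d", b"sqlite", DEMO_KEY]

if __name__ == "__main__":
    print(triage_archive(build_demo_archive()))
    print(recover_config(DEMO_BLOB, CANDIDATE_KEYS))
```

The entropy threshold of 7.5 bits per byte is deliberately loose: compressed images and legitimately encrypted documents also score that high, so the filler signal is meant to be read together with the EXE-plus-DLL co-location, not on its own. The candidate-key loop mirrors how RC4 keys are usually recovered in practice, by trying strings and byte runs lifted from the unpacked binary until one produces a structurally valid configuration.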
Implications and Future Considerations
OnionDrop’s anti-analysis measures set it apart from standard commodity loaders. It assembles strings on the stack at runtime (stack strings), which defeats static string extraction, and floods execution with benign API calls (API hammering) to dilute behavioral traces and burn sandbox time. It also compares the system’s GPU name against a list of legitimate GPU strings and halts when no match is found, a check that typically trips in virtual machines and sandboxes with emulated display adapters.
The campaign’s evasion techniques, including execution of the final shellcode through a Windows thread pool callback rather than a direct thread-creation call, point to a long-term strategic investment by the threat actors. Security teams must remain vigilant and keep adapting their defenses as threats like this evolve.
