A newly identified loader campaign is raising serious concerns across the cybersecurity community.
Threat researchers have uncovered an active operation using a sophisticated multi-stage loader called OnionDrop, which is being used to deliver harmful payloads, including the well-known LegionLoader, to a broad range of victims at scale.
OnionDrop has been quietly operating since at least February 2026, with over 645 unique malicious DLL samples detected in roughly 80 days.
The campaign was still active at the time of publication, making it a persistent and growing threat that defenders need to take seriously right now.
What makes this loader stand out is not just the payloads it delivers, but the extraordinary level of technical sophistication packed into the loader itself.
Analysts from Cyderes, through their Howler Cell Threat Research Team, published a detailed breakdown of OnionDrop, identifying it as the third documented component in a broader campaign they have tracked since the CGrabber Infostealer and Direct-sys Loader operations.
Cyderes said in a report shared with Cyber Security News (CSN) that the evasion architecture built into OnionDrop rivals, and in some areas exceeds, what is typically seen in purpose-built nation-state tooling.
What makes this campaign particularly dangerous is the loader’s payload-agnostic design. OnionDrop has been confirmed delivering LegionLoader (also tracked as CurlyGate), CGrabber Infostealer, and Vidar Stealer across different campaign waves.
This points to a highly organized, high-tempo threat actor running multiple infostealer operations simultaneously with no real signs of slowing down.
Security teams should monitor for the indicators of compromise listed below, block connections to the identified C2 domain, and update endpoint detection rules to flag DLL sideloading from Adobe-signed executables that arrive inside ZIP archives.
OnionDrop Loader Campaign and gainmsg C2 Infrastructure
The attack chain begins with a ZIP archive containing a legitimate Adobe-signed executable (AcroBroker.exe, shipped in the archive as setup.exe) alongside two malicious DLL files named sqlite.dll and codecstore384d.dll.
The archive also contains a roughly 100 MB decoy file named data.bin, filled with random bytes to bloat the archive, a common way to push a sample past the upload size limits of sandboxes and scanners and to complicate analysis.
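A static triage script for this archive layout, added here as an example (it is not code from Cyderes or CSN): it unpacks a ZIP, flags the host executable plus the two sideloaded DLL names, measures the entropy of oversized members to spot a random-byte decoy like data.bin, and matches every member's SHA256 against the IoC table later in this article. The archive it builds is constructed for the demo from benign stand-ins; the 1 MiB decoy and the decoy_min_bytes threshold are placeholders for the real 100 MB file.

```python
"""Static ZIP triage for the OnionDrop delivery bundle.

Added example, not code from Cyderes or CSN. It flags the archive layout
described in the article (a host executable plus sqlite.dll /
codecstore384d.dll and a large random-byte decoy) and matches member
hashes against the article's SHA256 IoCs. build_sample() constructs a
benign stand-in archive so the script runs offline.
"""
import hashlib
import io
import math
import os
import zipfile
from collections import Counter

# Member names from the IoC table.
HOST_EXES = {"setup.exe", "acrobroker.exe"}
SIDELOAD_DLLS = {"sqlite.dll", "codecstore384d.dll"}

# SHA256 values from the IoC table (ZIPs, DLLs, loaders, final payloads).
KNOWN_SHA256 = {
    "8559e535128805f1e31fa7a15b33d25ae498915c7b88ea5142cf38858d551a53",
    "f09be48aab38dc85b7ad46efb98897617af66014ded44a7cf1bddaab59d9dad2",
    "18bb95789e8727be0d98d9a5fce027f0f514e74192c7736b3afa297d2ee4a8fb",
    "070a97bf5bcba13c41266a79357e2a5b8d6f4e353db7427bd8ccabceee5c96e3",
    "892f1bd9663c7e14855a0238e0fbb5b2396000b3396ceda79947374a3da78912",
    "c9b96846c9a49ddbed9e143b098972e1d7880654f763bb504d2f7b5d2ab1dafb",
    "fb31df58549031f0ea24b250b214cbab9eafa39adaa715c675f328f7370904c7",
    "f6e5f7445b9ea717513a04d04acfa343025ca35302d025de33935e176a83f6ae",
    "0a8914b4f794ebc8ea1ce08dd4b5da918cd9697443007622100b0ba0731d428c",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for random bytes, far lower for code or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_zip(blob: bytes, decoy_min_bytes: int = 1_000_000) -> dict:
    """Inspect one archive; the size threshold is a placeholder for the ~100 MB decoy."""
    findings = {
        "zip_sha256": hashlib.sha256(blob).hexdigest(),
        "ioc_hits": [], "host_exe": [], "sideload_dlls": [], "decoys": [],
    }
    if findings["zip_sha256"] in KNOWN_SHA256:
        findings["ioc_hits"].append(("<archive>", findings["zip_sha256"]))
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = os.path.basename(info.filename).lower()
            data = zf.read(info)
            digest = hashlib.sha256(data).hexdigest()
            if digest in KNOWN_SHA256:
                findings["ioc_hits"].append((info.filename, digest))
            if name in HOST_EXES and data[:2] == b"MZ":
                findings["host_exe"].append(info.filename)
            if name in SIDELOAD_DLLS:
                findings["sideload_dlls"].append(info.filename)
            # A padding decoy is large and nearly incompressible; sampling the
            # first 64 KiB keeps the entropy check cheap on very big members.
            if info.file_size >= decoy_min_bytes and shannon_entropy(data[:65536]) > 7.9:
                findings["decoys"].append(info.filename)
    findings["suspicious"] = bool(
        findings["ioc_hits"]
        or (findings["host_exe"] and findings["sideload_dlls"])
        or (findings["sideload_dlls"] and findings["decoys"])
    )
    return findings


def build_sample() -> bytes:
    """Constructed archive mirroring the reported layout; members are benign stand-ins."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"stand-in, not a real PE"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", fake_pe)
        zf.writestr("sqlite.dll", fake_pe)
        zf.writestr("codecstore384d.dll", fake_pe)
        zf.writestr("data.bin", os.urandom(1_048_576))  # 1 MiB stands in for 100 MB
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed control archive: an installer with no sidecar DLLs or decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", b"plain text, low entropy\n" * 100)
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("sample", build_sample()), ("control", build_benign_sample())):
        print(label, triage_zip(archive))
```

Hash matching only catches the exact samples in the table; the name-pair and decoy heuristics are what carry over to new waves, so tune decoy_min_bytes to the sizes seen in your own telemetry rather than the demo value.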
Once the Adobe executable runs, it sideloads sqlite.dll from the same directory, which in turn loads codecstore384d.dll, the primary malicious DLL.
From there, OnionDrop walks through four distinct unpacking stages: custom byte-pair decoding, Xpress Huffman decompression, AES-256-CBC decryption with rotating key material, and finally shellcode execution through Windows Thread Pool callback abuse, with the work item queued via TpPostWork.
Each stage is engineered to defeat both automated sandboxes and manual analyst review.
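The sideloading step at the head of this chain is the part defenders can see in endpoint telemetry. The following detection logic, added here as an example (not code from Cyderes, CSN or any EDR vendor), runs over constructed Sysmon Event ID 7 (Image loaded) records and generalizes the indicator: a known host executable loading an unsigned DLL from its own user-writable directory. The records are constructed for the demo as flat Key=Value strings; real Sysmon events are XML/EVTX, but Image, ImageLoaded, Signed, Signature and SignatureStatus are Sysmon's own field names. The trusted Adobe install paths are an assumption, not from the article.

```python
"""Detection logic for the OnionDrop sideloading step, run over sample
Sysmon Event ID 7 (Image loaded) records.

Added example, not code from Cyderes, CSN or any EDR vendor. The records
are constructed for the demo as flat Key=Value|Key=Value strings; real
Sysmon events arrive as XML/EVTX, but Image, ImageLoaded, Signed,
Signature and SignatureStatus are Sysmon's own field names.
"""
import ntpath

# Host executable and sideloaded DLL names from the IoC table.
KNOWN_HOSTS = {"setup.exe", "acrobroker.exe"}
KNOWN_DLLS = {"sqlite.dll", "codecstore384d.dll"}
# Where a properly installed Adobe binary would live (assumed, not from the article).
TRUSTED_DIRS = (r"c:\program files\adobe", r"c:\program files (x86)\adobe")
# User-writable locations where an extracted ZIP typically lands.
STAGING_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\", "\\desktop\\")

# Constructed records: 1 and 3 mimic the campaign, 2 and 4 are benign activity.
SAMPLE_RECORDS = [
    r"EventID=7|Image=C:\Users\alice\Downloads\Invoice\setup.exe"
    r"|ImageLoaded=C:\Users\alice\Downloads\Invoice\sqlite.dll"
    r"|Signed=false|SignatureStatus=Unavailable",
    r"EventID=7|Image=C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe"
    r"|ImageLoaded=C:\Windows\System32\kernel32.dll"
    r"|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"EventID=7|Image=C:\Users\alice\AppData\Local\Temp\7zO1F2A\setup.exe"
    r"|ImageLoaded=C:\Users\alice\AppData\Local\Temp\7zO1F2A\codecstore384d.dll"
    r"|Signed=false|SignatureStatus=Unavailable",
    r"EventID=7|Image=C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe"
    r"|ImageLoaded=C:\Program Files\Adobe\Acrobat DC\Acrobat\sidecar_signed.dll"
    r"|Signed=true|Signature=Adobe Inc.|SignatureStatus=Valid",
]


def parse_record(line: str) -> dict:
    """Turn a constructed 'Key=Value|Key=Value' record into a dict."""
    return dict(part.split("=", 1) for part in line.split("|") if "=" in part)


def classify(rec: dict) -> list:
    """Return the reasons a record is suspicious; an empty list means benign."""
    image, loaded = rec.get("Image", ""), rec.get("ImageLoaded", "")
    if not image or not loaded:
        return []
    host, dll = ntpath.basename(image).lower(), ntpath.basename(loaded).lower()
    host_dir, dll_dir = ntpath.dirname(image).lower(), ntpath.dirname(loaded).lower()
    loaded_unsigned = rec.get("Signed", "").lower() != "true"
    reasons = []
    if host in KNOWN_HOSTS and dll in KNOWN_DLLS:
        reasons.append("known_oniondrop_pair")        # exact campaign indicator
    if (dll_dir == host_dir and loaded_unsigned
            and not host_dir.startswith(TRUSTED_DIRS)):
        reasons.append("unsigned_sidecar_dll")        # generic sideload pattern
    if any(s in host_dir + "\\" for s in STAGING_DIRS):
        reasons.append("host_in_staging_dir")         # ran from an extracted ZIP
    return reasons


def hunt(lines) -> list:
    """Apply classify() to raw records; returns (process image, reasons) per hit."""
    hits = []
    for line in lines:
        rec = parse_record(line.strip())
        reasons = classify(rec)
        if reasons:
            hits.append((rec["Image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_RECORDS):
        print(image, "->", ", ".join(reasons))
```

In production, weight the three reasons differently: known_oniondrop_pair is a high-confidence match, unsigned_sidecar_dll is the behaviour that survives a rename of the DLLs, and host_in_staging_dir on its own fires for every program launched from Downloads and should only enrich the other two.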
The final payload, LegionLoader, decrypts its embedded configuration using RC4 and reaches out to its command-and-control server at gainmsg[.]com/nfront[.]php. This C2 infrastructure serves as the backbone through which stolen data and further instructions flow.
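The RC4 configuration step, as an added example rather than LegionLoader's own code: the script implements the RC4 primitive, decrypts a constructed configuration blob and defangs the recovered C2 URL into the hxxp / [.] form used in the IoC table. The key (SAMPLE_KEY), the blob layout (a little-endian length prefix followed by RC4 ciphertext of key=value pairs) and the config text are all assumptions made so the script runs offline; a real extractor still has to locate the key and blob inside the sample.

```python
"""RC4 decryption of an embedded configuration blob, the step the article
attributes to LegionLoader, plus defanging of the recovered C2 URL.

Added example, not LegionLoader's code or a Cyderes tool. The key, the
blob layout (little-endian u32 length followed by RC4 ciphertext of
'key=value;' pairs) and the config text are all constructed here so the
script runs offline. Only the RC4 primitive and the defang step carry over.
"""
import struct

SAMPLE_KEY = b"demo-key-not-real"   # constructed; not a key used by LegionLoader


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling (KSA) then keystream generation (PRGA). Symmetric."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # PRGA, keystream XORed into data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def extract_config(blob: bytes, key: bytes) -> dict:
    """Parse the constructed blob layout and return the config as a dict."""
    (length,) = struct.unpack_from("<I", blob, 0)
    plain = rc4(key, blob[4:4 + length]).decode("utf-8", errors="replace")
    return dict(p.split("=", 1) for p in plain.split(";") if "=" in p)


def defang(url: str) -> str:
    """Render a URL in the hxxp / [.] form used in the IoC table."""
    return url.replace("http", "hxxp", 1).replace("://", "[://]").replace(".", "[.]")


def build_sample_blob(key: bytes) -> bytes:
    """Constructed config blob; only the C2 path mirrors the article's IoC."""
    config = b"c2=https://gainmsg.com/nfront.php;ua=Mozilla/5.0;sleep=30"
    ct = rc4(key, config)
    return struct.pack("<I", len(ct)) + ct


if __name__ == "__main__":
    cfg = extract_config(build_sample_blob(SAMPLE_KEY), SAMPLE_KEY)
    for k, v in cfg.items():
        print(k, "=", defang(v) if k == "c2" else v)
```

Because RC4 is a plain XOR keystream, a wrong key decrypts to noise rather than failing loudly; checking that the output parses into the expected key=value shape (or starts with a known marker) is the practical sanity test when brute-forcing candidate keys.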
Researchers confirmed the same loader chain also delivered CGrabber Infostealer and Vidar Stealer in related campaign waves.
Nation-State-Grade Evasion in a Commoditized Loader
What separates OnionDrop from typical commodity loaders is the depth of its anti-analysis capabilities. The malware builds sensitive strings such as API names on the stack at runtime (stack strings), so they never appear in the binary's string table, and resolves the corresponding functions dynamically instead of importing them in readable form.
It also uses API hammering, a technique that floods sandbox traces with irrelevant API calls, making it much harder for automated systems to pinpoint actual malicious behavior.
Before executing its core logic, OnionDrop checks the system’s display device name against a hardcoded list of valid GPU strings such as INTEL, AMD, RADEON, and NVIDIA.
If the display device name matches none of those vendor strings, as is common for the generic virtual display adapters exposed by virtual machines and sandboxes, execution halts immediately. Environment awareness of this kind is more typical of targeted attack frameworks than of broadly distributed malware.
The final shellcode stage is a Donut-generated payload executed through the Windows Thread Pool: the loader allocates a work item with TpAllocWork, pointing its callback at the shellcode, and queues it with TpPostWork, so the payload runs on an existing pool worker thread rather than through a CreateThread or NtCreateThreadEx call from the loader's own code, which is where most endpoint tools collect thread-creation telemetry.
Rotating AES key material across execution stages adds further resistance against static analysis. Together, these techniques form a deeply engineered evasion stack that reflects clear and long-term operational investment from the threat actor behind this campaign.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| URL (C2) | hxxps[://]gainmsg[.]com/nfront[.]php | LegionLoader command-and-control endpoint |
| SHA256 | 8559e535128805f1e31fa7a15b33d25ae498915c7b88ea5142cf38858d551a53 | Initial malicious ZIP (1) |
| SHA256 | f09be48aab38dc85b7ad46efb98897617af66014ded44a7cf1bddaab59d9dad2 | Initial malicious ZIP (2) |
| SHA256 | 18bb95789e8727be0d98d9a5fce027f0f514e74192c7736b3afa297d2ee4a8fb | Malicious DLL module (1) |
| SHA256 | 070a97bf5bcba13c41266a79357e2a5b8d6f4e353db7427bd8ccabceee5c96e3 | Malicious DLL module (2) |
| SHA256 | 892f1bd9663c7e14855a0238e0fbb5b2396000b3396ceda79947374a3da78912 | OnionDrop Loader (1) |
| SHA256 | c9b96846c9a49ddbed9e143b098972e1d7880654f763bb504d2f7b5d2ab1dafb | OnionDrop Loader (2) |
| SHA256 | fb31df58549031f0ea24b250b214cbab9eafa39adaa715c675f328f7370904c7 | Final payload: CGrabber Infostealer |
| SHA256 | f6e5f7445b9ea717513a04d04acfa343025ca35302d025de33935e176a83f6ae | Final payload: LegionLoader (CurlyGate) |
| SHA256 | 0a8914b4f794ebc8ea1ce08dd4b5da918cd9697443007622100b0ba0731d428c | Final payload: Vidar Stealer |
| File Name | sqlite.dll | Malicious sideloaded DLL, initiates loader chain |
| File Name | codecstore384d.dll | Primary malicious DLL, executes OnionDrop logic |
| File Name | data.bin | Decoy binary used to inflate ZIP archive size |
| File Name | setup.exe / AcroBroker.exe | Legitimate Adobe-signed executable abused for DLL sideloading |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post New OnionDrop Loader Campaign Uses gainmsg C2 to Deliver LegionLoader Payloads appeared first on Cyber Security News.

