
New OnionDrop Loader Campaign Uses gainmsg C2 to Deliver LegionLoader Payloads

A newly identified loader campaign is raising serious concerns across the cybersecurity community.

Threat researchers have uncovered an active operation using a sophisticated multi-stage loader called OnionDrop, which is being used to deliver harmful payloads, including the well-known LegionLoader, to a broad range of victims at scale.

OnionDrop has been quietly operating since at least February 2026, with over 645 unique malicious DLL samples detected in just about 80 days.

The campaign was still active at the time of publication, making it a persistent and growing threat that defenders need to take seriously right now.

What makes this loader stand out is not just the payloads it delivers, but the extraordinary level of technical sophistication packed into the loader itself.

Analysts from Cyderes, through their Howler Cell Threat Research Team, published a detailed breakdown of OnionDrop, identifying it as the third documented component in a broader campaign they have tracked since the CGrabber Infostealer and Direct-sys Loader operations.

Cyderes said in a report shared with Cyber Security News (CSN) that the evasion architecture built into OnionDrop rivals, and in some areas exceeds, what is typically seen in purpose-built nation-state tooling.

What makes this campaign particularly dangerous is the loader’s payload-agnostic design. OnionDrop has been confirmed delivering LegionLoader (also tracked as CurlyGate), CGrabber Infostealer, and Vidar Stealer across different campaign waves.

This points to a highly organized, high-tempo threat actor running multiple infostealer operations simultaneously with no real signs of slowing down.

Security teams are encouraged to monitor for the known indicators of compromise tied to this campaign, block connections to the identified C2 domain, and ensure endpoint detection rules are updated to flag DLL sideloading behaviors involving Adobe-signed executables arriving inside ZIP archives.

OnionDrop Loader Campaign and gainmsg C2 Infrastructure

The attack chain begins with a ZIP archive containing a legitimate Adobe-signed executable, originally named AcroBroker.exe, alongside two malicious DLL files named sqlite.dll and codecstore384d.dll.

The archive also contains a 100MB decoy file named data.bin, filled with random bytes to artificially bloat the archive size and complicate analysis.

Overview of files within the malicious archive (Source – Cyderes)

Once the Adobe executable runs, it sideloads sqlite.dll, which then loads the primary malicious DLL.

From there, OnionDrop walks through four distinct unpacking stages: custom byte-pair decoding, Xpress Huffman decompression, AES-256-CBC decryption with rotating key material, and final shellcode execution through Thread Pool callback abuse via TpPostWork.

Each stage is engineered to defeat both automated sandboxes and manual analyst review.
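The packaging described above (a signed executable beside loader DLLs and a bloated random-byte decoy) is something a mail gateway or sandbox pre-filter can triage before any unpacking stage runs. The following is an added example, not code from Cyderes or the article: it scores a ZIP on the reported file names and on the entropy of oversized members, builds a constructed sample archive with dummy contents, and assumes Authenticode verification of the executable is handled by a separate tool.

```python
import io, math, os, zipfile

# Filenames reported for the OnionDrop archive in the write-up above.
SIDELOAD_DLLS = {"sqlite.dll", "codecstore384d.dll"}
DECOY_NAMES = {"data.bin"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: random filler approaches 8.0, code and text sit well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_archive(zip_bytes: bytes, decoy_min_size: int = 50_000_000) -> dict:
    """Flag the reported packaging: an EXE beside loader DLLs plus a large,
    high-entropy filler member. Authenticode checking of the EXE is assumed
    to be done by a separate tool and is not attempted here."""
    findings = {"exe_with_dlls": False, "known_loader_dlls": [], "bloat_decoys": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        base = {i.filename: i.filename.rsplit("/", 1)[-1].lower() for i in members}
        exes = [n for n, b in base.items() if b.endswith(".exe")]
        dlls = [b for b in base.values() if b.endswith(".dll")]
        findings["exe_with_dlls"] = bool(exes) and bool(dlls)
        findings["known_loader_dlls"] = sorted(d for d in dlls if d in SIDELOAD_DLLS)
        for info in members:
            if info.file_size >= decoy_min_size or base[info.filename] in DECOY_NAMES:
                # Sampling the first 64 KiB is enough to recognise random filler.
                with zf.open(info) as fh:
                    ent = shannon_entropy(fh.read(65536))
                if ent > 7.9:
                    findings["bloat_decoys"].append((info.filename, info.file_size, round(ent, 2)))
    findings["suspicious"] = findings["exe_with_dlls"] and bool(
        findings["known_loader_dlls"] or findings["bloat_decoys"])
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample with the reported layout; member contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AcroBroker.exe", b"MZ" + b"\x00" * 1024)
        zf.writestr("sqlite.dll", b"MZ" + b"\x00" * 512)
        zf.writestr("codecstore384d.dll", b"MZ" + b"\x00" * 512)
        zf.writestr("data.bin", os.urandom(262144))  # 256 KiB stands in for the 100 MB decoy
    return buf.getvalue()
```

Because the decoy check keys on entropy rather than on the name alone, a renamed filler file of the reported size still trips the size threshold.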

Dynamically loading a malicious DLL via sqlite.dll (Source – Cyderes)

The final payload, LegionLoader, decrypts its embedded configuration using RC4 and reaches out to its command-and-control server at gainmsg[.]com/nfront[.]php. This C2 infrastructure serves as the backbone through which stolen data and further instructions flow.

Attack chain (Source – Cyderes)

Researchers confirmed the same loader chain also delivered CGrabber Infostealer and Vidar Stealer in related campaign waves.

Nation-State-Grade Evasion in a Commoditized Loader

What separates OnionDrop from typical commodity loaders is the depth of its anti-analysis capabilities. The malware uses stack-string construction to hide sensitive function names, dynamically resolving them at runtime instead of storing them in readable form.

It also uses API hammering, a technique that floods sandbox traces with irrelevant API calls, making it much harder for automated systems to pinpoint actual malicious behavior.

LegionLoader C2 connection (Source – Cyderes)

Before executing its core logic, OnionDrop checks the system’s display device name against a hardcoded list of valid GPU strings such as INTEL, AMD, RADEON, and NVIDIA.

If the system appears to be a virtual environment or sandbox with a non-standard display adapter, execution halts immediately. This level of environment awareness is typically associated with targeted attack frameworks, not broadly distributed malware.

The final shellcode stage uses a Donut-generated payload and executes through the Windows Thread Pool via TpAllocWork callback abuse, a technique that bypasses the standard thread-creation telemetry that most security tools rely on.

Rotating AES key material across execution stages adds further resistance against static analysis. Together, these techniques form a deeply engineered evasion stack that reflects clear and long-term operational investment from the threat actor behind this campaign.

Indicators of Compromise (IoCs):

Type      | Indicator                                                          | Description
URL (C2)  | hxxps[://]gainmsg[.]com/nfront[.]php                               | LegionLoader command-and-control endpoint
SHA256    | 8559e535128805f1e31fa7a15b33d25ae498915c7b88ea5142cf38858d551a53   | Initial malicious ZIP (1)
SHA256    | f09be48aab38dc85b7ad46efb98897617af66014ded44a7cf1bddaab59d9dad2   | Initial malicious ZIP (2)
SHA256    | 18bb95789e8727be0d98d9a5fce027f0f514e74192c7736b3afa297d2ee4a8fb   | Malicious DLL module (1)
SHA256    | 070a97bf5bcba13c41266a79357e2a5b8d6f4e353db7427bd8ccabceee5c96e3   | Malicious DLL module (2)
SHA256    | 892f1bd9663c7e14855a0238e0fbb5b2396000b3396ceda79947374a3da78912   | OnionDrop Loader (1)
SHA256    | c9b96846c9a49ddbed9e143b098972e1d7880654f763bb504d2f7b5d2ab1dafb   | OnionDrop Loader (2)
SHA256    | fb31df58549031f0ea24b250b214cbab9eafa39adaa715c675f328f7370904c7   | Final payload: CGrabber Infostealer
SHA256    | f6e5f7445b9ea717513a04d04acfa343025ca35302d025de33935e176a83f6ae   | Final payload: LegionLoader (CurlyGate)
SHA256    | 0a8914b4f794ebc8ea1ce08dd4b5da918cd9697443007622100b0ba0731d428c   | Final payload: Vidar Stealer
File Name | sqlite.dll                                                         | Malicious sideloaded DLL, initiates loader chain
File Name | codecstore384d.dll                                                 | Primary malicious DLL, executes OnionDrop logic
File Name | data.bin                                                           | Decoy binary used to inflate ZIP archive size
File Name | setup.exe / AcroBroker.exe                                         | Legitimate Adobe-signed executable abused for DLL sideloading

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
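Inside a SIEM or TI platform the published indicator has to be refanged before it can be matched, and matching should be on the parsed hostname rather than by substring so that case changes, query strings, and look-alike domains are handled correctly. The code below is an added example, not part of the article or the Cyderes report; the proxy log lines are constructed and the client addresses are placeholders.

```python
import re
from urllib.parse import urlsplit

# C2 indicator exactly as published (defanged) in the IoC table above.
DEFANGED_C2 = "hxxps[://]gainmsg[.]com/nfront[.]php"

def refang(ioc: str) -> str:
    """Reverse the usual defanging conventions: hxxp, [://], [.], (.), [:]."""
    s = re.sub(r"^hxxp(s?)", r"http\1", ioc.strip(), flags=re.IGNORECASE)
    for old, new in (("[://]", "://"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        s = s.replace(old, new)
    return s

def ioc_host(defanged_url: str) -> str:
    """Hostname of a defanged URL, lower-cased by urlsplit."""
    return urlsplit(refang(defanged_url)).hostname or ""

# Constructed proxy log lines (not from the report): time client method url status.
SAMPLE_PROXY_LOG = """\
2026-04-02T09:14:03Z 10.20.5.17 GET https://www.example.com/ 200
2026-04-02T09:14:09Z 10.20.5.17 POST https://gainmsg.com/nfront.php 200
2026-04-02T09:15:41Z 10.20.5.42 GET https://cdn.example.net/lib.js 304
2026-04-02T09:16:02Z 10.20.5.17 POST https://GAINMSG.COM/nfront.php?id=1 200
2026-04-02T09:17:30Z 10.20.5.88 GET https://notgainmsg.com/ 200
"""

def find_c2_contacts(log_text: str, defanged_iocs: list[str]) -> list[tuple[str, str]]:
    """Return (client, url) for lines whose hostname equals an IoC host. Matching
    on the parsed host, not by substring, catches case and path/query variants
    while ignoring look-alike domains such as notgainmsg.com."""
    hosts = {ioc_host(i) for i in defanged_iocs}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname or ""
        if host in hosts:
            hits.append((parts[1], parts[3]))
    return hits
```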

The post New OnionDrop Loader Campaign Uses gainmsg C2 to Deliver LegionLoader Payloads appeared first on Cyber Security News.

Source: cybersecuritynews.com
