OnionDrop Loader Uses gainmsg C2 to Deliver LegionLoader, CGrabber, and Vidar Payloads
A new OnionDrop loader campaign is delivering infostealer and downloader payloads through a multi-stage DLL sideloading chain. The campaign has been linked to LegionLoader, also known as CurlyGate, as well as CGrabber Infostealer and Vidar Stealer.
Researchers say OnionDrop has been active since at least February 2026 and has produced more than 645 unique malicious DLL samples in roughly 80 days. A Cyderes Howler Cell post says the campaign remained active while serving multiple infostealer operations at once.
The campaign matters because OnionDrop is not a simple loader. It uses a legitimate Adobe-signed executable, malicious DLL sideloading, layered decoding, compression, encryption, anti-analysis checks, and in-memory payload execution to make detection harder.
OnionDrop starts with an Adobe-signed executable and malicious DLLs
The infection chain begins with a ZIP archive that contains a legitimate Adobe-signed executable, originally named AcroBroker.exe, alongside malicious DLL files named sqlite.dll and codecstore384d.dll. The archive also includes a large decoy file named data.bin to increase the archive size and complicate automated inspection.
When the executable runs, it loads sqlite.dll from the same folder. That DLL then loads the main malicious module, which starts OnionDrop’s unpacking chain. This technique abuses normal Windows DLL loading behavior rather than relying on a traditional exploit.
The HijackLibs entry for sqlite.dll specifically lists Adobe’s AcroBroker.exe as an executable that can load sqlite.dll from a user-writable folder, making it useful for defensive hunting.
| File or component | Role in the campaign |
|---|---|
| AcroBroker.exe | Legitimate Adobe-signed executable abused for DLL sideloading |
| sqlite.dll | Malicious sideloaded DLL that starts the loader chain |
| codecstore384d.dll | Primary malicious DLL that runs OnionDrop logic |
| data.bin | Large decoy file used to inflate the ZIP archive size |
| gainmsg[.]com/nfront[.]php | LegionLoader command-and-control endpoint observed in the campaign |
The loader uses four unpacking stages before payload execution
OnionDrop stands out because its loader chain adds several layers before the final malware runs. Reports tied to Cyderes research describe custom byte-pair decoding, Xpress Huffman decompression, AES-256-CBC decryption with rotating key material, and final shellcode execution.
A GBHackers report based on Howler Cell findings says the final payloads include LegionLoader, CGrabber Infostealer, and Vidar Stealer. LegionLoader samples were observed contacting gainmsg[.]com.
The loader’s design helps the operator swap payloads between campaign waves. That makes OnionDrop useful as a delivery framework rather than a one-purpose malware family.
- Custom byte-pair decoding rebuilds encoded data.
- Xpress Huffman decompression expands the next stage.
- AES-256-CBC decryption uses rotating or assembled key material.
- Shellcode execution runs the next payload in memory.
OnionDrop uses anti-analysis checks to avoid sandboxes
The loader performs environment checks before executing its main logic. One important check looks at display device names and compares them against expected GPU-related strings such as Intel, AMD, Radeon, NVIDIA, GeForce, RTX, GTX, Arc, and Quadro.
If the system looks like a sandbox or virtual analysis environment, the loader can stop before revealing more behavior. This makes automated malware analysis less reliable because the most important stages may never execute in a lab environment.
Broadcom’s OnionDrop loader malware bulletin also describes the campaign as a malicious DLL sideloading chain connected to more than 645 samples, showing that multiple security vendors are now tracking the threat.
| Technique | Purpose | Defensive focus |
|---|---|---|
| DLL sideloading | Runs malicious code through a trusted executable | Monitor DLL loads from unexpected user-writable paths |
| Stack-string construction | Hides readable strings from static scanners | Use behavioral and memory-based detection |
| GPU string checks | Avoids sandbox and virtual environments | Hunt for execution that stops after environment checks |
| API hammering | Creates noisy telemetry to hide key actions | Correlate high API volume with suspicious process behavior |
| Thread Pool callback execution | Runs shellcode without standard thread-creation patterns | Track memory allocation and callback abuse |
LegionLoader, CGrabber, and Vidar show the campaign’s flexibility
OnionDrop has been observed delivering different malware families across related waves. LegionLoader is a known downloader also tracked as CurlyGate. Vidar is a widely used infostealer, while CGrabber is tied to previous Howler Cell research into a stealthy multi-stage malware chain.
Cyderes previously documented a Direct-Sys Loader and CGrabber Stealer campaign that used multi-stage execution, sandbox checks, cryptographic routines, and extensive credential theft. OnionDrop appears to continue that broader development path with a newer delivery layer.

This matters for defenders because blocking one final payload may not stop the loader. A payload-agnostic loader can deliver a different stealer, downloader, or secondary framework when the operator changes objectives.
Why DLL sideloading remains effective
DLL sideloading works because many Windows applications load supporting libraries from local folders. If an attacker places a malicious DLL with the expected name beside a trusted executable, the trusted executable may load the attacker’s file.
MITRE tracks this behavior under Hijack Execution Flow: DLL Search Order Hijacking. The technique lets attackers hide behind legitimate signed binaries and can bypass weaker application allowlisting rules that trust the executable but not the loaded library.
In this campaign, the trusted executable gives the attack a cleaner first impression. Security teams should therefore inspect both the executable and the DLLs loaded from its working directory, especially when the files arrive together in a downloaded archive.
- Block or quarantine ZIP files that bundle signed executables with unexpected DLLs.
- Alert when AcroBroker.exe loads sqlite.dll from outside expected Adobe directories.
- Inspect large archives that include random-looking decoy files.
- Monitor new DLL execution from Downloads, Temp, Desktop, and other user-writable folders.
- Track outbound traffic to suspicious domains after unusual DLL loads.
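The archive-level checks in the list above can be scripted. The following is an added example written for this article, not code from Cyderes, Broadcom or any other source cited here: it triages a ZIP for the reported bundle shape (an executable beside DLLs with a known sideload pairing, plus an oversized non-executable decoy) and compares the archive hash against the two ZIP hashes in the IoC table below. The 80% decoy threshold, the verdict tiers, and the sample archives are constructed; the only sideload pairing in the table is the AcroBroker.exe/sqlite.dll one from the article.

```python
"""Triage a ZIP archive for an OnionDrop-style bundle: an executable, sibling
DLLs it is known to sideload, and an oversized decoy file. Added example,
not code from the article; thresholds and sample archives are constructed."""
import hashlib
import io
import os
import posixpath
import zipfile

# Executable -> DLL names it is known to sideload. Only the AcroBroker.exe /
# sqlite.dll pairing comes from the article; extend from HijackLibs as needed.
KNOWN_SIDELOAD_PAIRS = {
    "acrobroker.exe": {"sqlite.dll"},
}

# SHA-256 values the article lists for the initial malicious ZIP samples.
KNOWN_ARCHIVE_HASHES = {
    "8559e535128805f1e31fa7a15b33d25ae498915c7b88ea5142cf38858d551a53",
    "f09be48aab38dc85b7ad46efb98897617af66014ded44a7cf1bddaab59d9dad2",
}

CODE_EXTENSIONS = {".exe", ".dll"}
DECOY_SHARE = 0.80  # constructed threshold: one non-code file holding >= 80% of bytes


def triage_zip(data: bytes) -> dict:
    """Return a verdict and the findings that produced it for one ZIP blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]

    # Group members by directory so an .exe is only paired with DLLs that
    # would sit in its own folder during search-order resolution.
    by_dir = {}
    for info in infos:
        directory, name = posixpath.split(info.filename)
        by_dir.setdefault(directory, []).append(name.lower())

    known_pair = bundle = False
    for directory, names in by_dir.items():
        exes = [n for n in names if n.endswith(".exe")]
        dlls = [n for n in names if n.endswith(".dll")]
        if exes and dlls:
            bundle = True
            findings.append(f"exe+dll bundle in '{directory or '.'}': {exes} with {dlls}")
        for exe in exes:
            hits = KNOWN_SIDELOAD_PAIRS.get(exe, set()) & set(dlls)
            if hits:
                known_pair = True
                findings.append(f"known sideload pair: {exe} -> {sorted(hits)}")

    # Only look for padding when code is present: a single non-executable
    # member dominating the uncompressed size matches the data.bin trick.
    decoy = False
    has_code = any(os.path.splitext(i.filename.lower())[1] in CODE_EXTENSIONS for i in infos)
    total = sum(i.file_size for i in infos) or 1
    if has_code:
        for info in infos:
            ext = os.path.splitext(info.filename.lower())[1]
            share = info.file_size / total
            if ext not in CODE_EXTENSIONS and share >= DECOY_SHARE:
                decoy = True
                findings.append(f"possible decoy: {info.filename} is {share:.0%} of content")

    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_ARCHIVE_HASHES:
        findings.append("archive hash matches published OnionDrop IoC")

    if digest in KNOWN_ARCHIVE_HASHES or known_pair:
        verdict = "high"
    elif bundle and decoy:
        verdict = "medium"
    elif findings:
        verdict = "low"
    else:
        verdict = "clean"
    return {"sha256": digest, "verdict": verdict, "findings": findings}


def build_sample_archive() -> bytes:
    """Constructed stand-in for the reported bundle; members are inert padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AcroBroker.exe", b"MZ" + b"\x00" * 4096)
        zf.writestr("sqlite.dll", b"MZ" + b"\x00" * 2048)
        zf.writestr("codecstore384d.dll", b"MZ" + b"\x00" * 2048)
        zf.writestr("data.bin", os.urandom(512 * 1024))  # incompressible filler
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed contrast case: documents only, no executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n" + b"x" * 1000)
        zf.writestr("notes.txt", b"quarterly summary")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        result = triage_zip(blob)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

Run it on a mail-gateway or download-quarantine feed by passing each archive's bytes to `triage_zip`. The pairing table is the part worth maintaining: the directory grouping means a DLL only counts against an executable that would actually find it first in search-order resolution, which keeps archives that merely ship an installer and unrelated libraries out of the high tier.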
The gainmsg C2 link gives defenders a clear network signal
LegionLoader samples tied to the campaign were observed contacting the gainmsg command-and-control path. Defenders can use this as one signal in DNS, proxy, EDR, and firewall telemetry.
Network indicators alone are not enough because threat actors can change domains quickly. However, combining gainmsg-related alerts with process lineage, DLL sideloading events, and downloaded archive metadata gives security teams a stronger detection path.

The Cyderes post says OnionDrop delivery remained active while supporting multiple infostealer campaigns. That makes recurring hunting important, not just one-time blocking.
Indicators of compromise
The following indicators were reported in public coverage of the OnionDrop campaign. Domains are defanged for safer handling.
| Type | Indicator | Description |
|---|---|---|
| URL path | gainmsg[.]com/nfront[.]php | LegionLoader command-and-control endpoint |
| SHA-256 | 8559e535128805f1e31fa7a15b33d25ae498915c7b88ea5142cf38858d551a53 | Initial malicious ZIP sample |
| SHA-256 | f09be48aab38dc85b7ad46efb98897617af66014ded44a7cf1bddaab59d9dad2 | Initial malicious ZIP sample |
| SHA-256 | 18bb95789e8727be0d98d9a5fce027f0f514e74192c7736b3afa297d2ee4a8fb | Malicious DLL module |
| SHA-256 | 070a97bf5bcba13c41266a79357e2a5b8d6f4e353db7427bd8ccabceee5c96e3 | Malicious DLL module |
| SHA-256 | 892f1bd9663c7e14855a0238e0fbb5b2396000b3396ceda79947374a3da78912 | OnionDrop loader sample |
| SHA-256 | c9b96846c9a49ddbed9e143b098972e1d7880654f763bb504d2f7b5d2ab1dafb | OnionDrop loader sample |
| SHA-256 | fb31df58549031f0ea24b250b214cbab9eafa39adaa715c675f328f7370904c7 | CGrabber Infostealer payload |
| SHA-256 | f6e5f7445b9ea717513a04d04acfa343025ca35302d025de33935e176a83f6ae | LegionLoader or CurlyGate payload |
| SHA-256 | 0a8914b4f794ebc8ea1ce08dd4b5da918cd9697443007622100b0ba0731d428c | Vidar Stealer payload |
| File name | sqlite.dll | Malicious sideloaded DLL |
| File name | codecstore384d.dll | Primary malicious DLL |
| File name | data.bin | Decoy file used to inflate archive size |
| File name | setup.exe / AcroBroker.exe | Legitimate Adobe-signed executable abused for sideloading |
How security teams can detect OnionDrop activity
Security teams should treat this campaign as a behavior-hunting problem, not only an IoC-matching problem. The hashes and gainmsg endpoint help, but the loader’s design means new samples can appear quickly.
The HijackLibs detection guidance recommends hunting for sqlite.dll loads from unexpected locations. That is directly relevant because OnionDrop’s archive places the malicious DLL beside the abused Adobe executable.
The Broadcom protection bulletin gives defenders another reference point for identifying OnionDrop-related activity and building detection coverage around the loader campaign.
- Monitor AcroBroker.exe execution from temporary or user download locations.
- Flag sqlite.dll loaded outside normal Adobe installation paths.
- Inspect ZIP archives that contain both a signed executable and local DLLs.
- Detect unusual Thread Pool callback execution following suspicious memory allocation.
- Watch for WinHTTP traffic from processes launched from extracted archives.
- Correlate gainmsg-related network activity with recent archive execution.
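The correlation the article recommends (combining a gainmsg-related network hit with process lineage and a sideload event rather than alerting on the domain alone) can be expressed over endpoint telemetry. The following is an added example written for this article, not code from Cyderes, Broadcom or HijackLibs: it walks Sysmon-style events (EventID 1 process create, 7 image load, 22 DNS query), raises per-process signals for the checks in the list above, and grades severity by how many independent signals one process produced. The events, the user-writable path markers, and the Adobe install prefixes are constructed; the gainmsg[.]com domain is kept defanged as on the page and refanged only at match time.

```python
"""Correlate Sysmon-style endpoint events into OnionDrop-related alerts.
Added example, not code from the article. Field names follow Sysmon
(EventID, Image, ImageLoaded, QueryName, ProcessGuid); events are constructed."""
import ntpath
from collections import defaultdict

# Constructed: where a legitimate Acrobat install is expected to live.
ADOBE_INSTALL_DIRS = (
    "c:\\program files\\adobe\\",
    "c:\\program files (x86)\\adobe\\",
)
# Constructed: path fragments treated as user-writable; extend per environment.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\desktop\\", "\\temp\\", "\\appdata\\local\\")
# Kept defanged as in the article; refanged only for comparison with telemetry.
C2_DOMAINS = {"gainmsg[.]com".replace("[.]", ".")}


def is_adobe_path(path: str) -> bool:
    return path.lower().startswith(ADOBE_INSTALL_DIRS)


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def evaluate_events(events: list) -> list:
    """Return one alert per process that produced at least one signal."""
    signals = defaultdict(list)
    images = {}
    for ev in events:
        guid = ev["ProcessGuid"]
        image = ev.get("Image", "")
        images.setdefault(guid, image)
        exe = ntpath.basename(image).lower()
        if ev["EventID"] == 1:
            # Process create: AcroBroker.exe launched from a download/temp location.
            if exe == "acrobroker.exe" and is_user_writable(image):
                signals[guid].append("acrobroker_started_from_user_writable_path")
        elif ev["EventID"] == 7:
            # Image load: sqlite.dll resolved from somewhere other than an Adobe install.
            loaded = ev["ImageLoaded"]
            if (exe == "acrobroker.exe"
                    and ntpath.basename(loaded).lower() == "sqlite.dll"
                    and not is_adobe_path(loaded)):
                signals[guid].append("sqlite_dll_loaded_outside_adobe_dirs")
        elif ev["EventID"] == 22:
            # DNS query: lookup of the published C2 domain by the same process.
            if ev["QueryName"].lower().rstrip(".") in C2_DOMAINS:
                signals[guid].append("dns_query_to_known_c2")

    alerts = []
    for guid, sigs in signals.items():
        sideload = "sqlite_dll_loaded_outside_adobe_dirs" in sigs
        c2 = "dns_query_to_known_c2" in sigs
        if sideload and c2:
            severity = "high"      # sideload plus C2 contact from one process
        elif sideload or c2:
            severity = "medium"    # one strong signal, worth an analyst look
        else:
            severity = "low"       # launch location alone
        alerts.append({"process_guid": guid, "image": images[guid],
                       "severity": severity, "signals": sigs})
    return alerts


# Constructed telemetry: one legitimate Acrobat process and one extracted-archive run.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "{A}",
     "Image": "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AcroBroker.exe",
     "ImageLoaded": "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\sqlite.dll"},
    {"EventID": 1, "ProcessGuid": "{B}",
     "Image": "C:\\Users\\alice\\Downloads\\invoice\\AcroBroker.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{B}",
     "Image": "C:\\Users\\alice\\Downloads\\invoice\\AcroBroker.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\invoice\\sqlite.dll"},
    {"EventID": 22, "ProcessGuid": "{B}",
     "Image": "C:\\Users\\alice\\Downloads\\invoice\\AcroBroker.exe",
     "QueryName": "gainmsg[.]com".replace("[.]", ".")},
]

if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], alert["signals"])
```

The point of keying everything on ProcessGuid is the one the article makes: a DNS hit for the C2 domain on its own is a weak, easily rotated indicator, while the same process having loaded sqlite.dll from a Downloads folder moments earlier turns it into a high-confidence alert. The legitimate Acrobat process in the sample produces no alert at all, because its sqlite.dll resolves from the install directory.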
OnionDrop shows commodity malware is getting more evasive
OnionDrop’s main lesson is that commodity malware delivery is becoming more technically polished. Techniques once associated with advanced intrusion tooling now appear in campaigns that distribute common stealers at scale.
The earlier Cyderes Direct-Sys Loader research already showed a malware chain built around sideloading, anti-analysis checks, and credential theft. OnionDrop adds a new loader layer that increases the campaign’s flexibility.
The GBHackers coverage also notes that the loader can hand off execution through multiple stages before the final stealer runs. That creates more places for defenders to look, but it also means security tools need strong behavioral visibility.
Organizations should update endpoint detection rules, block known infrastructure, monitor DLL sideloading patterns, and educate users about archives that bundle executable files with extra DLLs. OnionDrop’s payloads may change, but its abuse of trusted executables and staged loading gives defenders several practical hunting paths.
The MITRE ATT&CK technique page also reinforces why defenders should monitor search-order hijacking and signed-binary abuse. When attackers use legitimate executables as loaders, the surrounding files and behavior often reveal the attack before the final payload completes.
FAQ
OnionDrop is a multi-stage malware loader used to deliver payloads such as LegionLoader, CGrabber Infostealer, and Vidar Stealer. It uses DLL sideloading, anti-analysis checks, layered decryption, and in-memory execution to avoid detection.
The campaign begins with a ZIP archive containing a legitimate Adobe-signed executable, malicious DLL files named sqlite.dll and codecstore384d.dll, and a large decoy file named data.bin. Running the executable starts the DLL sideloading chain.
Public reporting links OnionDrop to LegionLoader, also known as CurlyGate, as well as CGrabber Infostealer and Vidar Stealer. Its payload-agnostic design lets operators swap final malware across campaign waves.
The gainmsg[.]com/nfront[.]php endpoint was reported as a LegionLoader command-and-control path observed in the OnionDrop campaign. Defenders can use it as one network indicator alongside process and DLL-loading telemetry.
Defenders should monitor AcroBroker.exe execution from user-writable folders, sqlite.dll loads outside normal Adobe paths, ZIP files that bundle signed executables with DLLs, suspicious Thread Pool callback execution, and outbound traffic to known OnionDrop infrastructure.