New OnionDrop Loader Campaign Uses gainmsg C2 to Deliver LegionLoader Payloads
A sophisticated multi-stage loader campaign dubbed OnionDrop has been active since February 2026, delivering LegionLoader, CGrabber Infostealer, and Vidar Stealer via a gainmsg C2 server.

A newly identified loader campaign is drawing serious attention from the cybersecurity community. Threat researchers have uncovered an active operation that uses a sophisticated multi-stage loader called OnionDrop to deliver malicious payloads, including the well-known LegionLoader, to a broad range of victims at scale. OnionDrop has been operating quietly since at least February 2026, with over 645 unique malicious DLL samples detected in roughly 80 days. The campaign was still active at the time of publication, making it a persistent and growing threat that defenders need to address now.
What makes this loader stand out is not just the payloads it delivers, but the extraordinary level of technical sophistication packed into the loader itself. Analysts from Cyderes, through their Howler Cell Threat Research Team, published a detailed breakdown of OnionDrop, identifying it as the third documented component of a broader campaign they have tracked through the earlier CGrabber Infostealer and Direct-sys Loader operations. Cyderes said in a report shared with Cyber Security News that the evasion architecture built into OnionDrop rivals, and in some areas exceeds, what is typically seen in purpose-built nation-state tooling.
The attack chain begins with a ZIP archive containing a legitimate Adobe-signed executable, originally named AcroBroker.exe, alongside two malicious DLL files named sqlite.dll and codecstore384d.dll. The archive also contains a 100MB decoy file named data.bin, filled with random bytes to artificially bloat the archive size and complicate analysis. Once the Adobe executable runs, it sideloads sqlite.dll, which then loads the primary malicious DLL. From there, OnionDrop walks through four distinct unpacking stages: custom byte-pair decoding, Xpress Huffman decompression, AES-256-CBC decryption with rotating key material, and final shellcode execution through Thread Pool callback abuse via TpPostWork.
What separates OnionDrop from typical commodity loaders is the depth of its anti-analysis capabilities. The malware uses stack-string construction to hide sensitive function names, dynamically resolving them at runtime instead of storing them in readable form. It also uses API hammering, a technique that floods sandbox traces with irrelevant API calls, making it much harder for automated systems to pinpoint actual malicious behavior. Before executing its core logic, OnionDrop checks the system's display device name against a hardcoded list of valid GPU strings such as INTEL, AMD, RADEON, and NVIDIA. If the system appears to be a virtual environment or sandbox with a non-standard display adapter, execution halts immediately.
The final payload, LegionLoader, decrypts its embedded configuration using RC4 and reaches out to its command-and-control server at gainmsg[.]com/nfront[.]php. This C2 infrastructure serves as the backbone through which stolen data and further instructions flow. Researchers confirmed the same loader chain also delivered CGrabber Infostealer and Vidar Stealer in related campaign waves. This points to a highly organized, high-tempo threat actor running multiple infostealer operations simultaneously with no real signs of slowing down.
Security teams are encouraged to monitor for the known indicators of compromise tied to this campaign, block connections to the identified C2 domain, and ensure endpoint detection rules are updated to flag DLL sideloading behaviors involving Adobe-signed executables arriving inside ZIP archives. Because the executable itself carries a legitimate Adobe signature, signature-based allowlisting alone will not stop the chain; the detectable step is a DLL such as sqlite.dll being loaded from the executable's own directory rather than from a system path. The campaign's payload-agnostic design and nation-state-grade evasion techniques make it a significant threat that requires immediate attention from defenders.
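As an added defensive example (not code from Cyderes or the report), the following Python triage check looks for archives shaped like the lure described above: an executable shipped with DLLs beside it, plus a large, incompressible padding file like data.bin. The size and entropy thresholds and the sample archive builder are assumptions made for illustration.

```python
import io
import math
import os
import zipfile
from collections import Counter

# Triage heuristic for archives laid out like the OnionDrop lure (added example).
# Thresholds below are assumptions for illustration, not figures from the report.

def shannon_entropy(data: bytes) -> float:
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def triage_archive(zip_bytes: bytes, padding_min_bytes: int = 50 << 20) -> dict:
    findings = {"sideload_candidates": [], "padding_files": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        by_dir: dict = {}
        for info in infos:
            folder, name = os.path.split(info.filename)
            by_dir.setdefault(folder, []).append(name.lower())
        for folder, names in by_dir.items():
            exes = [n for n in names if n.endswith(".exe")]
            dlls = [n for n in names if n.endswith(".dll")]
            if exes and dlls:  # executable shipped with its own DLLs next to it
                findings["sideload_candidates"].append({"dir": folder, "exe": exes, "dll": dlls})
        for info in infos:
            if info.file_size < max(padding_min_bytes, 1):
                continue
            # Random bytes do not deflate, so compressed size ~= stored size;
            # the entropy sample rules out a merely STORED but structured file.
            ratio = info.compress_size / info.file_size
            with zf.open(info) as fh:
                entropy = shannon_entropy(fh.read(4096))
            if ratio > 0.98 and entropy > 7.5:
                findings["padding_files"].append(
                    {"name": info.filename, "size": info.file_size, "entropy": round(entropy, 2)})
    findings["suspicious"] = bool(findings["sideload_candidates"] and findings["padding_files"])
    return findings

def build_sample_archive(padding_bytes: int) -> bytes:
    # Constructed stand-in for the lure layout: the 'MZ' stubs are not real
    # binaries and the decoy is scaled down from the reported 100MB.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AcroBroker.exe", b"MZ" + b"\x00" * 4096)
        zf.writestr("sqlite.dll", b"MZ" + b"\x00" * 2048)
        zf.writestr("codecstore384d.dll", b"MZ" + b"\x00" * 2048)
        zf.writestr("data.bin", os.urandom(padding_bytes))
    return buf.getvalue()
```

Lower the padding threshold when running against the scaled-down sample; against real archives the default catches decoys of tens of megabytes and above.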