A new Python-based credential harvester and hacking tool called Legion is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.

According to Cado Labs, Legion includes modules to enumerate vulnerable SMTP servers, conduct remote code execution (RCE) attacks, exploit unpatched versions of Apache, and brute-force cPanel and WebHost Manager (WHM) accounts.

The malware is said to bear similarities to another malware family called AndroxGh0st that was first documented by cloud security services provider Lacework in December 2022. Cybersecurity firm SentinelOne, in an analysis published late last month, revealed that AndroxGh0st is part of a comprehensive toolset called AlienFox that's offered to threat actors to steal API keys and secrets from cloud services.

"Legion appears to be part of an emerging generation of cloud-focused credential harvester/spam utilities," security researcher Matt Muir told The Hacker News. "Developers of these tools often steal each other's code, making attribution to a particular group difficult."

Besides using Telegram as a data exfiltration point, Legion is designed to exploit web servers running content management systems (CMS), PHP, or PHP-based frameworks like Laravel.

"It can retrieve credentials for a wide range of web services, such as email providers, cloud service providers, server management systems, databases, and payment platforms like Stripe and PayPal," Cado Labs said.

This new tool is yet another example of the ongoing arms race between hackers and cybersecurity professionals. As companies move more and more of their infrastructure and data to the cloud, hackers are following suit and developing new tools specifically for targeting cloud services. While the attribution of these tools is often difficult, what is clear is that the trend of cloud-focused hacking tools is only going to continue to grow. For companies, this means that they need to be vigilant in securing their cloud services and monitoring for any suspicious activity.