New Python-Based Malware “Legion” Includes AWS Credential Harvesting and SMTP Hijacking Capabilities

Researchers disclose technical details of new python-based malware, “Legion.”

On April 13, 2023, Cado Labs researchers reported the technical details of a new malware they dubbed “Legion.”

Context

According to the report, Legion is written in Python and includes credential harvesting and SMTP hijacking capabilities. Researchers reported that the tool is currently being sold on Telegram.

Technical Details

According to researchers, key features of Legion include modules dedicated to:

  • enumerating vulnerable SMTP servers,
  • conducting Remote Code Execution (RCE),
  • exploiting vulnerable versions of Apache,
  • brute-forcing cPanel and WebHost Manager (WHM) accounts,
  • interacting with Shodan’s API to retrieve a target list (providing you supply an API key) and
  • additional utilities, many of which involve abusing AWS services

Cado Labs researchers also assessed that Legion is related to a previously reported malware named AndroxGh0st.

Researchers also noted that as of their reporting time, no detections were available in VirusTotal for Legion.  However, there are currently multiple detections for both files analyzed in the report, legion[.]py (VT Detections here) and legion[.]py (variant) (VT detections here).

IOCs

Cado Labs researchers provided the following indicators of compromise (IOCs):

Indicator

Type

Notes

fcd95a68cd8db0199e2dd7d1ecc4b76265
32681b41654519463366e27f54e65a

SHA256

legion.py

42109b61cfe2e1423b6f78c093c3411989
838085d7e6a5f319c6e77b3cc462f3

SHA256

legion.py (variant)

More Recent Blog Posts

Executive Summary On 02 July 2026, SOCRadar researchers linked the financially-motivated campaign dubbed “FortiBleed” to the Ransom and Lynx ransomware operations, marking the...

Executive Summary On 19 June 2026, the threat group Icarus claimed to have compromised and exfiltrated data from customers of Klue, specifically the...

Executive Summary A report published by The Hacker News on 17 June 2026 detailed a software supply chain attack impacting 144 npm packages...