Legion, a Python-based credential harvester, is advertised as a tool that lets threat actors hack a range of online services. Although the discovered sample has not been flagged by any antivirus engine on VirusTotal, the hacking tool is identical to another malware family named AndroxGh0st.
According to Cado Labs, Legion's primary objective is to let attackers commandeer those services and weaponize the underlying infrastructure for further attacks, such as running large-scale spam campaigns and exploiting phishing opportunities. It uses Telegram chats to stealthily exfiltrate stolen data and is itself sold through the Telegram messenger. It is also built to take advantage of web servers running content management systems, PHP, or PHP-based frameworks such as Laravel.