December 9, 2023

Researchers have identified a tool dubbed as Legion that can scan Shodan to identify misconfigured cloud servers and then take over SMTP email marketing programs or launch phishing campaigns.

Legion focuses on enumerating vulnerable SMTP servers, conducting remote code execution, and exploits vulnerable versions of Apache. The tool has been targeting 19 different cloud services, including AWS, PayPal, Stripe, and Twilio.


Legion can also send SMS text messages to launch mobile-based phishing and disinformation campaigns and has targeted 14 different telecoms, including AT&T, Sprint, T-Mobile, and Verizon.

Securing environment files from public exposure can protect from this tool. The file, in general, is a text file used to store credentials.

Researchers consider Legion an emerging generation of cloud-focused credential harvester utilities. These tool creator often steal each other’s code, making attribution to a particular group difficult.

Legion also bears some similarities to tools such as Andr0xGhost and AlienFox. These tools are often distributed via Telegram, and their features make them attractive to those wishing to conduct mass spam or phishing operations.


It’s important to note that the credentials being harvested in this case are potentially privileged API credentials. Attackers often look to get access to an API using credentials or tokens obtained through nefarious means. Once they gain the valid privileged credential or token, the attacker can leverage the API to exfiltrate data or compromise a service.

This research was documented by researchers from Cadio

1 thought on “Legion Abuses Cloud in its Attack

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.