legion

Also known aslegion

Legion is described in the provided content in two contexts: as a cloud infostealer/cloud attack tool family, and as a pro-Russian criminal or hacktivist group linked to disruptive activity. In the malware context, Legion is grouped with AlienFox, GreenBot, and Predator as a cloud attack tool or malware family that shares Androxgh0st-derived code. It is characterized as a cloud infostealer with functional and design similarities to FBot, and the content assesses that the Legion maintainer may have adapted code from FBot. Related samples reportedly used the robertkalinkin.com website to authenticate PayPal API requests. In the geopolitical context, the content mentions a 'Legion Hacktivist Group' and states that Norway's National Security Authority previously linked a pro-Russian group known as Legion to DDoS attacks that disrupted important websites and online services. Based on the provided content alone, Legion is associated with cloud credential theft/account abuse tooling and, separately, with pro-Russian disruptive DDoS activity; the relationship between these references is not established in the source material.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Software & Services
Financial Services

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

sentinelone labsNews

May 7, 2026

Exploring FBot | Python-Based Malware Targeting Cloud and Payment Services | SentinelOne

Cloud infostealer related to FBot, sharing similar functionality for scraping URLs for PHP configuration and targeting cloud/service credentials.

bleeping computerNews

Dec 19, 2025

Denmark blames Russia for destructive cyberattack on water utility

Legion is a pro-Russian criminal group known for conducting DDoS attacks against important websites and online services, disrupting operations as part of broader Russian-aligned cyber activities.

wikipedia cyber incidentsNews

Mar 18, 2026

Pages that link to "List of security hacking incidents" - Wikipedia

Legion Hacktivist Group

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.