Lokibot
LokiBot is a long-running information stealer and keylogger first advertised in May 2015 on an underground forum by actors using the nicknames "lokistov" and "carter." It remains active and widely used, and the source-code leak in 2018 led to multiple forks and modified variants, including versions with Android support, keylogging, and remote-access features. It has been prominent in cybercrime activity and was cited as one of the top banking trojan and information-stealer families in Asia and the South Pacific, one of the most prevalent malware families in public sandbox submissions, and a commonly used stealer in SilverTerrier-linked business email compromise operations.
Its primary function is credential theft. Reported targets include more than 100 applications, with theft from Chromium-, Firefox-, and Safari-based browsers; Windows OS credentials; email clients; FTP and SFTP clients; cryptocurrency wallets; password managers; and other applications. It can discover the username on the infected host, compress stolen data with aPLib, and exfiltrate it to command-and-control infrastructure over HTTP. LokiBot has also been observed initiating regular C2 communications, with C2 addresses stored in samples using 3DES encryption.
Observed delivery commonly relies on phishing and malspam attachments. Documented vectors include spearphishing emails carrying malicious XLS attachments and campaigns using heavily obfuscated JScript attachments executed by Windows Script Host. In the analyzed multi-stage chain, the JScript decodes a Base64 PowerShell stage, writes it to C:\Temp, and executes it; the PowerShell stage decrypts and reflectively loads a ConfuserEx-protected .NET injector; and the injector spawns and injects the final payload into aspnet_compiler.exe. LokiBot has also used PowerShell commands embedded in batch scripts, and one sample embedded the command "schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I" in a batch script. Social-engineering behavior includes prompting victims to click "Enable Content" in malicious email attachments to enable macros.
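The ancestry that chain leaves in endpoint telemetry is what a detection should key on. The following Python is an added example, not code from the page or from any report it summarizes: it walks constructed Sysmon-style process-creation events and flags a Windows Script Host process that spawns PowerShell, which in turn spawns aspnet_compiler.exe, and separately flags PowerShell launched with a script under C:\Temp. The event shape, PIDs, user name, install paths and the random script name are all constructed for the example.

```python
"""Flag the script-host -> PowerShell -> aspnet_compiler.exe ancestry in process events."""
import ntpath
from typing import Dict, List, Tuple

# Constructed events in a simplified Sysmon Event ID 1 shape; PIDs and paths are made up.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\h7q2kd.ps1"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe"},
    # Benign: a build server compiling a site from MSBuild also runs aspnet_compiler.exe.
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\MSBuild\msbuild.exe",
     "cmdline": "msbuild.exe site.csproj"},
    {"pid": 600, "ppid": 500,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe -v / -p C:\\inetpub\\site"},
]

# Acceptable image names for each link, ordered from the injected host back to the script host.
CHAIN_STAGES = (
    {"aspnet_compiler.exe"},
    {"powershell.exe", "pwsh.exe"},
    {"wscript.exe", "cscript.exe"},
)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, so matching ignores the install directory."""
    return ntpath.basename(path).lower()


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image names from the given process up to the root, guarding against PID loops."""
    by_pid = {e["pid"]: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names


def find_suspicious_chains(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """(pid, chain) for every process whose ancestry matches CHAIN_STAGES link by link."""
    hits = []
    for event in events:
        chain = ancestry(events, event["pid"])
        if len(chain) >= len(CHAIN_STAGES) and all(
                name in stage for name, stage in zip(chain, CHAIN_STAGES)):
            hits.append((event["pid"], chain[:len(CHAIN_STAGES)]))
    return hits


def temp_script_launches(events: List[Dict]) -> List[int]:
    """PIDs of PowerShell processes started with a script located under C:\\Temp."""
    return [e["pid"] for e in events
            if image_name(e["image"]) in CHAIN_STAGES[1]
            and "c:\\temp\\" in e["cmdline"].lower()]


if __name__ == "__main__":
    for pid, chain in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {' <- '.join(chain)}")
    print("PowerShell launched from C:\\Temp:", temp_script_launches(SAMPLE_EVENTS))
```

Matching on the full three-link ancestry rather than on aspnet_compiler.exe alone is what keeps the MSBuild case quiet; the C:\Temp check is a weaker, stand-alone signal that is worth correlating with the chain hit on the same host.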
On infected systems, LokiBot can copy itself to a hidden file and directory and has attempted persistence via a registry Run key, although newer builder-generated samples were reported to have a broken persistence mechanism. It uses runtime API resolution via custom hashing and creates a mutex derived from the MD5 hash of the machine's unique registry identifier to enforce single-instance execution. Updated variants have also been reported using steganography to hide code inside JPG files.
LokiBot has been associated with infrastructure and delivery ecosystems used by multiple threat actors and malware operators. It was observed in leaked BraZZZerS Fast Flux logs, cited as a malware family distributed by GuLoader, and noted as one of the malicious campaigns that leveraged Ngrok. In SilverTerrier reporting, LokiBot was the most popular information stealer by unique monthly samples. High-confidence indicators from the analyzed campaign include SHA256 hashes c099f965144bccd0b590f946659fc3c0747c54aef505b6caaca9078712f455fb, 64c7dd0a3a3ae49977ac05913d3878000cce14e5d8c1ee05b782bdfd648bde91, ad10ff9043d6f327045943635fcbd0c5918acb79dc998db92ee4c7dee5224710, 4c9f271242f61f1a31b8146305e9a7ed512c521445d4f7a7a901e301307add3d, and 5864a697bd7b339f56b05405f29a097cd027cafdcc4e63c2aaeccccbf930605f; the dropper filename gruijvdsdbcmcvbtryedfhpoibbedflokjqnb.js; IP 158.94.211.95; domains kbfvzoboss.bid, alphastand.trade, alphastand.win, and alphastand.top; and C2 endpoints including /alien/fre.php and /kelly/five/fre.php.
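To turn that indicator list into something a SOC can run, the Python below is an added example (not the page's own tooling) that matches the domains, IP, C2 paths, dropper filename and SHA256 hashes quoted above against log lines. The indicator values are copied verbatim from the paragraph above; the log lines, internal hosts and timestamps are constructed for the example, and domain matching also catches subdomains of a listed domain.

```python
"""Match the page's LokiBot indicators against constructed log lines."""
import re
from typing import List, Tuple

# Indicator values copied from the campaign write-up above.
DOMAINS = {"kbfvzoboss.bid", "alphastand.trade", "alphastand.win", "alphastand.top"}
IPS = {"158.94.211.95"}
C2_PATHS = {"/alien/fre.php", "/kelly/five/fre.php"}
FILENAMES = {"gruijvdsdbcmcvbtryedfhpoibbedflokjqnb.js"}
SHA256S = {
    "c099f965144bccd0b590f946659fc3c0747c54aef505b6caaca9078712f455fb",
    "64c7dd0a3a3ae49977ac05913d3878000cce14e5d8c1ee05b782bdfd648bde91",
    "ad10ff9043d6f327045943635fcbd0c5918acb79dc998db92ee4c7dee5224710",
    "4c9f271242f61f1a31b8146305e9a7ed512c521445d4f7a7a901e301307add3d",
    "5864a697bd7b339f56b05405f29a097cd027cafdcc4e63c2aaeccccbf930605f",
}

# Constructed log lines (proxy, DNS, EDR and firewall shapes); timestamps and hosts are made up.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z proxy src=10.0.0.5 GET http://kbfvzoboss.bid/alien/fre.php 200",
    "2024-01-01T10:00:05Z dns src=10.0.0.5 query=alphastand.top type=A",
    "2024-01-01T10:00:07Z edr host=ws01 file=C:\\Users\\alice\\Downloads\\"
    "gruijvdsdbcmcvbtryedfhpoibbedflokjqnb.js "
    "sha256=c099f965144bccd0b590f946659fc3c0747c54aef505b6caaca9078712f455fb",
    "2024-01-01T10:00:09Z fw src=10.0.0.5 dst=158.94.211.95:80 proto=tcp action=allow",
    "2024-01-01T10:01:00Z proxy src=10.0.0.8 GET http://example.com/index.html 200",
]

HOSTNAME_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
JS_NAME_RE = re.compile(r"[a-z0-9_.-]+\.js\b")


def domain_hits(text: str) -> List[str]:
    """Listed domains found in text, including as the parent of a subdomain."""
    found = []
    for host in HOSTNAME_RE.findall(text):
        labels = host.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in DOMAINS:
                found.append(candidate)
                break
    return found


def scan_line(text: str) -> List[Tuple[str, str]]:
    """(indicator_type, value) pairs matched in one log line."""
    lower = text.lower()
    hits = [("domain", d) for d in domain_hits(lower)]
    hits += [("ip", ip) for ip in IPV4_RE.findall(lower) if ip in IPS]
    hits += [("c2_path", p) for p in C2_PATHS if p in lower]
    hits += [("sha256", h) for h in SHA256_RE.findall(lower) if h in SHA256S]
    hits += [("filename", f) for f in JS_NAME_RE.findall(lower) if f in FILENAMES]
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(1-based line number, indicator_type, value) for every indicator match."""
    return [(n, kind, value)
            for n, line in enumerate(lines, start=1)
            for kind, value in scan_line(line)]


if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} {value}")
```

The C2 paths are the weakest of these indicators on their own (fre.php is a generic name), so a path hit is best treated as corroboration of a domain or IP hit from the same source host rather than as an alert by itself.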
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories.
Older Microsoft Office flaws (CVE-2017-11882, CVE-2017-0199) that remain unpatched in many organizations were also leveraged. (Source: "LokiBot Infostealer deployed via legacy Office exploit chains")
Groups observed using it
3 distinct threat actors attributed by public researchers.
The info stealers most popular with SilverTerrier last year were LokiBot (446 unique samples/month), Pony (330 unique samples/month), and Agent Tesla .NET keylogger (95 unique samples/month).
The group relied exclusively on a variety of publicly available spyware and Remote Access Trojans (RATs), including AgentTesla, Lokibot, AzoRult, Pony, and NetWire.
"...we found several different families of RATs and infostealers. These included Lokibot, Betabot, Formbook, and AgentTesla."
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (5 techniques)
Once executed, the script decodes a Base64-encoded PowerShell script, saves it to the C:\Temp folder with a random filename, and runs it.
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
The content repeatedly mentions '.bat', '.cmd', and 'batch scripts' used to automate execution, persistence, cleanup, deployment, disabling security tools, and ransomware operations. Examples: 'APT1 has used ... batch scripting to automate execution', 'Blue Mockingbird has used batch script files to automate execution and deployment of payloads', and 'Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO.'
Opening the file causes Windows to run it through the built-in Windows Script Host program. The script is heavily obfuscated using decoy functions and hexadecimal-named variables to slow down analysis.
By relying on basic social engineering – an attack technique that takes advantage of human traits such as curiosity, trust and greed in order to obtain confidential information or to have the victim perform a certain action – suffice it to say that certain threat actors (both criminal and nation state) are exploiting these unprecedented times for various nefarious means.
Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.
Persistence (1 technique)
Privilege Escalation (2 techniques)
Stealth (11 techniques)
The script is heavily obfuscated using decoy functions and hexadecimal-named variables to slow down analysis... The loaded .NET assembly, protected with the ConfuserEx obfuscator, acts as an injector.
Defense Evasion. The loader downloads a stego container from a legitimate or compromised host. Two techniques are at work at once: Steganography (T1027.003) to obfuscate the payload...
To stay hidden, LokiBot avoids importing most Windows API functions directly and instead resolves them at runtime using a custom hashing technique.
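For an analyst, the practical consequence of runtime API hashing is that disassembly shows 32-bit constants instead of import names, and the usual fix is to precompute a hash-to-name table from the export names of the DLLs the sample loads. The Python below is an added example, not LokiBot code and not from the page: the page does not give LokiBot's hash routine, so a ROR13 add-hash (rotate right by 13, then add each byte) is assumed purely as a stand-in, and the export-name list is constructed; against a real sample the hash function would be transcribed from the resolver routine and the names pulled from the DLLs' export tables.

```python
"""Build a lookup table that turns API-name hashes back into names for analysis."""
from typing import Dict, Iterable, Optional

# LokiBot's own routine is not described on this page; ROR13 (rotate right by 13,
# then add the byte) is an illustrative stand-in and is assumed here.
MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by bits."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """Hash an ASCII export name: h = ror(h, 13) + byte for each byte, 32-bit wraparound."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed export-name list; a real run would take names from the DLLs' export tables.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "WriteProcessMemory",
    "CreateProcessA", "CreateMutexA", "InternetOpenA", "HttpSendRequestA",
]


def build_table(names: Iterable[str]) -> Dict[int, str]:
    """hash -> name table; two names sharing a hash would mislead analysis, so refuse it."""
    table: Dict[int, str] = {}
    for name in names:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} vs {name}")
        table[h] = name
    return table


def resolve(table: Dict[int, str], value: int) -> Optional[str]:
    """Name for a hash constant seen in disassembly, or None if it is not in the table."""
    return table.get(value & MASK32)


if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    for h, name in sorted(table.items()):
        print(f"{h:08x} {name}")
```

The table is only as good as the name list: a sample that resolves wininet or crypt32 exports needs those DLLs' export names included, and a constant that fails to resolve usually means either a different hash routine or a name the list is missing.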
Defense Evasion. ...Two techniques are at work at once: Steganography (T1027.003) to obfuscate the payload and Embedded Payloads (T1027.009) to hide code inside a media file.
As shown in the output of the patched assembly (Figure 7), a new aspnet_compiler.exe process is spawned.
It spawns a legitimate aspnet_compiler.exe process, allocates memory inside it, and writes the final LokiBot payload into that space. This process injection technique allows the malware to run inside a trusted Windows process, making it harder to flag.
Once executed, the script decodes a Base64-encoded PowerShell script... The PowerShell stage then decrypts a .NET assembly payload using XOR with a hard-coded key.
It spawns a legitimate aspnet_compiler.exe process... This process injection technique allows the malware to run inside a trusted Windows process, making it harder to flag.
Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.
Credential Access (2 techniques)
Discovery (4 techniques)
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection (3 techniques)
Banking trojans and information stealers materialized as the second most prevalent type of cybercrime, with malware families like RedLine, Lumma, LokiBot, Negasteal, and ZBot taking up the top spots.
Command and Control (4 techniques)
After harvesting credentials, LokiBot compresses the stolen data using aPLib and sends it to a command-and-control server.
Every minute, it sends an HTTP request containing information about the infected system and spawns a separate thread to process the server's response and execute any received commands.
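A fixed once-a-minute check-in is detectable from proxy or flow logs without any indicator at all, because the gaps between requests from the same source to the same destination are nearly constant. The Python below is an added example, not the page's tooling: it groups constructed proxy records by (source, destination, path), measures the coefficient of variation of the inter-request gaps, and reports flows with enough requests and almost no jitter. The beaconing flow reuses the IP and C2 path quoted earlier on the page; the timestamps, internal hosts and the benign browsing flow are constructed.

```python
"""Spot fixed-interval HTTP polling like the once-a-minute check-in described above."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev
from typing import Dict, List, Tuple

Request = Tuple[str, str, str, str]  # (iso_timestamp, src_ip, dst_ip, path)

_BASE = datetime(2024, 1, 1, 10, 0, 0)  # constructed start time for the sample records


def _ts(offset_seconds: int) -> str:
    return (_BASE + timedelta(seconds=offset_seconds)).isoformat()


# Constructed proxy records: one host polls the page's C2 path every 60 s,
# another host (203.0.113.10 is a documentation-range address) browses at irregular times.
SAMPLE_REQUESTS: List[Request] = (
    [(_ts(60 * i), "10.0.0.5", "158.94.211.95", "/alien/fre.php") for i in range(6)]
    + [(_ts(o), "10.0.0.8", "203.0.113.10", "/index.html") for o in (0, 7, 95, 100, 400, 410)]
)


def beacon_candidates(requests: List[Request], min_count: int = 5,
                      max_cv: float = 0.1) -> List[Tuple[str, str, str, float]]:
    """(src, dst, path, median_gap_seconds) for flows whose inter-request gaps barely vary.

    cv is the coefficient of variation (population stdev / mean) of the gaps: a timer-driven
    check-in sits near zero, while human browsing to the same site scatters widely.
    """
    by_flow: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst, path in requests:
        by_flow[(src, dst, path)].append(datetime.fromisoformat(ts))

    candidates = []
    for flow, times in by_flow.items():
        if len(times) < min_count:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second: not a polling pattern
        if pstdev(gaps) / avg <= max_cv:
            candidates.append((*flow, median(gaps)))
    return candidates


if __name__ == "__main__":
    for src, dst, path, gap in beacon_candidates(SAMPLE_REQUESTS):
        print(f"{src} -> {dst}{path}: median gap {gap:.0f}s")
```

Software updaters and monitoring agents also poll on fixed timers, so in practice the candidate list is filtered against an allowlist of known-periodic destinations before anything is raised; the value of the check is that it still fires when a sample's C2 address is new and no hash or domain indicator exists yet.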
IOCs tracked for this family
2,752 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
93 sources tracked across advisories, community write-ups, and news.
Credential-stealing malware that harvests usernames and passwords from more than a hundred applications, including browsers, cryptocurrency wallets, email clients, and FTP tools. In this campaign it is delivered via a phishing email with a JScript attachment, followed by PowerShell, an in-memory .NET injector, and process injection into aspnet_compiler.exe. It compresses stolen data with aPLib and sends it to a command-and-control server, and may attempt persistence via a registry run key.
LokiBot is a long-running infostealer focused on harvesting credentials from more than a hundred software products, including browsers, cryptocurrency wallets, password managers, email clients, and FTP clients. In the analyzed campaign it was delivered via malspam as an obfuscated JScript attachment, which launched a PowerShell loader and a .NET injector before injecting the final LokiBot payload. The malware steals credentials, compresses and exfiltrates them to C2 infrastructure, establishes persistence, and polls the C2 for additional commands.
A banking trojan and information stealer listed among the most prevalent malware families in Asia and the South Pacific.
An infostealer that steals credentials; updated variants use steganography to hide code inside JPG files.