Lokibot
LokiBot is an information-stealing malware family and keylogger. The reporting collected here states that it steals credentials from multiple sources, including Windows OS credentials, web browsers (Safari and Chromium- and Mozilla Firefox-based browsers), email clients, FTP clients, and SFTP clients. It has also been described as stealing credentials from web browsers, FTP servers, and SMTP servers, and researchers observed it targeting data from at least 25 web browsers. LokiBot can initiate contact with command-and-control infrastructure and exfiltrate stolen data over its C2 channel.

Reported capabilities and ATT&CK-style behaviors include keylogging, use of web protocols for C2, process hollowing, reflective code loading, scheduled-task persistence, registry modification, file deletion to remove indicators, file/system/network/user discovery, hidden files and directories, time-based sandbox evasion, and bypass of User Account Control. Execution has been observed via Visual Basic, Windows Command Shell, and PowerShell, including PowerShell commands embedded in batch scripts and use of schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I inside a batch script.

Infection and delivery vectors mentioned include spearphishing attachments, malicious files, malicious XLS attachments in spearphishing emails, and lures that trick victims into clicking "enable content" to enable malicious macros. One report says updated LokiBot variants use steganography to hide code inside JPG files, pairing a .jpg file with a .exe component. LokiBot is also described as being distributed by GuLoader and as being used by Nigerian business email compromise actors tracked as SilverTerrier/TMT, who used commodity malware including LokiBot to steal credentials and compromise mailboxes.
The reporting further references a third-stage LokiBot payload analysis utility that decoded an obfuscated server response into a DLL using reversed hex decoding and XOR with the key "ZKkz8PH0". High-confidence indicators explicitly provided include SHA-256 da9c3deb08bfc6a2e7930a4c8f1bd81b5ebffbb09b44027c74ea41ebf7149f8b for a malicious PDF used to deliver LokiBot, SHA-256 825b7a64db82a61656c8004bef49823d5b9fe4f52fae744f5dc927b3e75a994b for an extracted malicious XLS attachment, and the XOR key "ZKkz8PH0" associated with unpacking a LokiBot third-stage payload.
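The third-stage decoding described above, as an added analyst example (not the utility from the original reporting): it assumes the transform order is reverse the response text, hex-decode it, then XOR with the repeating key "ZKkz8PH0", and it builds its own constructed sample instead of a real DLL.

```python
"""Decode a LokiBot-style obfuscated third-stage server response.

Added example, not the analysis utility from the reporting. The assumed
transform is: reverse the ASCII response, hex-decode it, then XOR the bytes
with the repeating key "ZKkz8PH0". SAMPLE_PAYLOAD is a constructed stand-in
for a DLL, not a real LokiBot sample.
"""
import binascii
from itertools import cycle

XOR_KEY = b"ZKkz8PH0"   # key reported for the third-stage payload


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_response(response: str, key: bytes = XOR_KEY) -> bytes:
    """Reverse the hex text, hex-decode it, then XOR with the key."""
    text = "".join(response.split())     # tolerate whitespace and newlines
    try:
        raw = binascii.unhexlify(text[::-1])
    except binascii.Error as exc:
        raise ValueError(f"response is not reversed hex: {exc}") from exc
    return xor_repeating(raw, key)


def encode_payload(payload: bytes, key: bytes = XOR_KEY) -> str:
    """Inverse transform; used here only to build the constructed sample."""
    return binascii.hexlify(xor_repeating(payload, key)).decode()[::-1]


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: a decoded DLL should start with the 'MZ' stub."""
    return blob[:2] == b"MZ"


# Constructed stand-in for a DLL: the MZ magic plus filler bytes.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 6 + b"This program cannot be run in DOS mode."
SAMPLE_RESPONSE = encode_payload(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    blob = decode_response(SAMPLE_RESPONSE)
    print(f"decoded {len(blob)} bytes, PE header present: {looks_like_pe(blob)}")
```

Feed a captured response string to decode_response and check looks_like_pe before passing the result to a PE parser; a non-MZ result usually means the key or transform order is wrong for that variant.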
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Older Microsoft Office flaws (CVE-2017-11882, CVE-2017-0199) that remain unpatched in many organizations were also leveraged. [...] Indicators of Compromise (IoCs): ...
Source: LokiBot Infostealer deployed via legacy Office exploit chains
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The info stealers most popular with SilverTerrier last year were LokiBot (446 unique samples/month), Pony (330 unique samples/month), and Agent Tesla .NET keylogger (95 unique samples/month).
The group relied exclusively on a variety of publicly available spyware and Remote Access Trojans (RATs), including AgentTesla, Lokibot, AzoRult, Pony, and NetWire.
"...we found several different families of RATs and infostealers. These included Lokibot, Betabot, Formbook, and AgentTesla."
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Additionally, the branding of trusted organizations (for example the World Health Organization (WHO)) is abused in order to build credibility and trust in order to have people, for example, open malicious attachments or web pages.
Execution
5 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
The content repeatedly mentions '.bat', '.cmd', and 'batch scripts' used to automate execution, persistence, cleanup, deployment, disabling security tools, and ransomware operations. Examples: 'APT1 has used ... batch scripting to automate execution', 'Blue Mockingbird has used batch script files to automate execution and deployment of payloads', and 'Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO.'
The content repeatedly mentions malicious macros in Word/Excel documents, such as "enable macros," "embedded macros," and "macro-enabled documents."
By relying on basic social engineering – an attack technique that takes advantage of human traits such as curiosity, trust and greed in order to obtain confidential information or to have the victim perform a certain action – suffice it to say that certain threat actors (both criminal and nation state) are exploiting these unprecedented times for various nefarious means.
Persistence
2 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Privilege Escalation
2 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Avaddon modifies several registry keys for persistence and UAC bypass. LockBit 2.0 can create Registry keys to bypass UAC and for persistence. Lokibot has modified the Registry as part of its UAC bypass process.
Stealth
6 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
Defense Evasion. The loader downloads a stego container from a legitimate or compromised host. Two techniques are at work at once: Steganography (T1027.003) to obfuscate the payload...
Defense Evasion. ...Two techniques are at work at once: Steganography (T1027.003) to obfuscate the payload and Embedded Payloads (T1027.009) to hide code inside a media file.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Decoding. Payload extraction: Deobfuscate/Decode Files or Information (T1140). The decoding algorithm is hard-coded in the loader.
CHIMNEYSWEEP can use the Windows SilentCleanup scheduled task to enable payload execution.
Defense Impairment
1 technique
Credential Access
4 techniques
The info stealers most popular with SilverTerrier last year were LokiBot (446 unique samples/month), Pony (330 unique samples/month), and Agent Tesla .NET keylogger (95 unique samples/month).
Information stealers seem to be the preferred type of malware to help in their fraudulent email attacks... The attacker can pilfer data about the targets and use it to create efficient messages for diverting transactions or asking money to be sent to fraudsters' account.
Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles... APT33 has used a variety of publicly available tools like LaZagne to gather credentials... Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.
APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords... DarkGate use Nirsoft Network Password Recovery or NetPass tools to steal stored RDP credentials... PoshC2 can decrypt passwords stored in the RDCMan configuration file... Volt Typhoon has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY.
The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
Discovery
4 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Looking at a LokiBot sample this year, researchers noticed the following capabilities: anti-analysis... checking for email and web servers running on the machine
Collection
1 technique
Command and Control
2 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
MITRE ATT&CK technique T1105; malware families: 0bj3ctivity Stealer, Agent Tesla, Amadey, AsyncRAT, Castle RAT, DarkCrystal RAT, gh0st RAT, Lokibot, njRAT, PlugX, QuasarRAT, RedLine Stealer, Remcos
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Impact
1 technique
Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.
IOCs tracked for this family
2,735 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
85 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An infostealer that steals credentials; updated variants use steganography to hide code inside JPG files.
Infostealer deployed via legacy Microsoft Office exploit chains.
Mentioned as a malware family that uses the resource section to hide payloads.
Gremlin stealer uses the resource section to mirror the tactics of several high-profile malware families that frequently use this area for payload obfuscation, including: Agent Tesla, GuLoader, LokiBot, Quasar RAT.