Lokibot
LokiBot is an information-stealing malware family and keylogger. The provided content states that it steals credentials from multiple sources, including web browsers (including Safari and Chromium- and Mozilla Firefox-based browsers), Windows OS credential stores, email clients, FTP and SFTP clients, and in one report web browsers, FTP servers, and SMTP servers. Additional reporting in the content notes it can target data from at least 25 web browsers, search for credentials in email clients, file transfer clients, and systems running email or web servers, and exfiltrate stolen data by initiating contact with command-and-control infrastructure over web protocols/C2 channels.
Behavior and ATT&CK-mapped capabilities explicitly mentioned in the content include keylogging, credentials from password stores, exfiltration over C2, process hollowing, reflective code loading, registry modification, scheduled task creation, file deletion to remove indicators, file/system/network/user discovery, hidden files and directories, time-based sandbox evasion, abuse of PowerShell, Windows Command Shell, and Visual Basic for execution, and bypass of User Account Control. The content also references embedded batch-script commands such as "schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I" and notes use of PowerShell commands embedded inside batch scripts.
Delivery and infection vectors described in the content include spearphishing attachments, malicious files, malicious XLS attachments in spearphishing emails, and lures that trick users into enabling malicious macros via "Enable Content." One report describes a malicious PDF carrying an embedded XLS spreadsheet used to deliver LokiBot; the PDF SHA-256 is da9c3deb08bfc6a2e7930a4c8f1bd81b5ebffbb09b44027c74ea41ebf7149f8b and the extracted XLS SHA-256 is 825b7a64db82a61656c8004bef49823d5b9fe4f52fae744f5dc927b3e75a994b. The content also states GuLoader has been used to distribute LokiBot.
The malware is associated in the content with commodity cybercrime activity, including Nigerian business email compromise ecosystems tracked as SilverTerrier and the TMT group, which used publicly available spyware/RATs including LokiBot to steal credentials and compromise mailboxes. The content also notes LokiBot remains prevalent in public malware telemetry and sandbox submissions.
A malware-analysis artifact in the content references a GitHub Gist titled "unpack_3rdstage_lokibot.py" for decoding a LokiBot third-stage payload from "server_response.txt" by reversing the string, hex-decoding it, XORing with key "ZKkz8PH0," and writing the result to "decoded.dll_."
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Older Microsoft Office flaws (CVE-2017-11882, CVE-2017-0199) that remain unpatched in many organizations were also leveraged. | Indicators of Compromise (IoCs):- ... Malware LokiBot Infostealer deployed via legacy Office exploit chains
Older Microsoft Office flaws (CVE-2017-11882, CVE-2017-0199) that remain unpatched in many organizations were also leveraged. | Indicators of Compromise (IoCs):- ... Malware LokiBot Infostealer deployed via legacy Office exploit chains
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The info stealers most popular with SilverTerrier last year were LokiBot (446 unique samples/month), Pony (330 unique samples/month), and Agent Tesla .NET keylogger (95 unique samples/month).
The group relied exclusively on a variety of publicly available spyware and Remote Access Trojans (RATs), including AgentTesla, Lokibot, AzoRult, Pony, and NetWire.
"...we found several different families of RATs and infostealers. These included Lokibot, Betabot, Formbook, and AgentTesla."
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 techniqueAdditionally, the branding of trusted organizations (for example the World Health Organization (WHO)) is abused in order to build credibility and trust in order to have people, for example, open malicious attachments or web pages.
Execution
5 techniquesDuring the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.' | The content repeatedly mentions '.bat', '.cmd', and 'batch scripts' used to automate execution, persistence, cleanup, deployment, disabling security tools, and ransomware operations. Examples: 'APT1 has used ... batch scripting to automate execution', 'Blue Mockingbird has used batch script files to automate execution and deployment of payloads', and 'Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO.'
The content repeatedly mentions malicious macros in Word/Excel documents, such as "enable macros," "embedded macros," and "macro-enabled documents."
By relying on basic social engineering – an attack technique that takes advantage of human traits such as curiosity, trust and greed in order to obtain confidential information or to have the victim perform a certain action – it is suffice to say that certain threat actors (both criminal and nation state) are exploiting these unprecedented times for various nefarious means.
Persistence
2 techniquesDuring the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Privilege Escalation
2 techniquesDuring the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Avaddon modifies several registry keys for persistence and UAC bypass. LockBit 2.0 can create Registry keys to bypass UAC and for persistence. Lokibot has modified the Registry as part of its UAC bypass process.
Stealth
4 techniquesThe content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
CHIMNEYSWEEP can use the Windows SilentCleanup scheduled task to enable payload execution.
Defense Impairment
1 techniqueCredential Access
4 techniquesThe info stealers most popular with SilverTerrier last year were LokiBot (446 unique samples/month), Pony (330 unique samples/month), and Agent Tesla .NET keylogger (95 unique samples/month).
Information stealers seem to be the preferred type of malware to help in their fraudulent email attacks... The attacker can pilfer data about the targets and use it to create efficient messages for diverting transactions or asking money to be sent to fraudsters' account.
Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles... APT33 has used a variety of publicly available tools like LaZagne to gather credentials... Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI. | APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords... DarkGate use Nirsoft Network Password Recovery or NetPass tools to steal stored RDP credentials... PoshC2 can decrypt passwords stored in the RDCMan configuration file... Volt Typhoon has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY.
The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
Discovery
4 techniquesThe content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Looking at a LokiBot sample this year, researchers noticed the following capabilities: anti-analysis... checking for email and web servers running on the machine
Collection
1 techniqueCommand and Control
2 techniquesThe content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
MITRE ATT&CK Technique Malware Families T1105 0bj3ctivity Stealer, Agent Tesla, Amadey, AsyncRAT, Castle RAT, DarkCrystal RAT, gh0st RAT, Lokibot, njRAT, PlugX, QuasarRAT, RedLine Stealer, Remcos
Exfiltration
1 techniqueADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Impact
1 techniqueScammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.
Other
1 techniqueIOCs tracked for this family
2,735 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
84 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Infostealer deployed via legacy Microsoft Office exploit chains.
Mentioned as a malware family that uses the resource section to hide payloads.
Gremlin stealer uses the resource section to mirror the tactics of several high-profile malware families that frequently use this area for payload obfuscation, including: Agent Tesla, GuLoader, LokiBot, Quasar RAT.
Trojan stealer in the analyzed set that shares common behaviors including payload download, browser credential theft, registry modification, scheduled task persistence, and web-protocol C2 communications.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.