Loda
Loda is a remote access trojan (RAT) observed in campaigns attributed to TA558. In the provided reporting, TA558 targeted travel and hospitality organizations, particularly using fake reservation-themed phishing emails, often in Portuguese or Spanish and sometimes using the subject or attachment name "reserva." Delivery methods included URLs leading to container files such as ISO and RAR/ZIP archives containing executables. Earlier TA558 activity also used Microsoft Office-based infection chains, including exploitation of CVE-2017-11882 and later template injection and macro-laced attachments, to download RAT payloads, most commonly Loda or Revenge RAT, onto victim machines. The delivered RATs were characterized as enabling reconnaissance, data theft, and delivery of follow-on payloads. The activity was reported against organizations primarily in Latin America, and at times in North America and Western Europe, with a focus on travel, hospitality, and related industries. TA558 is assessed in the cited reporting as financially motivated.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
“In 2022, campaigns delivered a mixture of malware such as, Loda, Revenge RAT, and AsyncRAT.”
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
“In 2022, campaigns delivered a mixture of malware such as, Loda, Revenge RAT, and AsyncRAT.”
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniquesThis report focuses on the URLs embedded in emails that bypassed email security controls like secure email gateways (SEGs) to deliver malware.
Infection URLs are embedded in emails and represent the first action that a victim must take to become infected.
Execution
1 techniqueInfection URLs are the first step in a chain of events leading to an infection by malware. They are embedded in emails and represent the first action that a victim must take to become infected.
Command and Control
2 techniquesSeveral of the more well-known legitimate services include OneDrive, Dropbox, MediaFire, Discord, Google services such as Docs and Drive, GitHub, and WeTransfer.
Although these URLs often lead directly to a file download or intermediary service with a link to a file download, sometimes legitimate redirect services, such as bit[.]ly, are used.
Recent activity
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.