{
	"id": "6bb9eafe-2225-48dc-b565-b4a02e5be73a",
	"created_at": "2026-04-06T00:14:24.598779Z",
	"updated_at": "2026-04-10T13:12:55.370572Z",
	"deleted_at": null,
	"sha1_hash": "0841f8e488d297c3270a6eee932d909f5678e61f",
	"title": "Loki Info Stealer Propagates through LZH Files",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 349819,
	"plain_text": "Loki Info Stealer Propagates through LZH Files\r\nArchived: 2026-04-05 20:28:38 UTC\r\nInsights and analysis by Miguel Ang\r\nLZH files, a compression format more commonly used in Japan, have also been used to deliver other malware such as Negasteal and Ave Maria.\r\nThe malicious LZH attachment comes from an email posing as a payment confirmation advice from a bank. The attachment is named “payment confirmation.lzh”.\r\nFigure 1. Sample email delivering Loki through LZH attachment\r\nThe LZH archive contains the Loki dropper, named bFbnF2vovw15SVM.exe. It also holds a folder named “crypted_files,” which in turn contains an empty folder named “myself_crypted.” This was either the result of an error in archiving the sample or was meant to hold additional components or payloads.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files\r\nFigure 2. Attachment contents\r\nFigure 3. Contents of the “crypted_files” folder\r\nThe Loki dropper is built from .NET-compiled binaries that add multiple layers of obfuscation. It eventually uses process hollowing to load and execute the main Loki payload. This method is reminiscent of the campaign that propagates Loki through CAB file attachments. The main Loki payload that it drops also has the same hash as the variant concealed through CAB files, indicating that both samples belong to the same ongoing campaign.\r\nFigure 4. Obfuscated compiled binaries\r\nDetachment from malicious files\r\nCybercriminals can use a variety of file attachments to spread malware, ranging from common file types like Word documents or PDFs to less familiar ones like CAB or LZH files. 
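The archive layout described above (an executable named like the dropper plus an empty nested folder) is something a mail gateway can check mechanically before the attachment reaches a mailbox. The Python script below is an added example and is not code from the article or from Trend Micro. It walks an LZH archive using the LHA level-2 header format (the one current LHA tools write), verifies the header CRC so a tampered or malformed header is rejected rather than silently accepted, and flags entries a gateway would block: executable extensions, double extensions, and a PE (MZ) image stored under any name. The archive it inspects is constructed in the script itself, with a stub PE image carrying the dropper file name from the analysis and the empty crypted_files/myself_crypted folder; the bytes are not the real sample. The parser covers only level-2 headers and stored (-lh0-) data; compressed entries (-lh5- and friends) would need a decompressor before the MZ check could see their contents.

```python
'''Walk an LZH archive (LHA level-2 headers) and triage its entries for a mail gateway.

Added example, not code from the Trend Micro article or from Trend Micro. The archive it
inspects is constructed below: a stub PE image named like the dropper from the article plus
the empty crypted_files/myself_crypted folder. The bytes are not the real sample.
'''
import struct

FIXED = '<H5sIIIBBHBH'      # level-2 fixed header, 26 bytes (sizes, method, level, data CRC, OS id)
SEP = bytes([0xFF])         # path separator inside the type-2 (directory) extended header
EXEC_EXT = {'.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs', '.ps1', '.dll', '.msi'}


def crc16_arc(data, crc=0):
    '''CRC-16/ARC (reflected poly 0xA001, init 0), the CRC LHA uses for both data and headers.'''
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_level2_entry(name, data, directory=None, mtime=0):
    '''Build one level-2 entry. data=None yields a directory entry (-lhd-); otherwise the
    bytes are stored uncompressed (-lh0-). Used only to construct the demo archive.'''
    method = b'-lhd-' if data is None else b'-lh0-'
    body = data or b''
    payloads = [bytes(3)]                                          # type 0: header CRC, filled below
    if name:
        payloads.append(bytes([1]) + name.encode('cp932'))         # type 1: file name
    if directory:                                                   # type 2: directory, 0xFF-terminated parts
        payloads.append(bytes([2]) + b''.join(p.encode('cp932') + SEP for p in directory.split('/')))
    # Each extended header is [type][payload][size of the NEXT header]; a size counts type+payload+2.
    ext = b''.join(p + struct.pack('<H', len(payloads[i + 1]) + 2 if i + 1 < len(payloads) else 0)
                   for i, p in enumerate(payloads))
    header = bytearray(struct.pack(FIXED, 26 + len(ext), method, len(body), len(body), mtime,
                                   0x20, 2, crc16_arc(body), 0x4D, len(payloads[0]) + 2) + ext)
    struct.pack_into('<H', header, 27, crc16_arc(bytes(header)))   # CRC over the header with this field zeroed
    return bytes(header) + body


def parse_lzh(buf):
    '''Return a list of entry dicts; raise ValueError on truncation or a CRC mismatch.'''
    entries, off = [], 0
    while off < len(buf) and buf[off] != 0:                        # a 0x00 size byte ends the archive
        if off + 26 > len(buf):
            raise ValueError('truncated fixed header')
        (hsize, method, packed, orig, _mtime, _res, level, data_crc,
         _os, ext_size) = struct.unpack_from(FIXED, buf, off)
        if level != 2:
            raise ValueError(f'unsupported header level {level}')
        header = bytearray(buf[off:off + hsize])
        if len(header) != hsize:
            raise ValueError('truncated header')
        name, dirname, hcrc, pos = '', '', None, 26
        while ext_size:
            if ext_size < 3 or pos + ext_size > hsize:
                raise ValueError('extended header runs past the header')
            etype, payload = header[pos], bytes(header[pos + 1:pos + ext_size - 2])
            if etype == 0 and len(payload) >= 2:
                hcrc = struct.unpack_from('<H', payload)[0]
                header[pos + 1:pos + 3] = bytes(2)                # zero the field before recomputing
            elif etype == 1:
                name = payload.decode('cp932', 'replace')
            elif etype == 2:
                dirname = '/'.join(p.decode('cp932', 'replace') for p in payload.split(SEP) if p)
            pos, ext_size = pos + ext_size, struct.unpack_from('<H', header, pos + ext_size - 2)[0]
        if hcrc is not None and crc16_arc(bytes(header)) != hcrc:
            raise ValueError('header CRC mismatch: corrupt or tampered header')
        data = bytes(buf[off + hsize:off + hsize + packed])
        if len(data) != packed:
            raise ValueError('truncated entry data')
        if method == b'-lh0-' and crc16_arc(data) != data_crc:
            raise ValueError('data CRC mismatch for ' + name)
        entries.append({'path': '/'.join(p for p in (dirname, name) if p), 'method': method.decode(),
                        'orig_size': orig, 'packed_size': packed, 'is_dir': method == b'-lhd-',
                        'data': data if method == b'-lh0-' else None})  # compressed data is not decoded here
        off += hsize + packed
    return entries


def triage(entries):
    '''Return (path, reason) findings; the MZ check only sees stored (-lh0-) entries.'''
    findings = []
    for e in entries:
        if e['is_dir']:
            findings.append((e['path'], 'directory entry shipped inside the archive'))
            continue
        exts = ['.' + x for x in e['path'].rsplit('/', 1)[-1].lower().split('.')[1:]]
        if exts and exts[-1] in EXEC_EXT:
            findings.append((e['path'], 'executable extension ' + exts[-1]))
        if len(exts) >= 2:
            findings.append((e['path'], 'double extension ' + ''.join(exts)))
        if e['data'] is not None and e['data'][:2] == b'MZ':
            findings.append((e['path'], 'PE image (MZ magic) stored under this name'))
    return findings


# Constructed stand-in for the attachment: stub PE named after the dropper, plus the empty folder.
STUB_PE = b'MZ' + bytes(62)
SAMPLE_ARCHIVE = (build_level2_entry('bFbnF2vovw15SVM.exe', STUB_PE)
                  + build_level2_entry('', None, directory='crypted_files/myself_crypted')
                  + bytes(1))

if __name__ == '__main__':
    for e in parse_lzh(SAMPLE_ARCHIVE):
        print('%s %6d %s' % (e['method'], e['orig_size'], e['path']))
    for path, reason in triage(parse_lzh(SAMPLE_ARCHIVE)):
        print('FLAG %s: %s' % (path, reason))
```

Run as a script it lists both entries and flags the .exe twice (extension and MZ magic) and the folder once. Flipping any header byte, for instance one character of the method string, makes parse_lzh raise on the header CRC; flipping a data byte trips the per-entry data CRC instead, so a gateway built on this cannot be fed an archive whose headers disagree with what a user-side extractor will see without the mismatch being noticed.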
Regardless of the file type used to conceal it, the fact remains that malware can compromise systems, disrupt device performance, or steal data. The following best practices can help prevent malware infections:\r\nDo not download attachments or click links in emails from unknown sources; doing so may lead to the installation of malware. Users can check where an embedded link leads by hovering the pointer over it.\r\nRead emails carefully to gauge the credibility of their contents. Some giveaway signs of spam are bad grammar, misspelled words, and unfamiliar or spoofed email addresses.\r\nAvoid sharing contact details and other sensitive information on public web forums or social media.\r\nFor a more proactive defense against threats that use email as an entry point, the following solutions are recommended:\r\nTrend Micro™ Deep Discovery™ Email Inspector – Stops email-based threats including spam, ransomware, and targeted attacks through advanced analysis and custom sandboxing.\r\nTrend Micro™ Email Security – Employs sandboxing for unknown files and URLs, email sender analysis and authentication, and checking of email headers and content for signs of compromise.\r\nTrend Micro™ Cloud App Security – Protects file sharing from malware and controls sensitive data usage.\r\nIndicators of Compromise\r\nURL\r\nhxxp://retrak.co[.]ke/psy/five/fre.php\r\nFiles (file name, SHA-256, Trend Micro pattern detection)\r\nbFbnF2vovw15SVM.exe\r\nSHA-256: e6adc1df97033110cdf1bd9e9763559fe17811e2234013e4d57fa23b6ddbb207\r\nDetection: TrojanSpy.Win32.LOKI.TIO\r\npayment confirmation.lzh\r\nSHA-256: fb37c52635a47cacba754f811ec64937aa6da3c0ced0162c201748b38952e164\r\nDetection: TrojanSpy.Win32.LOKI.TIO\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files"
	],
	"report_names": [
		"loki-info-stealer-propagates-through-lzh-files"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434464,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0841f8e488d297c3270a6eee932d909f5678e61f.pdf",
		"text": "https://archive.orkl.eu/0841f8e488d297c3270a6eee932d909f5678e61f.txt",
		"img": "https://archive.orkl.eu/0841f8e488d297c3270a6eee932d909f5678e61f.jpg"
	}
}