{
	"id": "c368c3ad-0bf8-4083-bdb5-9a51c18fc6a1",
	"created_at": "2026-04-06T00:07:25.319413Z",
	"updated_at": "2026-04-10T03:25:27.22389Z",
	"deleted_at": null,
	"sha1_hash": "0dff41a85be2cd0c63fcb9e09c3a235d2e4a45ca",
	"title": "Get a Loda This: LodaRAT meets new friends",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 117430,
	"plain_text": "Get a Loda This: LodaRAT meets new friends\r\nBy Chris Neal\r\nPublished: 2022-11-17 · Archived: 2026-04-05 15:28:48 UTC\r\nThursday, November 17, 2022 08:01\r\nLodaRAT samples were deployed alongside other malware families, including RedLine and Neshta.\r\nCisco Talos identified several variants and altered versions of LodaRAT with updated functionality have\r\nbeen seen in the wild.\r\nChanges in these LodaRAT variants include new functionality allowing proliferation to attached removable\r\nstorage, a new string encoding algorithm and the removal of “dead” functions\r\nA relatively unknown VenomRAT variant named S500 has been observed deploying LodaRAT.\r\nSince our first blog post in February of 2020 on the remote access tool (RAT) known as LodaRAT (or Loda),\r\nCisco Talos has monitored its activity and covered our findings in subsequent blog posts, listed below:\r\nLodaRAT Update: Alive and Well\r\nKasablanka Group's LodaRAT improves espionage capabilities on Android and Windows\r\nAs a continuation of this series, this blog post details new variants and new behavior we have observed while\r\nmonitoring LodaRAT over the course of 2022. In this post, we will take an in-depth look at some of the changes in\r\nthese variants. As detailed below, some changes are rather small; however, some variants have made significant\r\nalterations, including both removal of code and implementing additional functionality.\r\nIn addition to these findings we have discovered that Loda appears to have garnered attention from various threat\r\nactors. In a handful of the instances we identified, Loda was deployed alongside–or dropped by–other malware.\r\nThese include RedLine, Neshta and a previously undocumented VenomRAT variant named S500.\r\nChanges in Loda and its variants\r\nLodaRAT is written in AutoIt, a well known scripting language typically used to automate administrative tasks in\r\nWindows. 
AutoIt scripts can be compiled into standalone binaries, allowing them to be executed on a Windows\r\nmachine whether or not AutoIt is installed on the host. The original source code can be easily retrieved from these\r\ncompiled binaries by using an AutoIt decompiler.\r\nAs discussed in our previous blog posts, LodaRAT will typically utilize function obfuscation, as well as string\r\nencoding, to impede analysis. However, there are many non-obfuscated examples that contain the\r\noriginal function names and strings. If a threat actor does not have access to its source code through other means,\r\nall that is required to create their own variant of Loda is to decompile the script, make the desired changes, and then\r\nrecompile it. In addition, LodaRAT's C2 communications are not encrypted, making it trivial to implement a\r\ncustom C2 infrastructure.\r\nhttps://blog.talosintelligence.com/get-a-loda-this/\r\nPage 1 of 17\n\nThis ease of source code retrieval and customization has likely contributed to the\r\nproliferation of numerous variants and customized versions of LodaRAT.\r\nAs such, due to the variations between the samples we observed, the changes discussed in this blog post are from\r\nmultiple variants and altered versions of LodaRAT; therefore, each change does not apply to every variant. It is\r\nquite common to find altered versions of LodaRAT, and it should be expected that most samples will likely have\r\nsome sort of alteration to the source code.\r\nC2 beacon\r\nInitially, LodaRAT’s authors, a group named Kasablanka, would release official updated versions, with each\r\niteration either adding or removing functionality or simply optimizing code. These versions were given a\r\ncorresponding version number which was embedded in the C2 beacon. 
The last known version number as of this\r\nwriting is 1.1.8, shown below:\r\nOlder C2 beacon showing version number 1.1.8\r\nIn the most recent Loda samples we’ve analyzed, the version numbers have been removed entirely from the C2\r\nbeacons and are replaced with the IP address of the infected host, although for unknown reasons, the “beta” tag\r\nremains. This change appears to be universal across the recent variants of LodaRAT.\r\nNew C2 beacon without version number\r\nOne notable, though minor, addition in most of the variants is the ability to identify Windows 11 hosts. Once the\r\nversion is identified, the information is sent back to C2 in the initial beacon.\r\nWindows 11 detection function\r\nAnti-malware software detection\r\nIn one heavily altered version of Loda\r\n(c73771b3b8c6e548724dd02e5f12380a9160323d88dbdbe12d388ade0f7bc1e2), the function that detects anti-malware processes has been rewritten. This new function searches for thirty different process names, whereas the\r\noriginal and most variants perform a WMI query to enumerate all AV processes. 
It is worth noting that this new\r\nimplementation is far less effective than the previous one, as the function will not detect a product that is not\r\nincluded in the list of processes to search for.\r\nNew AV detection function\r\nOne interesting aspect of this new function is that it searches for products which have been discontinued for\r\nseveral years.\r\n“Prevx” - Discontinued product from Webroot\r\n“The Hacker” - Discontinued product from a Peruvian company named Hacksoft\r\n“ByteHero” - Discontinued product from ByteHero Information Security Lab, based in China\r\n“Norman Virus Control” - Discontinued software from Norman Data Defense Systems, acquired by AVG\r\nThe addition of these older products to the search may be an attempt to detect analysis machines or VMs running\r\nolder versions of Windows, such as Windows XP or 7. It is also worth noting that some of the software included in\r\nthe list originates from different regions throughout the world, indicating that this attacker is likely not targeting\r\nvictims in a specific region or country.\r\nCode removal, alteration and dead functions\r\nMany of the LodaRAT samples we analyzed have removed functionality in some way, which may be the author’s\r\nattempt to reduce detection rates. The most common removal appears to be the PowerShell keylogger typically\r\nfound in earlier versions.\r\nLodaRAT has historically contained multiple “dead” functions or commands, meaning that some component of\r\nthe code within them is non-functional. One of these dead functions is\r\n“__SQLITE_DOWNLOAD_SQLITE3DLL”, which downloads an x64 SQLite3 DLL from the official AutoIt\r\nwebsite. 
SQLite3 is required for LodaRAT to extract sensitive information from browser databases and to\r\nenumerate any AV processes running on the infected hosts.\r\nHowever, “__SQLITE_DOWNLOAD_SQLITE3DLL” has long been rendered non-functional due to the\r\ndownload URL returning a 404 HTTP response. Since most LodaRAT samples store an x86 SQLite3 DLL as a\r\nvariable, which can only run on x86 systems, these variants are unable to download the x64 version, precluding\r\nthe attacker from successfully executing this function on x64-based targets. Due to this broken function, the\r\nattacker must provide the required DLL through other means.\r\n“Dead” SQLite3 download function\r\nIn the same sample with the expanded AV detection\r\n(c73771b3b8c6e548724dd02e5f12380a9160323d88dbdbe12d388ade0f7bc1e2),\r\n“__SQLITE_DOWNLOAD_SQLITE3DLL” has been removed, as well as the string variable containing the x86\r\nversion, significantly reducing the size of the script by 227 KB. A side effect of this removal is that it also makes\r\nthe older AV detection function useless, as LodaRAT requires SQLite3 to enumerate running AV processes, a\r\nchange which likely led to the aforementioned rewritten AV detection function.\r\nAn interesting section of dead code that continues to persist through all versions we have analyzed is the C2\r\ncommand “QURAN”. When LodaRAT receives this command from C2, it attempts to stream audio in Windows\r\nMedia Player from a Microsoft Media Server (MMS) at the URL shown below:\r\nEmbedded MMS URL\r\nModern versions of Windows Media Player are unable to stream audio from an MMS URL, as the functionality\r\nwas deprecated in 2008. The intended capability of the “QURAN” command is to stream audio of a prayer\r\nthrough the infected host’s speakers. 
It is unclear why this command has persisted throughout LodaRAT’s lifetime.\r\nInfecting attached storage\r\nAnother significant change we observed is a function that specifically copies LodaRAT’s files onto every mounted\r\nremovable storage device. While older versions of LodaRAT had similar capabilities, this new function has been\r\nexpanded to automatically enumerate all connected removable drives and copy the files over to each one. Older\r\nversions were not automated and required individual commands from C2 for copying to each drive.\r\nFunction that copies files to mounted removable drives (function and variable names renamed for\r\nclarity)\r\nString obfuscation\r\nDuring our analysis, one instance of LodaRAT utilized a string encoding algorithm that differed from previous\r\nversions we have observed. This new implementation was likely employed to improve the speed of execution.\r\nHistorically, most LodaRAT samples utilize string obfuscation by encoding strings with a simple custom encoding\r\nscheme. As each string is referenced in a function, a routine at the end of the script decodes it. Generally, the\r\nalgorithm in the decoding routine was the same through all obfuscated LodaRAT samples, aside from the\r\nrandomization of the static numerical values stored in the variables.\r\nTo decode a string, the encoded text is stripped of a specific character (in the case below, the character “s” is\r\nremoved) and then XORed with the three static values. An example of one of these functions is shown below:\r\nOlder decoding function (function and variable names renamed for clarity)\r\nHowever, during analysis, we observed a variant using a different string encoding/decoding method. While it is no\r\nmore complex than the older algorithm, this new method was likely implemented to improve the speed of\r\ndecoding strings. 
Rather than XORing the string with three separate numerical values, it simply subtracts from it\r\nwith a single value.\r\nNew decoding function (function and variable names renamed for clarity)\r\nS500\r\nBackground\r\nDuring our research, we observed a previously undocumented VenomRAT variant named S500 (or S500RAT)\r\ndropping LodaRAT. Like VenomRAT, S500 is a .NET commodity malware with Hidden Virtual Network\r\nComputing (HVNC) capabilities, which allows the attacker to run hidden desktop environments on infected hosts.\r\nThe advertising for S500 emphasizes its ability to copy user profiles from the victim's browser over to an attacker-controlled hidden browser.\r\nInitial release of S500\r\nS500 was originally announced in the beginning of April 2022 in the seller’s Telegram channel.\r\nIn May 2022, shortly after release, its full source code was leaked and made publicly available on GitHub. The\r\noriginal upload to GitHub has since been removed, but was re-uploaded in July 2022. After the leak, the seller\r\nattempted to sell off the S500 source code, but likely did not succeed.\r\nGitHub repository for leaked S500 source code\r\nComparing the S500 source code to leaked VenomRAT source code, it is readily apparent that S500 is largely\r\ncopied from VenomRAT; however, some functionality has been removed. Most of the method and variable names\r\nwere not changed, as shown below:\r\nVenomRAT method name in S500 source code\r\nThe “repackaging” of leaked source code as a new product is typically an attempt to provide easy income to\r\nlower-skilled threat actors. However, this blatant copying will most likely be viewed as stealing or plagiarism, and could\r\nbe a catalyst for retaliation from the original author or other threat actors. 
As such, retaliation is a likely\r\ncontributing factor for S500’s source leak.\r\nDropping LodaRAT\r\nThe S500 sample we discovered dropping LodaRAT was obfuscated and contained encrypted resources. The\r\nmethod and variable names were created with random characters from a writing system called Ge’ez, a script used\r\nby speakers of Amharic, a language native to Ethiopia.\r\nS500 method names in Ge’ez script\r\nIn the sample we analyzed, LodaRAT was stored as an encrypted resource and automatically decrypted and\r\ndropped on the infected host after execution.\r\nDecrypted LodaRAT in memory\r\nAlthough it is a stripped-down version of VenomRAT, S500 can still pose a significant threat to an infected host.\r\nIts ability to copy profiles from browsers can lead to serious data and financial loss. As its source code is now\r\npublicly available, various threat actors are likely to continue using this variant in the future.\r\nRedLine and Neshta\r\nDuring our research into LodaRAT’s activities, we identified an instance of LodaRAT bundled in a single payload\r\nwith the RedLine and Neshta malware families. While it’s unclear why the threat actor is deploying LodaRAT\r\nalongside a more advanced information-stealer like RedLine, a possible explanation is that LodaRAT is preferred\r\nby the attacker for performing a particular function.\r\nWhile LodaRAT and RedLine are both geared towards remote access and data theft, Neshta, written in the\r\nBorland Delphi programming language, is primarily a file infector. Threat actors have continued to deploy Neshta\r\nsince its discovery in 2003. 
To proliferate on an infected host, Neshta prepends itself to executables, causing it to\r\nexecute whenever an infected file is run.\r\nInitial Neshta payload\r\nThe initial file in this infection chain was a Neshta binary with a large packed overlay appended to the end of the\r\nfile. The overlay contained both the RedLine and LodaRAT payloads, and as shown in the image below, 95.47\r\npercent of the executable was the overlay.\r\nOverlay containing RedLine and LodaRAT\r\nOnce executed, Neshta begins to infect executable files throughout the system, and drops the second stage\r\ncontained in the overlay. The overlay is unpacked and stored as a file labeled “JQZEKD.exe,” which is internally\r\nnamed “Implosions.exe” in its Version Info metadata. This file is then placed in the directory\r\n“\\Users\\Administrator\\AppData\\Local\\Temp\\”, copied to the directory “C:\\Users\\psykotorhsrat2\\Desktop\\relise”,\r\nand renamed “Winupdate.exe”.\r\nOnce dropped, it is revealed that this second stage is also packed, but in this case using a custom implementation\r\nof Ultimate Packer for Executables (UPX). As an anti-unpacking measure, the typical section names created by\r\nUPX (UPX0, UPX1 etc.) were renamed to “aHc” and “Security,” therefore preventing automated unpacking.\r\nPEiD detecting UPX\r\nRenamed sections within secondary payload\r\nAs stated above, both the RedLine and LodaRAT payloads are stored within the binary, with RedLine stored in the\r\nsection “Security” and LodaRAT appended to the end of the binary as an overlay in a similar manner as the initial\r\nstage. The “aHc” section is empty and is eventually filled by the unpacked RedLine payload. 
Once executed, the\r\nLodaRAT and RedLine binaries are subsequently unpacked and executed.\r\nOverlay containing LodaRAT AU3 script\r\nAs shown below, the RedLine payload is internally labeled “Happy.exe”, and\r\ndoes not utilize any anti-analysis techniques. Due to the lack of any string obfuscation, the C2 address\r\n“34[.]174[.]95[.]150:54865” is stored as plain text within the method “EntryPoint”. As in most implementations of\r\nRedLine, the strings in this method are encrypted.\r\nRedLine methods\r\nEntryPoint() method containing C2 address\r\nAside from the historically unusual association with LodaRAT, the behavior of RedLine and Neshta in this case\r\nwas typical of their kind. The combination of RedLine, LodaRAT and Neshta all in the same binary is relatively\r\naggressive. The lack of evasion techniques and the minimal use of obfuscation shows that this threat actor is not\r\nconcerned with remaining undetected. This aggressive posture is indicative of a “smash and grab” style campaign.\r\nWhile this tactic is more likely to be detected by security products and analysts, it can still pose a serious threat, as\r\nthe threat actor is not concerned with the possible impact or damage they may inflict. The malware used in this\r\ninfection chain can provide a strong foothold for the threat actor in the event an attack is successful.\r\nOutlook\r\nOver the course of LodaRAT’s lifetime, the implant has gone through numerous changes and continues to evolve.\r\nWhile some of these changes appear to be purely for an increase in speed and efficiency, or reduction in file size,\r\nsome changes make Loda a more capable malware. As it grows in popularity, it is reasonable to expect additional\r\nalterations in the future. 
The ease of access to its source code makes LodaRAT an attractive tool for any threat actor\r\nwho is interested in its capabilities.\r\nDepending on the skill of the threat actors attempting LodaRAT customization, we are likely to see more complex\r\nand advanced variants in the wild. In conjunction with the appearance of new variants, it is expected that\r\nLodaRAT will continue to be dropped alongside other malware families. Being readily available and easy to\r\ncustomize, it has become an attractive tool for some attackers.\r\nAdditionally, with the rise of LodaRAT’s presence in the threat landscape, we may also see new malware from\r\nKasablanka, the original malware author. As their tool becomes more popular, detection rates are likely to\r\nincrease, thereby reducing LodaRAT’s effectiveness. As such, Kasablanka may opt for a new tool altogether.\r\nAs always, Cisco Talos will continue to monitor and provide coverage for these future changes and variants.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. The following Snort SIDs are applicable to this threat: 53031.\r\nThe following ClamAV signatures are applicable to this threat:\r\nTxt.Malware.LodaRAT-9769386-0\r\nWin.Malware.Bulz-9880537-0\r\nWin.Trojan.Neshuta-1\r\nWin.Malware.Zbot-9977624-0\r\nIOCs\r\nIOCs for this research can be found in our GitHub repository here. 
\r\nSHA256 File Hashes:\r\nLodaRAT: ac3c94d88bcd4833d6fc5ffde7379f90a8915863567990572f2fa0d7fe83d0da\r\nLodaRAT: e6bf1b38f9d4b2a2aeb00dc4c12dd22eff26c318665687b4653fe8269d39d878\r\nS500 + LodaRAT: c73771b3b8c6e548724dd02e5f12380a9160323d88dbdbe12d388ade0f7bc1e2\r\nNeshta + LodaRAT + RedLine: cd6a8e6b17a1ecb5aafb24ef4f7ec0ba0be44508ea10dbde551e0037220571f8\r\nRedLine: 50e2444e832e4c3ed711fcf27c038967c2c5f5037a4e0ea2cc6d53ef6ac54cfb\r\nDomains:\r\ncatkiller7767-64721[.]portmap[.]io\r\njudithabusufaitdyg[.]duckdns[.]org\r\nIPs:\r\n193[.]161[.]193[.]99\r\n34[.]174[.]95[.]150:54865\r\nSource: https://blog.talosintelligence.com/get-a-loda-this/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/get-a-loda-this/"
	],
	"report_names": [
		"get-a-loda-this"
	],
	"threat_actors": [
		{
			"id": "d4135989-e577-4133-bdae-a24243c832a4",
			"created_at": "2023-11-05T02:00:08.068657Z",
			"updated_at": "2026-04-10T02:00:03.396218Z",
			"deleted_at": null,
			"main_name": "Kasablanka",
			"aliases": [],
			"source_name": "MISPGALAXY:Kasablanka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434045,
	"ts_updated_at": 1775791527,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0dff41a85be2cd0c63fcb9e09c3a235d2e4a45ca.pdf",
		"text": "https://archive.orkl.eu/0dff41a85be2cd0c63fcb9e09c3a235d2e4a45ca.txt",
		"img": "https://archive.orkl.eu/0dff41a85be2cd0c63fcb9e09c3a235d2e4a45ca.jpg"
	}
}