{
	"id": "12109fe3-5ba3-4eb0-a1c7-2bc629e0f8d7",
	"created_at": "2026-04-06T00:11:16.801828Z",
	"updated_at": "2026-04-10T03:31:13.781454Z",
	"deleted_at": null,
	"sha1_hash": "284e5482f95e7ccc36fc4a07db765114c62e03f8",
	"title": "New Loki Variant Being Spread via PDF File",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2091252,
	"plain_text": "New Loki Variant Being Spread via PDF File\r\nBy Xiaopeng Zhang and Hua Liu\r\nPublished: 2017-05-17 · Archived: 2026-04-05 20:42:48 UTC\r\nBackground\r\nThe Loki Bot has been observed for years. As you may know, it is designed to steal credentials from installed software on a victim’s machine, such as email clients, browsers, FTP clients, file management clients, and so on.\r\nFortiGuard Labs recently captured a PDF sample that is used to spread a new Loki variant. In this blog, we will analyze how this new variant works and what it steals.\r\nThe PDF sample\r\nhttps://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file\r\nPage 1 of 10\r\nFigure 1. Content of the PDF sample\r\nThe PDF sample only contains one page, shown above, which includes some social engineering content to entice users to download and run the malware.\r\nFigure 2. Objects inside the PDF sample\r\nAccording to the sample content (Figure 2), an annotation object in the sample includes a URI action, from which the malware is downloaded.\r\nAdds itself to the Startup folder\r\nWhen this malware is executed the very first time, it copies itself to “%AppData%\\subfolder” and renames it to “citrio.exe” in my test environment. It then creates a VBS file which can start “citrio.exe”. Figure 3 shows its code. The VBS file is added to the Startup folder in the system Start Menu so it runs automatically whenever the system starts. After all these actions are complete, “citrio.exe” is started.\r\nFigure 3. The VBS file in Startup with its code\r\nHow the new Loki variant works\r\nAll the APIs called by this malware are hidden, and each one is restored only just before it is called. This increases the difficulty for researchers to analyze it. Figure 4 shows an example. After calling the sub_4031E5 function with the hash (C5FA88F1h) and DLL number (0Ah), eax points to the API \"CommandLineToArgvW\".\r\nFigure 4. Restoring the hidden API\r\nThe author of the malware has written a number of functions for stealing credentials from a victim’s machine. There is an array that is used to store the function pointers. Figure 5 shows part of the function pointers.\r\nFigure 5. Array with function pointers\r\nAs you may have noticed, I added the comment behind each function to show you which software it steals credentials from. The malware calls those functions one by one in a loop. Here is the list of most of the software whose credentials can be stolen.\r\nBrowser software:\r\nMozilla Firefox, IceDragon, Safari, K-Meleon, Mozilla SeaMonkey, Mozilla Flock, NETGATE Black Hawk, Lunascape, Comodo Dragon, Opera Next, QtWeb, QupZilla, Internet Explorer, Opera, 8pecxstudios, Mozilla Pale Moon, Mozilla Waterfox.\r\nIM software:\r\nPidgin.\r\nFTP software:\r\nFTPShell, NppFTP, oZone3D MyFTP, FTPBox, sherrod FTP, FTP Now, NetSarang xftp, EasyFTP, SftpNetDrive, AbleFTP, JaSFtp, Automize, Cyberduck, FTPInfo, LinasFTP, FileZilla, Staff-FTP, BlazeFtp, FTPGetter, WSFTP, GoFTP, Estsoft ALFTP, DeluxeFTP, Fastream NETFile, ExpanDrive, Steed, FlashFXP, NovaFTP, NetDrive, SmartFTP, UltraFXP, FTP Now, FreshFTP, BitKinex, Odin Secure FTP Expert, NCH Software Fling, NCH Software ClassicFTP, WinFtp Client, WinSCP, 32BitFtp, FTP Navigator.\r\nGame software:\r\nFull Tilt Poker, PokerStars.\r\nFile manager software:\r\nNexusFile, FullSync, FAR Manager, Syncovery, VanDyke SecureFX, Mikrotik Winbox.\r\nSSH/VNC client software:\r\nSuperPutty, Bitvise BvSshClient, VNC, KiTTY.\r\nPassword manager software:\r\nmSecure, KeePass, EnPass, RoboForm, 1Password.\r\nEmail client software:\r\nMozilla Thunderbird, foxmail, Pocomail, IncrediMail, Gmail Notifier Pro, DeskSoft CheckMail, Softwarenetz Mailing, Opera Mail, Postbox email, Mozilla FossaMail, Internet Mail, MS Office Outlook, WinChips, yMail2, Flaska.net Trojita, TrulyMail.\r\nNotes/Todo list software:\r\nTo-Do DeskList, Stickies, NoteFly, Conceptworld Notezilla, Microsoft StickyNotes.\r\nStealing Microsoft Outlook Credentials and Stickies Pictures\r\nFrom the above analysis, it is clear that this new Loki variant is capable of stealing credentials from more than 100 different software tools (if installed). In this section, we are going to present how it steals the credentials of Microsoft Outlook and pictures from Stickies.\r\nTo do this, it goes through three sub-keys (for three different versions) in the system registry to get saved email accounts, email addresses, usernames, passwords, SMTP, POP3 and IMAP related information, and so on.\r\nThe three sub-keys are:\r\nFigure 6. Microsoft Outlook saves credentials in the registry\r\nFigure 7. Copying sub-key “POP3 Password”\r\nWhat you can see in the above figures are the Outlook credentials in the system registry of my test environment. The malware is able to read them from here by calling the API “SHQueryValueExW”. All stolen information is stored in a global buffer. See Figure 8.\r\nFigure 8. Stolen Outlook credentials in global buffer\r\nFor the Stickies attack, since I didn’t have that software installed I simply modified my test machine to simulate that it was installed. Here we go.\r\nFigure 9 shows part of the code for Stickies. It gets the strings “*.png”, “*.rtf” and “%s\\stickies\\images”, which are dynamically created before use. The malware steals png and rtf files from the sub-folders “\\stickies\\images” and “\\stickies\\rtf” in several system directories, such as %AppData% and %UserProfile%.\r\nFigure 9. Code snippet for Stickies\r\nI created a sub-folder “%AppData%\\stickies\\images” and put a .png file into it. Loki reads the png file into that global buffer behind the Outlook data. It also collects system information from the victim’s machine, such as computer name, user name, processor property, etc. After all collected information is ready, it sends it to its C\u0026C server using an HTTP POST request, the body of which is the data stolen from the victim’s machine. The data is delivered in a compressed format. Figure 10 shows a screenshot of the packet in WireShark.\r\nFigure 10. Send the data stolen from Outlook and Stickies to the C\u0026C server\r\nSolution\r\nThe URL “194.88.105.202/~ninjagro/pdfs/QUOTATION.exe” has been rated as Malicious Websites and “online-prodaja.rs/tz/Panel/five/fre.php” as Phishing by the FortiGuard Webfilter service.\r\nThe downloaded exe file has been detected as W32/Injector.DONO!tr and the PDF file as Data/Loki_Phish.A!tr by the FortiGuard Antivirus service.\r\nIoC\r\nURL:\r\n\"194.88.105.202/~ninjagro/pdfs/QUOTATION.exe\"\r\n\"online-prodaja.rs/tz/Panel/five/fre.php\"\r\nSample SHA256:\r\nQUOTATION (1).pdf\r\nE71379A53045385C4AC32E5BE75A04E3D2A9FC7B707FB4478CE90FE689F66D19\r\nQUOTATION.exe\r\nFA417E0B42362C40301750809DF9F0C9BDBF333269F50F74832D4F471358AAED\r\nSource: https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file"
	],
	"report_names": [
		"new-loki-variant-being-spread-via-pdf-file"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434276,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/284e5482f95e7ccc36fc4a07db765114c62e03f8.pdf",
		"text": "https://archive.orkl.eu/284e5482f95e7ccc36fc4a07db765114c62e03f8.txt",
		"img": "https://archive.orkl.eu/284e5482f95e7ccc36fc4a07db765114c62e03f8.jpg"
	}
}