{
	"id": "04563165-a656-4f28-8ab7-a220c3d6cf23",
	"created_at": "2026-04-06T00:11:01.941518Z",
	"updated_at": "2026-04-10T13:11:24.259894Z",
	"deleted_at": null,
	"sha1_hash": "4d85011aac39ac796e5032eec23167c5cfddca1d",
	"title": "Lojack Becomes a Double-Agent | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 417386,
	"plain_text": "Lojack Becomes a Double-Agent | NETSCOUT\r\nArchived: 2026-04-05 18:20:04 UTC\r\nExecutive Summary\r\nASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage. Fancy Bear actors typically choose geopolitical targets, such as governments and international organizations. They also target industries that do business with such organizations, such as defense contractors. Lojack, formerly known as Computrace, is a legitimate laptop recovery solution used by a number of companies to protect their assets should they be stolen. Lojack makes an excellent double-agent because it appears to be legitimate software while natively allowing remote code execution. Although the initial intrusion vector for this activity remains unknown, Fancy Bear often utilizes phishing email to deliver payloads. NOTE: Arbor APS enterprise security products detect and block all activity noted in this report.\r\nKey Findings\r\nASERT researchers identified Lojack agents containing command and control (C2) domains likely associated with Fancy Bear operations.\r\nProofs of concept using Lojack as a backdoor or intrusion vector date back to 2014. Its continued use suggests attackers could have used it in long-running operations.\r\nInitially, the Lojack agents containing rogue C2s had low Anti-Virus (AV) detection, which increased the probability of infection and subsequent successful C2 communication.\r\nThe distribution mechanism for the malicious Lojack samples remains unknown. However, Fancy Bear commonly uses phishing to deliver malware payloads, as seen with Sedupload in late 2017.\r\nUPDATE\r\nMay 3, 2018 – After the disclosure of the malicious Lojack binaries, many Anti-Virus vendors were quick to respond by properly marking samples as \"malware\" and \"DoubleAgent\", rather than \"Riskware\" or \"unsafe\" (Figure 2).\r\nMay 4, 2018 – UPDATE FROM ABSOLUTE SOFTWARE:\r\n\"The analysis of the samples provided by Arbor shows all were based on an illicitly modified old version of the LoJack agent from 2008 and no customers or partners have been impacted. For customers who wish to confirm no legacy agents are present in their environment, we have published an advisory with steps to verify all installed agents are legitimate copies of the LoJack product.\"\r\nMay 9, 2018 – Disclaimer:\r\nPrior reports have misidentified LoJack instead of Absolute LoJack for Laptops, also known as Computrace. LoJack for Laptops and Computrace are products of Absolute, not LoJack or CalAmp.\r\nhttps://asert.arbornetworks.com/lojack-becomes-a-double-agent/\r\nPage 1 of 7\r\nLojack Summary\r\nAbsolute Software, the creator of Lojack, says on its website (https://www.absolutelojack.com/) that the agent can locate and lock a device remotely. Additionally, it can delete files, making it an effective laptop theft recovery and data wiping platform. Lojack can survive hard drive replacements and operating system (OS) re-imaging. The agent achieves this persistence through a modular design, as noted by Vitaliy Kamlyuk, Sergey Belov, and Anibal Sacco in a presentation at Blackhat 2014 (Figure 1):\r\nFigure 1: Lojack persistence mechanism (Paraphrased from https://www.blackhat.com/docs/us-14/materials/us-14-Kamluk-Computrace-B…).\r\nThe aforementioned researchers suggest the binary modification of the \"small agent\" is trivial. The Lojack agent protects the hardcoded C2 URL using a single-byte XOR key; however, according to the researchers, it blindly trusts the configuration content. Once an attacker properly modifies this value, the double-agent is ready to go. This is not the only aspect that makes Lojack an appealing target. Attackers are also concerned about AV detection. Looking on VirusTotal, some anti-virus vendors flag Lojack executables as \"unsafe\", but as noted, as of May 3 many AV vendors now flag the binaries as malware and DoubleAgent (Figure 2).\r\nFigure 2: VirusTotal AV Report of cf45ec807321d12f8df35fa434591460\r\nOriginally, the low AV detection allowed the attacker to hide in plain sight, an effective double-agent. The attacker simply needs to stand up a rogue C2 server that simulates the Lojack communication protocols. Finally, Lojack's \"small agent\" allows for memory reads and writes, which grant it remote backdoor functionality when coupled with a rogue C2 server.\r\nLojack Double-Agent\r\nASERT has identified five Lojack agents (rpcnetp.exe) pointing to four different suspected domains. Fancy Bear has been tied to three of the domains in the past.\r\nHash | Compilation Time | Size in Bytes | Rogue C2 Servers | AV Detection on VT\r\nf1df1a795eb784f7bfc3ba9a7e3b00ac | 2008-04-01 19:35:07 | 17,408 | sysanalyticweb[.]com | 2/67\r\n6eaa1ff5f33df3169c209f98cc5012d0 | 2008-04-01 19:35:07 | 17,408 | sysanalyticweb[.]com | 4/66\r\nf3c6e16f0dd2b0e55a7dad365c3877d4 | 2008-04-01 19:35:07 | 17,408 | elaxo[.]org | 3/62\r\ncf45ec807321d12f8df35fa434591460 | 2008-04-01 19:35:07 | 17,408 | ikmtrust[.]com | 2/64\r\nf391556d9f89499fa8ee757cb3472710 | 2008-04-01 19:35:07 | 17,408 | lxwo[.]org | 9/65\r\nTable 1: Lojack Double-Agents on VirusTotal\r\nBinary Comparisons\r\nASERT believes all these binaries are rpcnetp.exe (small agent) due to the following characteristics:\r\nSize matching: 17,408 bytes\r\nYara match on either \"TagId\" and \"rpcnetp.exe\", or the set of op codes\r\nMatching export function \"rpcnetp\" in the binaries.\r\nAfter confirming the stage of the Lojack agent, binary comparison analysis confirmed that they were legitimate Lojack samples. The comparison also highlighted that the attacker did not graft additional functionality into the binary. ASERT used the presence of search.namequery[.]com in the binary and the Yara rule to identify legitimate Lojack samples. Lojack's Absolute Software Corp. owns search.namequery[.]com; we have no evidence the legitimate site has been used for nefarious purposes. NOTE: All samples, both rogue and the two \"clean\" samples (below), matched 100% based on Diaphora's function matching algorithm.\r\n\"Clean\" Samples:\r\n1. e78e3b0171b189074d2539c7baaa0719\r\n2. ac1a85d3ca1b6265cad4ed41b696f9b7\r\nOnly the presence of the rogue C2s makes the samples in Table 1 malicious. The attackers are merely hijacking the communication used by Lojack, thereby granting themselves backdoor access to machines running the software.\r\nFancy Bear Attribution\r\nASERT assesses with moderate confidence that the rogue Lojack agents are attributable to Fancy Bear based on shared infrastructure with previous operations. The following domains, extracted from the rogue Lojack agents, trace back to Fancy Bear operations:\r\n1. elaxo[.]org\r\n2. ikmtrust[.]com\r\n3. lxwo[.]org\r\n4. sysanalyticweb[.]com (Figure 3 & Figure 4)\r\nResearchers from Jigsaw Security, based on leads from Talos in late 2017, traced the domains elaxo[.]org and ikmtrust[.]com and the tool Sedupload to a Fancy Bear operation. The domain lxwo[.]org appeared in a blog post from Threat Intel Recon, where it resolved to an IP address within a document attributed to Fancy Bear. The rogue Lojack samples containing the sysanalyticweb[.]com domain were only recently spotted in the wild (April 2018). Despite the hijack of this software being a publicly known tactic, there are many similarities in the binary comparisons (above) and infrastructure analysis (below) that increase the probability it is the same actor(s):\r\nAll the listed domains are associated with the same Lojack agent utilizing the same compile time.\r\nThe domains in question all contain nonsensical Registrant information, where the actor tends to copy/paste the same information into multiple fields.\r\nEach domain includes a Registrant Name (often a nonsensical word), but additionally includes a similar word in the Registrant Organization field. This is interesting because that field is often skipped when a Registrant Name is present, but this actor(s) regularly utilizes both fields.\r\nFigure 3. XORed C2 Server - NETSCOUT\r\nFigure 4. Live (April 2018) C2 - NETSCOUT\r\nConclusion & Recommendations\r\nHijacking legitimate software is a common enough tactic for malicious actors. A key factor making this activity so devious is that the malicious Lojack samples were simply labeled \"unsafe\", \"suspicious\", or \"DangerousObject\", rather than malware. As a result, rogue Lojack samples could fly under the radar and give attackers a stealthy backdoor into victim systems. ASERT recommends scanning for rogue Lojack agents using the Yara signature listed in the Appendix (below) and blocking the domains contained within this blog.\r\nAppendix: Yara Signature\r\nrule ComputraceAgent\r\n{\r\n    meta:\r\n        description = \"Absolute Computrace Agent Executable\"\r\n        thread_level = 3\r\n        in_the_wild = true\r\n    strings:\r\n        $a = {D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04}\r\n        $mz = {4d 5a}\r\n        $b1 = {72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00}\r\n        $b2 = {54 61 67 49 64 00}\r\n    condition:\r\n        ($mz at 0) and ($a or ($b1 and $b2))\r\n}\r\nCode Snippet 1: Yara signature to detect Computrace/Lojack agent (Retrieved from https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Comp…)\r\nSource: https://asert.arbornetworks.com/lojack-becomes-a-double-agent/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asert.arbornetworks.com/lojack-becomes-a-double-agent/"
	],
	"report_names": [
		"lojack-becomes-a-double-agent"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434261,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d85011aac39ac796e5032eec23167c5cfddca1d.pdf",
		"text": "https://archive.orkl.eu/4d85011aac39ac796e5032eec23167c5cfddca1d.txt",
		"img": "https://archive.orkl.eu/4d85011aac39ac796e5032eec23167c5cfddca1d.jpg"
	}
}