{
	"id": "01290194-205e-40f5-a74c-a78a4d56a403",
	"created_at": "2026-04-06T00:17:50.026417Z",
	"updated_at": "2026-04-10T03:36:48.014643Z",
	"deleted_at": null,
	"sha1_hash": "6582fcc8c2821bb4a6b6ee73784bed810f37cf96",
	"title": "LokiBot – Phishing Malware Baseline",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 292200,
	"plain_text": "LokiBot – Phishing Malware Baseline\r\nArchived: 2026-04-05 18:41:20 UTC\r\nBy Madalynn Carr\r\nLokiBot is an Information Stealer whose capabilities expand depending on the threat actor. This malware family was originally written in C++ and targets Windows devices. LokiBot was first advertised in 2015 on underground markets in Eastern Europe; however, it was not common to see it in the wild until 2018. Since then, LokiBot has remained in the top five malware families delivered through phishing emails.\r\nHistory\r\nLokiBot first surfaced in March of 2015 on underground hacking forums, posted by a hacker with the alias “lokistov”, who is also known as “Carter”. This can be seen in Figure 1, where LokiBot was originally posted on an underground forum. LokiBot was originally advertised as a “Resident Loader and Password and CryptoCoin-wallet stealer.” It is assumed that lokistov is from a non-English speaking country, specifically an ex-USSR country. LokiBot was sold for upwards of $450 USD (roughly $540 USD at the time this report was written), depending on whether the buyer wanted the stealer or the loader, as well as on other add-ons such as a change in the C2 (Command and Control) IP address. After release, lokistov published an update every week until 2017, when lokistov released LokiBot V2. Since then, they have not updated the forums for LokiBot V1. Shortly after, around 2018, the LokiBot source code was leaked and is now being sold on forums for as low as $80 USD. There are two theories of how this happened. One is that somebody reversed the original LokiBot, recovered the source code, and then published the cracked version of the malware. The other theory is that lokistov was hacked, and the hacker published the stolen version.\r\nFigure 1: Original Posting of LokiBot by Lokistov.\r\nLokiBot became a popular malware choice for threat actors due to its low price and ease of use. Since then, lokistov has released LokiBot 2.0 and is currently selling it on underground forums. This newer version of the Information Stealer includes more evasive techniques and expands further into Keylogger, Remote Access Trojan (RAT), and even ransomware attributes.\r\nhttps://cofense.com/blog/lokibot-phishing-malware-baseline/\r\nPage 1 of 6\r\nNotable Uses\r\nBecause LokiBot has been around for a while, there have been a sizeable number of media pieces about LokiBot; however, none of them cover the campaigns that APT (Advanced Persistent Threat) groups are using this malware to conduct. The most recent use was in February of 2020, where LokiBot impersonated a Fortnite launcher, Fortnite being one of the most popular video games at the time. Since LokiBot is simple, adaptable and easily accessible, this malware has remained in the top 5 malware families seen at Cofense since 2019. During 2019 and 2020, LokiBot was a strong contender for the top malware family seen, constantly switching places with the ever-popular Agent Tesla.\r\nCapabilities\r\nAlthough LokiBot originated as an Information Stealer, it has been cracked and edited several times. LokiBot can have RAT or keylogger capabilities. However, the majority of LokiBot samples seen in the wild only demonstrate Information Stealer capabilities. LokiBot is capable of stealing credentials from over 100 different clients, including but not limited to:\r\nEmail Clients\r\nFTP Clients\r\nVNC Clients\r\nHTTP Browsers\r\nPassword Managers\r\nIM Clients\r\nSpecific examples of these applications can be found in Table 1; however, the list is not limited to just these specific applications.\r\nMozilla Firefox | Internet Explorer | Google Chrome | K-Meleon | Comodo Dragon\r\nSeaMonkey | Safari | CoolNovo | Opera | Chromium\r\nTitan Browser | Yandex Browser | Superbird Browser | Chrome Canary | Waterfox\r\nFlash FXP | Nexus File | JaSFtp | Syncovery | Remmina RDP\r\nFileZilla | CyberDuck | NovaFTP | FTPShell | NETFile\r\nmSecure Wallet | Fling | KiTTY | PuTTY | WinSCP\r\nOutlook | Mozilla Thunderbird | Pocomail | Gmail Notifier Pro | yMail\r\nPidgin | AI RoboForm | KeePass | EnPass | 1Password\r\nTable 1: List of example applications that LokiBot has the capability to steal from.\r\nIn the Wild\r\nLokiBot has always been seen at Cofense as one of the most popular malware families used by threat actors. Due to its simplistic nature and ease of use, low-skill threat actors can use LokiBot for a variety of malicious purposes. From 2019 up until around 2021, LokiBot would often be the most common malware family, followed by Agent Tesla Keylogger. At the time of this report, other malware families have appeared more often and have therefore pushed LokiBot down in the rankings. However, LokiBot is still in the top five malware families seen at Cofense. Figure 2 shows the percentage of LokiBot malware seen among other malware families in our Active Threat Reports (ATR), and although there was a small dip over the past year and a half, LokiBot has remained around eight percent of all malware seen each month.\r\nFigure 2: Loki Bot’s relative value seen at Cofense between January 2022 and July 2023.\r\nDelivery Mechanisms\r\nLokiBot is often seen by itself when it is delivered via email; however, as can be seen in Figure 2, there is still quite a large amount of LokiBot that is accompanied by a delivery mechanism. Out of the delivery mechanisms seen by Cofense, an overwhelming 82% of LokiBot samples accompanied by a delivery mechanism are delivered by CVE-2017-11882. However, out of all the LokiBot samples seen by Cofense, over half are delivered as a direct attachment.\r\nFigure 3: Delivery Mechanisms used to deliver Loki Bot between January 2022 and July 2023.\r\nVery rarely will LokiBot be delivered via embedded URLs or delivery mechanisms other than CVE-2017-11882, such as Visual Basic Scripts (VBS) or Windows Shortcut Files (LNK): just over one percent of LokiBot samples were seen to be delivered via those two delivery mechanisms combined between January 2022 and July 2023.\r\nBehavior\r\nLokiBot behaves in a very straightforward and simplistic way. Once LokiBot has been downloaded and run, it will unpack itself onto the system. From there, the malware will start collecting sensitive information from each of the programs it supports gathering information from. Once LokiBot has exhausted all the possible applications that can give up sensitive data, as well as any extra additions such as keystroke logging, it will create a customized HTTP packet and send it to the C2, as seen in Figure 4. As LokiBot is gathering the information into an HTTP packet, some versions of LokiBot will start to maintain persistence, while others may continue to run and occasionally connect in case any new credentials are stored on the machine.\r\nFigure 4: Example of an HTTP POST request from a computer infected with LokiBot.\r\nThis specific link is the final destination, where the information is presented to the threat actor. If one were to visit the page, they would be greeted with a captcha as well as a login page, as seen in Figure 5.\r\nFigure 5: Example of a LokiBot C2 Authentication Panel.\r\nDetection and Hunting\r\nLokiBot heavily depends on connecting to its C2, which generally makes it easy to detect. Due to the low volume of embedded URLs delivering LokiBot, the primary way to prevent LokiBot from being installed on a system is to not allow unknown downloads from suspicious emails. Most anti-virus software is good at catching LokiBot due to its simplicity, but there are also other ways to spot whether LokiBot is already installed on a system.\r\nUser Agent\r\nLokiBot can also be identified by a specific string found in the application as well as in the network traffic. LokiBot will always use the User Agent “Mozilla/4.08 (Charon; Inferno)” to connect to its C2s, as seen in Figure 4.\r\nNetwork Traffic\r\nAs previously mentioned, LokiBot will use the User Agent “Mozilla/4.08 (Charon; Inferno)” to post the credentials to its C2 Panel. LokiBot primarily uses HTTP to communicate with its C2. There are a variety of ways the URL can be formatted, but the path typically either ends in a PHP panel file or ends with “p=” followed by a unique set of numbers to differentiate the systems that LokiBot has infected. An example of this that Cofense has previously reported is: “hxxp[://]216[.]128[.]145[.]196/~wellseconds/?p=”. A more common example is the other IOC mentioned, the PHP panel, whose URL looks similar to: “hxxp[://]194[.]55[.]224[.]9/fresh1/five/fre[.]php”.\r\nfre.php gate.php aaaj.php nimda.php ight.php crkk.php\r\nfree.php wish.php base.php fred.php mono.php mime.php\r\nTable 3: Examples of PHP Panels that have been seen as a C2 for Loki Bot.\r\nThe examples listed in Table 3 are not an exhaustive list of all panel PHPs, as LokiBot can change the name of the PHP panel. However, the majority of LokiBot samples will use “fre.php” when connecting to their host.\r\nSource: https://cofense.com/blog/lokibot-phishing-malware-baseline/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cofense.com/blog/lokibot-phishing-malware-baseline/"
	],
	"report_names": [
		"lokibot-phishing-malware-baseline"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434670,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6582fcc8c2821bb4a6b6ee73784bed810f37cf96.pdf",
		"text": "https://archive.orkl.eu/6582fcc8c2821bb4a6b6ee73784bed810f37cf96.txt",
		"img": "https://archive.orkl.eu/6582fcc8c2821bb4a6b6ee73784bed810f37cf96.jpg"
	}
}