{
	"id": "e34cba0c-77f5-48d8-8cef-9ff20569d2da",
	"created_at": "2026-04-06T00:18:15.167092Z",
	"updated_at": "2026-04-10T03:34:00.987925Z",
	"deleted_at": null,
	"sha1_hash": "8549019a207798c84be83d3adb7c53e99ceeb82a",
	"title": "LokiBot (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50703,
	"plain_text": "LokiBot (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 19:51:08 UTC\r\napk.lokibot (Back to overview)\r\nLokiBot\r\nAndroid banker Trojan with the standard banking capabilities such as overlays and SMS stealing. It also features\r\nransomware functionality. Note that the network traffic is obfuscated the same way as in Android Bankbot.\r\nReferences\r\n2024-04-15 ⋅ Positive Technologies ⋅ Aleksandr Badaev, Kseniya Naumova\r\nSteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world\r\nLokiBot 404 Keylogger Agent Tesla CloudEyE Formbook Remcos XWorm\r\n2024-03-27 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nUncovering Malicious Infrastructure with DNS Pivoting\r\nLokiBot XWorm\r\n2023-08-03 ⋅ Kaspersky ⋅ Kaspersky\r\nWhat’s happening in the world of crimeware: Emotet, DarkGate and LokiBot\r\nLokiBot DarkGate Emotet\r\n2022-07-25 ⋅ muha2xmad ⋅ Muhammad Hasan Ali\r\nPDF Analysis of Lokibot malware\r\nLokiBot\r\n2022-06-29 ⋅ Github (vc0RExor) ⋅ Aaron Jornet Sales\r\nMachete Weapons Lokibot - A Malware Report\r\nLokiBot\r\n2021-06-10 ⋅ ZAYOTEM ⋅ Bilal BAKARTEPE, Harun YAKUT, Sinan BAYKAN, Taha HİCRET\r\nLokiBot Technical Analysis Report\r\nLokiBot\r\n2020-07-14 ⋅ SophosLabs Uncut ⋅ Markel Picado, Sean Gallagher\r\nRATicate upgrades “RATs as a Service” attacks with commercial “crypter”\r\nLokiBot BetaBot CloudEyE NetWire RC\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot\r\nPage 1 of 2\n\n2020-01-27 ⋅ Yoroi ⋅ Luca Mella, Luigi Martire\r\nAggah: How to run a botnet without renting a Server (for more than a year)\r\nLokiBot Azorult\r\n2017-10-01 ⋅ Threat Fabric ⋅ Niels Croese, Pham Duy Phuc, Wesley Gahr\r\nLokiBot - The first hybrid Android malware\r\nLokiBot\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot"
	],
	"report_names": [
		"apk.lokibot"
	],
	"threat_actors": [
		{
			"id": "d303c77e-0110-471b-a3a6-37fce9ac848d",
			"created_at": "2022-10-25T15:50:23.342452Z",
			"updated_at": "2026-04-10T02:00:05.373848Z",
			"deleted_at": null,
			"main_name": "Machete",
			"aliases": [
				"APT-C-43",
				"El Machete"
			],
			"source_name": "MITRE:Machete",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "316b23b5-e097-4dc6-8b1c-d096860c6c16",
			"created_at": "2022-10-25T16:07:24.290801Z",
			"updated_at": "2026-04-10T02:00:04.924688Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "ETDA:TA558",
			"tools": [
				"AZORult",
				"AsyncRAT",
				"Bladabindi",
				"ExtRat",
				"Jorik",
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Nymeria",
				"PuffStealer",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Rultazo",
				"Socmer",
				"Vengeance Justice Worm",
				"Vjw0rm",
				"Xtreme RAT",
				"XtremeRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0d07b30c-4393-4071-82fb-22f51f7749e0",
			"created_at": "2022-10-25T16:07:24.097096Z",
			"updated_at": "2026-04-10T02:00:04.865146Z",
			"deleted_at": null,
			"main_name": "RATicate",
			"aliases": [],
			"source_name": "ETDA:RATicate",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"BetaBot",
				"BlackRAT",
				"BlackRemote",
				"Bladabindi",
				"CloudEyE",
				"ForeIT",
				"Formbook",
				"GuLoader",
				"Jorik",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NSIS",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neurevt",
				"Nullsoft Scriptable Install System",
				"Origin Logger",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"ZPAQ",
				"njRAT",
				"vbdropper",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf91b389-9602-45c0-8d6b-c61d14800f54",
			"created_at": "2023-01-06T13:46:39.448277Z",
			"updated_at": "2026-04-10T02:00:03.332604Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "MISPGALAXY:TA558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434695,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8549019a207798c84be83d3adb7c53e99ceeb82a.pdf",
		"text": "https://archive.orkl.eu/8549019a207798c84be83d3adb7c53e99ceeb82a.txt",
		"img": "https://archive.orkl.eu/8549019a207798c84be83d3adb7c53e99ceeb82a.jpg"
	}
}