{
	"id": "def5b063-cd76-4164-9a06-2bef01086913",
	"created_at": "2026-04-06T00:19:55.140149Z",
	"updated_at": "2026-04-10T03:21:25.705331Z",
	"deleted_at": null,
	"sha1_hash": "89a37a237d997cbcbe5359662f9ae3b695c067a2",
	"title": "LodaRAT Update: Alive and Well",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3811406,
	"plain_text": "LodaRAT Update: Alive and Well\r\nBy Chris Neal\r\nPublished: 2020-09-29 · Archived: 2026-04-02 11:25:03 UTC\r\nTuesday, September 29, 2020 12:41\r\nDuring our continuous monitoring of LodaRAT, Cisco Talos observed changes in the threat that add new\r\nfunctionality.\r\nMultiple new versions of LodaRAT have been spotted being used in the wild.\r\nThese new versions of LodaRAT abandoned their previous obfuscation techniques.\r\nDirect interaction with the threat actor was observed during analysis, indicating the actor is actively\r\nmonitoring infected hosts.\r\nWhat's New?\r\nTalos recently identified new versions of LodaRAT, a remote access trojan written in AutoIt. Not only have these\r\nversions abandoned their usual obfuscation techniques, but several functions have also been rewritten and new\r\nfunctionality has been added. In one version, a hex-encoded PowerShell keylogger script has been added, along\r\nwith a new VB script, only to be removed in a later version. Direct interaction from the threat actor was observed\r\nduring analysis.\r\nSo What?\r\nSince our blog post on Loda in February 2020, Talos has been continually monitoring LodaRAT for new behavior.\r\nRecently there have been several changes that indicate that the authors are learning new techniques to improve the\r\neffectiveness of Loda. While these changes are somewhat minor, it shows that the authors are continually\r\ndeveloping Loda into a more robust RAT.\r\nDistribution\r\nIn previous campaigns, the infection chain started with a malicious Microsoft Word document that downloaded a\r\nsecond document which then exploited CVE-2017-11882. The exploit payload in turn downloaded an MSI that\r\ncontained the compiled Loda AutoIt script.\r\nThe samples analyzed in this post were distributed in a much simpler manner. Loda is now being distributed via a\r\nmalicious RAR archive attached to phishing emails. Here's a look at one of these emails:\r\nhttps://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html\r\nPage 1 of 11\n\nThe RAR attachments have the file extension \".rev\" and contain the compiled Loda AutoIt binary. Actual \".rev\"\r\nfiles are recovery files that can be created alongside multi-volume RAR archives. However, the files attached to\r\nthese emails were standard RAR files with the extension name changed.\r\nThe overall complexity of this infection chain is significantly lower than previous campaigns, which may be a\r\ndetriment to the effectiveness of the current campaigns. Execution relies solely on the target user double-clicking\r\non the binary and running it, rather than triggering an exploit to start an infection chain that is more or less\r\nautomated.\r\nMalware\r\nDuring our investigation, multiple versions of Loda were found to be distributed at the same time. The overall\r\nfunctionality of the different versions is quite similar to one another, with some key differences. The different\r\nversions being used at the same time could indicate that there are several threat actors using Loda, with each actor\r\nin possession of a different version. In our investigation, most samples found in the wild are older versions — the\r\nnewest versions being less common.\r\nThe version numbers embedded in Loda do not have a reliable order. In our previous Loda post, the version\r\nnumber was \"1.1.1,\" which has not been incremented in some new versions, even though there have been multiple\r\nupdates and changes. However, we have also identified a new version labeled \"1.1.7\" which has additional\r\nchanges to its code and functionality. Consequently, these numbers should be considered unreliable as the sole\r\ndetermining factor for identifying the version of Loda being analyzed. The string \"beta\" has been seen in every\r\nversion of Loda as well.\r\nVersion number 1.1.1\r\nVersion number 1.1.7\r\nObfuscation\r\nThe most readily apparent change in these new iterations of Loda is the complete removal of any obfuscation.\r\nTypically, Loda utilizes a combination of string obfuscation and function name randomization. These techniques\r\nmay have been abandoned since they no longer provide a significant reduction in AV detection. The image below\r\nshows obfuscated code from a previous version of Loda, containing both random function names and string\r\nobfuscation.\r\nThe next image is of the same section of code from the recent version of Loda. The functions have meaningful\r\nnames and there is a complete lack of string obfuscation.\r\n1.1.1\r\nAs for new functionality, the new version labeled as 1.1.1 has implemented a PowerShell keylogger that is stored\r\nas a hex-encoded string as shown below:\r\nHex-encoded PowerShell script\r\nDecoded keylogger\r\nThis PowerShell script appears to be copied and pasted from a short blog post with the comments removed. If the\r\ncommand \"MgPlugUp\" is received from C2, the script is written to a file called \"tmpwstz21.ps1\" and executed.\r\nThe logs are output into the temp directory as a text file named with the current date.\r\nA VB script has also been added that searches for the Loda AutoIt script by process name to ensure only one\r\ninstance is running. This script is also partially stored as a hex-encoded string that is decoded and appended to a\r\nfile called \"BYDVRI.vbs\".\r\nHex-encoded script\r\nDecoded VB script\r\n1.1.7\r\nThe version of Loda labeled as 1.1.7 has made several changes, most notably removing the PowerShell script and\r\nthe VB script mentioned above. Numerous small improvements have been made to the code's syntax and\r\ncleanliness, although a large portion remains unchanged. This newest version focuses on what Loda was originally\r\nintended for: stealing passwords and cookies from browsers.\r\nThe only new function in 1.1.7 is shown below. First, Loda detects the OS version by using the AutoIt macro\r\n\"@OSVERSION\" and copies itself to either the Temp or startup directories depending on the version of Windows.\r\nAfter copying itself, it then executes the copy.\r\nAlthough the version number is 1.1.7, this iteration of Loda appears to have reduced functionality. Some code may\r\nhave been removed or altered for the sake of reliability.\r\nUseless Code\r\nThere are two functions that persist through all versions of Loda that are effectively useless. The first being the\r\ncommand \"QURAN.\" This command is intended to stream audio in Windows Media Player of a reading of the\r\nQuran on the infected host using the deprecated MMS protocol (Microsoft Media Server). The URL for this\r\nstream is \"live.mp3quran[.]net:9976\" which seems to no longer exist, effectively making the command unusable.\r\nThis command is outlined in the previous LodaRAT post.\r\nThe second function is \"__SQLITE_DOWNLOAD_SQLITE3DLL\" which attempts to download a SQLite3 DLL\r\nfrom a dead URL.\r\nC2\r\nFor both versions, C2 communication has shifted to abusing legitimate services. Ngrok.io and portmap.io were\r\nboth observed to be used during analysis. These services are intended to be used by developers and administrators\r\nto communicate with hosts not directly connected to the internet but can easily be abused by threat actors for\r\npurposes of anonymization. Talos has previously covered threats that use this technique and can be read about\r\nhere.\r\nWhile performing analysis on version 1.1.1, several commands from C2 were observed in real-time. The first\r\ncommand that Loda typically receives from C2 is the \"Screen\" command, which sends a screenshot of the infected\r\nhost back to C2. This command is sent at regular intervals to continuously provide the threat actor with a current\r\nscreenshot of the host.\r\nAfter several screenshots were sent to the C2 server, the threat actor responded and interacted directly with our\r\nanalysis machine. The command \"MpS8x\" was used to generate a small VB script to display a message box with a\r\ncustom message.\r\n\"MpS8x\" command\r\nJudging from the content of the message, the threat actor realized the malware was running in a sandbox. An\r\ninteresting aspect of this interaction is that there is no sandbox detection function within Loda itself. Prior to this\r\nmessage box, there was no data sent to C2 that indicated that the malware was running on a virtual machine.\r\nWithout this functionality, the threat actor realized they were looking at a sandbox purely from the appearance of\r\nthe screenshot. This direct interaction indicates that the threat actor is actively monitoring infected hosts.\r\nPacket capture of the interaction\r\nResulting message box\r\nIt is worth reiterating that most instances of Loda found in the wild are older versions that still use the same\r\ntechniques. The unobfuscated versions analyzed in this post are quite rare in comparison to previous versions. The\r\nfrequency of use may increase over time if the new iterations of Loda prove to be effective. It is also worth\r\nmentioning that these versions may also soon employ string obfuscation and function name randomization, as\r\nLoda has historically used these techniques regularly.\r\nConclusion\r\nLoda continually proves to be an effective RAT and consistently changes and adds to its functionality. While some\r\nof these changes are minor and simplified in some ways, it displays that Loda is constantly evolving. This\r\nmalware poses a serious threat to an infected host due to its capabilities. Loda may be simple, but it is more than\r\neffective enough to cause serious financial damage.\r\nCOVERAGE\r\nSnort [SID] 53031\r\nOSQUERY\r\nCisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected\r\nwith this specific threat. For specific OSqueries on this threat, click below:\r\nLoda RAT File Path\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nAttachments\r\n0d181658d2a7f2502f1bc7b5a93b508af7099e054d8e8f57b139ad2702f3dc2d\r\nfcbaf2e5ed0b1064da6a60101f231096164895328fd6c338b322b163d580b6e3\r\ncf40e1ec36f44e20a9744e8038987527027e2a6ee7e96d9044842f92ece9d7e8\r\n05d2fa5bb97f37edaaff99f58ffedbd438e928fb3881ede921a19b07fb884b0b\r\n1.1.1\r\n866397c8db26190c5a346bd863d9beb81e53d96011af9a3be6eeb713bbb57287\r\ncfb12ee4004cea2a396e1cecd7105760b17a73a67a95156d675cfec76fc37ba2\r\n70526973e70acef4a71f474b0e321b9e600a327522903ee6bfac4e6f07935f7f\r\nf169680d8f24694e2d99c9df31988511e212e088f4dc2854ef059915019e8348\r\n1.1.7\r\n2d317bcccea4739b2deefcc3b14cf5eafe147162f62c5ff1288db3635b5c3f10\r\nC2\r\nhttp://roodan888tools[.]atwebpages[.]com/ng.txt\r\nIPs associated with samples:\r\n193[.]161[.]193[.]99\r\n174[.]126[.]51[.]178\r\nSource: https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html"
	],
	"report_names": [
		"lodarat-update-alive-and-well.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434795,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89a37a237d997cbcbe5359662f9ae3b695c067a2.pdf",
		"text": "https://archive.orkl.eu/89a37a237d997cbcbe5359662f9ae3b695c067a2.txt",
		"img": "https://archive.orkl.eu/89a37a237d997cbcbe5359662f9ae3b695c067a2.jpg"
	}
}