{
	"id": "cac8e773-0087-43ff-a0f7-4eb2ed24c330",
	"created_at": "2026-04-06T01:32:06.706471Z",
	"updated_at": "2026-04-10T03:21:11.964354Z",
	"deleted_at": null,
	"sha1_hash": "8d4765ddaff214b3a0476f4815793056d4b81ca7",
	"title": "Hiding in Plain Sight: The Subtle Art of Loki Malware’s Obfuscation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1163569,
	"plain_text": "Hiding in Plain Sight: The Subtle Art of Loki Malware’s Obfuscation\r\nBy Anish Bogati\r\nArchived: 2026-04-06 00:18:16 UTC\r\nBackground\r\nWhile browsing through recent uploads in MalwareBazaar — a comprehensive database of known malware samples — we discovered a Loki malware sample belonging to a previously unexamined malware family.\r\nLoki is a type of information-stealing malware known for exfiltrating sensitive data, such as credentials, cryptocurrency wallets, and other personal information, often targeting Windows systems. It typically employs various techniques for persistence, obfuscation, and communication with its command-and-control (C2) servers, making it a significant threat in the cyber landscape.\r\nIntrigued by its potential uniqueness, we selected it for further analysis. In this blog, we will focus exclusively on the initial stages of the infection.\r\nMalwareBazaar Sample\r\nSample Analysis\r\nDuring dynamic analysis, the sample exhibited several familiar behaviors often observed in other malware we've encountered regularly. However, as we dug deeper, we noticed a range of underlying functions that set it apart. Interestingly, at the time of this analysis, the initial delivery sites for this malware were still active.\r\nDownloading the payload from the site\r\nWith the sample downloaded, let's dive into the analysis. The initial HTA file contains multiple layers of URL encoding. After decoding, we found the payload was further obfuscated using Base64 encoding and a character substitution technique.\r\nhttps://logpoint.com/en/blog/emerging-threats/hiding-in-plain-sight-the-subtle-art-of-loki-malwares-obfuscation\r\nPage 1 of 7\r\nDecoding the HTA payload in CyberChef\r\nWe obtained a PowerShell command that, once decoded, revealed the following.\r\nThis is the decoded code:\r\nThe payload uses PowerShell to execute additional actions. Specifically, it loads urlmon.dll and leverages its functions to download a payload from the URL hxxp://104[.]168[.]7[.]52/35/picturewithattitudeeventforallthings.tif. Once downloaded, this file is saved as picturewithattitudeeventforallthings.vbs under the %user%\\AppData\\Roaming\\ directory.\r\nAfter the VBS file was executed with wscript.exe, the following command was executed:\r\nOnce again, Base64 encoding and junk character insertion were used to obfuscate the command. The purpose of this command is to download an image from Google Drive at the URL hxxps://drive[.]google[.]com/uc?export=download\u0026id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0.\r\nSteganography has been applied to the image to conceal additional Base64-encoded instructions.\r\nGoogle Drive hosted image\r\nThe script retrieves the hidden, obfuscated, reversed Base64 payload from the Google Drive image, decodes it, loads it as a .NET assembly, and then invokes a method within that assembly. Each step includes layers of obfuscation—such as string concatenation, junk insertion, Base64 reversal, and dynamic replacements—to hinder analysis and evade detection. This technique, commonly used in malware, allows malicious code to be loaded dynamically without being directly written to disk.\r\nHere is the Base64-encoded payload, which was embedded in reverse order within the image.\r\nIn summary, the VBS payload instructs the system to visit an image hosted on Google Drive, where it retrieves a hidden, Base64-encoded payload. This encoded portion is then reversed, decoded, and the code is injected into the aspnet_regbrowsers.exe process, as seen in the Process Tree below.\r\nProcess tree of infection chain\r\nThe injected process then starts communicating with the C2 and attempts to drop other payloads onto the system; at the time of testing, the server was already down, so we were not able to observe further activity.\r\nNetwork Connection to C2\r\nDetection of Loki with guardsix SIEM\r\nAs demonstrated in the Loki sample analyzed above, the techniques employed are commonly utilized by other initial loaders and droppers to evade detection. Detecting these techniques is critical, as they reflect an increasing trend among malware to bypass conventional defenses.\r\nTo effectively detect these behaviors, having proper auditing configurations in place is crucial to ensure the generation of relevant logs. Specific log sources are fundamental for effective threat detection and hunting. Below is a list of key sources required for our detection strategy with guardsix SIEM:\r\n1. Windows\r\nProcess creation with command-line auditing should be enabled.\r\n2. Windows Sysmon\r\nTo get started, you can use our sysmon baseline configuration.\r\n3. Network Logs\r\nFirewall, IDS/IPS logs\r\nBelow is a list of vendor alerts that can help detect the aforementioned techniques used by malware.\r\n1. Suspicious MSHTA Process Pattern\r\nThe initial payload execution of .vbs was done with mshta.exe, a Windows internal binary. This alert can detect such behavior as it looks for the execution of mshta.exe from suspicious locations or the execution of a file from a non-standard path.\r\n2. Suspicious PowerShell Parameter Substring Detected\r\nGiven that many of the attack steps utilized PowerShell and its cmdlets, this alert detects the use of suspicious PowerShell cmdlets commonly linked to malicious activities, such as executing Base64-encoded payloads or downloading remote files through PowerShell cmdlets.\r\n3. Usage of Web Request Command\r\nMultiple stages of payloads were downloaded, so this alert can be used to detect events where Windows binaries and PowerShell cmdlets have been used to download files.\r\n4. Suspicious File Execution Using Wscript or Cscript\r\nThe VBS payload was executed using wscript.exe, making this alert effective for detecting the execution of script files such as .vbs files via wscript.exe or cscript.exe.\r\nRecommendations\r\nBlock Execution of Suspicious File Types and Windows Binaries:\r\nBlock potentially exploited file types such as .vbs, .hta, and .msi, which are commonly used by threat actors for payload distribution. Allow exceptions only for trusted system processes or specific users to avoid disrupting legitimate use cases.\r\nRestrict User Permissions and Software Installation:\r\nLimit users' ability to install and run unauthorized software.\r\nRegular Software Updates:\r\nEnsure devices, browsers, and other software applications are regularly updated to protect against known vulnerabilities and cyber threats.\r\nImplement Endpoint Detection and Response (EDR) Solutions:\r\nDeploy advanced EDR tools to monitor suspicious activity, especially around script execution and binary downloads. This helps detect malware behaviors early, particularly when unconventional techniques, like those seen in the Loki malware analysis, are used.\r\nMonitor and Restrict Web Browsing:\r\nMonitor users’ web browsing habits and restrict access to potentially harmful websites or content that could lead to malware downloads.\r\nEnhance System Monitoring and Logging:\r\nProper logging, asset visibility, and system monitoring are critical for cybersecurity. Implement regular auditing to track user activity and identify anomalies. Comprehensive log collection across all systems is essential for effective threat detection and analysis.\r\nEnsure Proper Log Retention and Visibility:\r\nEstablish a log retention policy to store system and network logs for at least six months. This will provide sufficient data to trace the origin and timeline of any security incident, ensuring a comprehensive response.\r\nSource: https://logpoint.com/en/blog/emerging-threats/hiding-in-plain-sight-the-subtle-art-of-loki-malwares-obfuscation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://logpoint.com/en/blog/emerging-threats/hiding-in-plain-sight-the-subtle-art-of-loki-malwares-obfuscation"
	],
	"report_names": [
		"hiding-in-plain-sight-the-subtle-art-of-loki-malwares-obfuscation"
	],
	"threat_actors": [],
	"ts_created_at": 1775439126,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d4765ddaff214b3a0476f4815793056d4b81ca7.pdf",
		"text": "https://archive.orkl.eu/8d4765ddaff214b3a0476f4815793056d4b81ca7.txt",
		"img": "https://archive.orkl.eu/8d4765ddaff214b3a0476f4815793056d4b81ca7.jpg"
	}
}