{
	"id": "265238cb-ee11-4567-98e4-a783ce31eacc",
	"created_at": "2026-04-06T00:16:12.463591Z",
	"updated_at": "2026-04-10T13:11:47.51753Z",
	"deleted_at": null,
	"sha1_hash": "aac50f338eed881ab478f5c36315cdb663584564",
	"title": "Loda Malware: Campaign Analysis | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 426063,
	"plain_text": "Loda Malware: Campaign Analysis | Proofpoint US\r\nBy Proofpoint Staff, May 10, 2017\r\nPublished: 2017-05-10 · Archived: 2026-04-05 15:07:43 UTC\r\nLoda is a previously undocumented AutoIt malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name ‘Loda’ is derived from a directory to which the malware author chose to write keylogger logs (Figure 14). It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.\r\nLoda appears to be distributed by multiple cybercrime actors targeting a variety of verticals. We have observed Loda spread via email campaigns containing Microsoft Word attachments with macros (Figure 3), exploits, or packager shell objects (Figure 4). Notably, we found a document that used the recent CVE-2017-0199 exploit (Figure 1). In addition, we have observed Loda distributed via PDF attachments, links, and executable attachments (Figure 2).\r\nWhile Loda is a threat on its own, we have also seen campaigns where it was used to download additional information-stealing malware, such as the ISR Stealer.\r\nhttps://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware\r\nPage 1 of 13\r\nFigure 1: CVE-2017-0199 document used to deliver Loda\r\nFigure 2: Email with an executable attachment delivering Loda\r\nFigure 3: Macro document used to deliver Loda\r\nFigure 4: Document with embedded Packager Object used to deliver Loda\r\nAnalysis\r\nWe have observed two versions of the malware, 1.0.0 and 1.0.1, in the wild. Both were tagged as beta versions of the software. In both versions, the malware copies itself to a directory in the %TEMP% folder and creates persistence using a scheduled task. This is typically a 6-character task name which references the executable that was copied to %TEMP%. The malware checks in to a command and control (C\u0026C) server and reports the following information:\r\nVictim’s country\r\nA hard-coded string (seen: ‘victim’, ‘Clientv4’)\r\nVictim’s IP address\r\nUser account name\r\nWindows version\r\nWindows architecture (X64 or X86)\r\nWebcam installed (Yes or No, enumerated using capGetDriverDescription from Avicap32.dll)\r\nInstalled AV vendor (enumerated via running process names)\r\nMalware version, i.e. 1.0.1\r\nHard-coded string (seen: ‘ddd’)\r\nMonitor resolution in a special format (“Pr[Height]X2[Width]X3”)\r\nOS type (can be “laptop”, “Desktop”, or “x”, enumerated using the WMI query \"Select * from Win32_SystemEnclosure\")\r\nVersion (beta)\r\nFigure 5: Information sent by the victim machine to the C\u0026C server\r\nSince Loda is written in AutoIt, the executable is trivial to decompile. The author of the malware took slight measures to combat this and has obfuscated the AutoIt source code using several generic techniques. The most notable example is the use of string obfuscation on most variables. Strings are hex-encoded and concatenated into a larger string with a separator value that appears to be unique in each sample. At run time, the large string is split on the separator value into an array, and each variable is then initialized from the array element at its index.\r\nFigure 6: Deobfuscated (left) vs obfuscated (right) strings with random variable names\r\nFigure 7: A snippet of variable initialization code from the large array of encoded strings (typically 2000+ elements)\r\nLoda accepts a wide range of commands from the C\u0026C with the following functionality:\r\nSend a file to C\u0026C\r\nReceive text from C\u0026C and write to file (likely for batch files)\r\nReceive data from C\u0026C and write as binary (executable) and run it (Figure 12)\r\nExecute a hidden Windows Media Player streaming from an Arabic radio MMS (Figure 11)\r\nClose Windows Media Player (likely related to above)\r\nUpload keylogger data (Figure 10)\r\nDelete keylogger data\r\nRead text to victim using SAPI.SpVoice (text sent from C\u0026C)\r\nGet file or directory sizes (path requested from C\u0026C)\r\nShut down victim PC\r\nChange wallpaper via registry modifications\r\nZip/Unzip files (to exfil to C\u0026C or to decompress from C\u0026C)\r\nBasic ShellExecute command\r\nCopy file or directory (paths requested from C\u0026C)\r\nEnumerate attached drives\r\nEnumerate common folder locations (Desktop/Pictures/Profile/Appdata/Temp)\r\nDetect UAC settings\r\nDownload and play .wav files from C\u0026C\r\nRecord microphone sounds using Windows Sound Recorder (Figure 9)\r\nSend mouse clicks (left or right being separate commands)\r\nCapture screenshot and send to C\u0026C\r\nOpen/Close CD tray\r\nDownload and execute a file (HTTP path specified from C\u0026C)\r\nCreate a GUI Chat window (Victim/Attacker conversation saved to a file; see Figure 8)\r\nRecord Webcam\r\nDelete Chrome/Firefox cookies (closes browsers to do this)\r\nSend running process names to C\u0026C\r\nClose a running process\r\nFigure 8: Ability to create a GUI Chat window from the ‘hacker’ to the victim\r\nFigure 9: Ability to record microphone input using Windows Sound Recorder\r\nFigure 10: Upload and delete keylogger data (implemented as two separate commands, but likely occurring in the same C\u0026C request)\r\nFigure 11: Stream an Arabic radio station (shortcut to hidden Windows Media Player MMS)\r\nFigure 12: Receive data from C\u0026C, write to disk and execute\r\nWe were able to observe the network traffic associated with these C\u0026C communications, a sample of which is shown in Figure 13.\r\nFigure 13: PCAP of C\u0026C communications, as Loda downloads a payload\r\nFigure 14: Origin of the name “Loda” (keylogger logs are stored in the directory /LODA/Log)\r\nConclusion\r\nLoda malware is a robust keylogger and remote access Trojan with extensive capabilities for collecting and exfiltrating victim information from infected PCs. Since we first observed it in the wild last fall, its footprint has increased dramatically with multiple threat actors distributing the malware via a range of email vectors. It has appeared in attacks across multiple verticals and been used as both a standalone threat and an intermediate loader. While fairly straightforward to analyze because it was coded in AutoIt, Loda’s capabilities for data collection, system control, direct victim interaction, and flexible C\u0026C communications pose significant risks for victims and organizations with infected PCs.\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\ndalengo.duckdns.org | Hostname | Loda C\u0026C\r\neyasdz.ddns.net | Hostname | Loda C\u0026C\r\ngoogleindia.ddns.net | Hostname | Loda C\u0026C\r\nniiarmah.dynu.com | Hostname | Loda C\u0026C\r\nnze1411.servehttp.com | Hostname | Loda C\u0026C\r\nshit888.duckdns.org | Hostname | Loda C\u0026C\r\nyxlxlx.hopto.org | Hostname | Loda C\u0026C\r\n103.68.223.131 | IP Address | Loda C\u0026C\r\n103.68.223.135 | IP Address | Loda C\u0026C\r\n103.68.223.148 | IP Address | Loda C\u0026C\r\n154.16.201.2 | IP Address | Loda C\u0026C\r\n185.140.53.231 | IP Address | Loda C\u0026C\r\n185.142.236.219 | IP Address | Loda C\u0026C\r\n185.145.45.222 | IP Address | Loda C\u0026C\r\n185.84.181.99 | IP Address | Loda C\u0026C\r\n204.152.219.125 | IP Address | Loda C\u0026C\r\n213.184.126.133 | IP Address | Loda C\u0026C\r\n213.204.254.33 | IP Address | Loda C\u0026C\r\n23.105.131.162 | IP Address | Loda C\u0026C\r\n5.133.11.56 | IP Address | Loda C\u0026C\r\n78.128.92.32 | IP Address | Loda C\u0026C\r\n88.190.215.108 | IP Address | Loda C\u0026C\r\n95.140.125.85 | IP Address | Loda C\u0026C\r\n98.143.144.214 | IP Address | Loda C\u0026C\r\n1661904de29c935e8fa052cf3a48153e423eb4f940eafaca04c37a23ff6478e4 | SHA256 | Loda 1.0.1\r\n1e412f6539526d30090a14b67fa3c9e9f00801a2585acd6ae99d93450ec31a27 | SHA256 | Loda 1.0.1\r\n28271aaad16ea4805da4c05e6bd818ff10adafe28b15231e9452c04736046637 | SHA256 | Loda 1.0.1\r\n372a69b980010f325a9793c81add9ad2e58d767ea93552cd4d041d0669dd0327 | SHA256 | Loda 1.0.1\r\n3017327889e95b7b495c5abe2768d66254ffa7fa84d9662b99ce551cff20f2b3 | SHA256 | Loda 1.0.1\r\n42567164b34f81f9d683db859cc46542974eb2c63c765c50e6cd54bbd4772296 | SHA256 | Loda 1.0.1\r\n4dc6a7dde5804969b7481f3ce4eb41eff6952b43dd564fd5189bed5608f01d29 | SHA256 | Loda 1.0.1\r\n5abb862f92b3e577d54a4760b654db51537071314e4c66a11a15503368a81439 | SHA256 | Loda 1.0.1\r\n60e65fc495598e203d436d94f8614d46be099c59a98f4102acb26caea4b05849 | SHA256 | Loda 1.0.1\r\n63be4234ca8443b11877a9d1644bba2c6247ff62c7cdbcb104b772c0d3d42152 | SHA256 | Loda 1.0.1\r\n73795c1d8c23b13ca4136f23728f32eccf4b75bff285a824adb241ae8deaefda | SHA256 | Loda 1.0.1\r\n7e335035c67b0f5abdef63ce1136489b42abafab136d8bb0675852424982d72a | SHA256 | Loda 1.0.1\r\n879cca7e3aef2e53a49c15bcca06a048dc2f15627be9cd5745c532fd050c0a17 | SHA256 | Loda 1.0.1\r\n8be505d0d70b0d878c93ca58079da15750fa3912d3aa2e1d2053f79f45ba4696 | SHA256 | Loda 1.0.1\r\n91629cd3c969685afde2ded08e802cc8b5a456dc20c83bcbd169468adc7036a5 | SHA256 | Loda 1.0.1\r\n92c4316c0a3d828700b723d2415fc50b79a01072ffee65e7ffcfac8dca25fcac | SHA256 | Loda 1.0.1\r\na6a83c24c3d898a163d085fabc5304c83b0167631b1dd16ff69092d8c583af57 | SHA256 | Loda 1.0.1\r\nc5d9d12ade0813384ca6a7c67d738dd6b427d3d659755cd37fb0055b3b66ecb3 | SHA256 | Loda 1.0.1\r\nc8468b293f015252c6b90bc44496fb078304d3e0a7456a948e176fb3850b13f1 | SHA256 | Loda 1.0.1\r\nca9236fb2cff18311ed561d3f6fd61330459125b7d7b0a54ca72112766e5df60 | SHA256 | Loda 1.0.1\r\nce477c9625b13c3d2a708fc15ac0b8e5c5eb6b4fb815914e8eaba80c2d491692 | SHA256 | Loda 1.0.1\r\ne368506790eb2e3c9c414a09e640ad4aff2233e03b52a03cee372688e6003291 | SHA256 | Loda 1.0.1\r\n49c46414f2c75af582d2faa348b57a79a04f069dd508e6d883cb75b77a7bfcc4 | SHA256 | Macro Document\r\n49c46414f2c75af582d2faa348b57a79a04f069dd508e6d883cb75b77a7bfcc4 | SHA256 | Packager Object Document\r\n2abdbd7f5f7863f454df353ba35d500dafbca8284459331cd92438e2ea4c7015 | SHA256 | CVE-2017-0199 Document\r\nET and ETPRO Suricata/Snort Coverage\r\n2822117 | ETPRO TROJAN Loda Logger CnC Beacon Response\r\n2822116 | ETPRO TROJAN Loda Logger CnC Beacon\r\n2825085 | ETPRO TROJAN Loda Logger Screenshot Request\r\n2825086 | ETPRO TROJAN Loda Logger Module Download Request\r\n2825087 | ETPRO TROJAN Loda Logger Module Execute Request\r\n2825088 | ETPRO TROJAN Loda Logger List Disk Drives Request\r\n2825089 | ETPRO TROJAN Loda Logger List Desktop Files Request\r\n2825090 | ETPRO TROJAN Loda Logger List Disk Drive Files Request\r\nSource: https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware"
	],
	"report_names": [
		"introducing-loda-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434572,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aac50f338eed881ab478f5c36315cdb663584564.pdf",
		"text": "https://archive.orkl.eu/aac50f338eed881ab478f5c36315cdb663584564.txt",
		"img": "https://archive.orkl.eu/aac50f338eed881ab478f5c36315cdb663584564.jpg"
	}
}