{
	"id": "ac581715-9c90-4f94-9c39-6290dc4990d1",
	"created_at": "2026-04-06T00:08:55.623689Z",
	"updated_at": "2026-04-10T03:22:11.67651Z",
	"deleted_at": null,
	"sha1_hash": "bbe05e46c767cf0b2649d8a179f0bba2b1ff31ec",
	"title": "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 407425,
	"plain_text": "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot\r\nBy GReAT\r\nPublished: 2023-08-03 · Archived: 2026-04-05 19:51:47 UTC\r\nIntroduction\r\nThe malware landscape keeps evolving. New families are born, while others disappear. Some families are short-lived, while others remain active for quite a long time. In order to follow this evolution, we rely both on samples that we detect and on our monitoring efforts, which cover botnets and underground forums.\r\nWhile doing so, we found new Emotet samples, a new loader dubbed “DarkGate”, and a new LokiBot infostealer campaign. We described all three in private reports, from which this post contains an excerpt.\r\nIf you want to learn more about our crimeware reporting service, please contact us at crimewareintel@kaspersky.com.\r\nDarkGate\r\nIn June 2023, a well-known malware developer posted an advertisement on a popular dark web forum, boasting of having developed a loader that he had been working on for more than 20,000 hours since 2017. Some of the main features, which went beyond typical downloader functionality, supposedly included the following:\r\nHidden VNC\r\nWindows Defender exclusion\r\nBrowser history stealer\r\nReverse proxy\r\nFile manager\r\nDiscord token stealer\r\nThe full list of the touted capabilities is available in our private report.\r\nThe sample we obtained is missing some of these features, but that doesn’t mean much, as they are enabled or disabled in the builder anyway. We were, however, able to reconstruct the infection chain, which consists of four stages, all the way to loading the final payload: DarkGate itself.\r\n1. VBS downloader script: The script is fairly simple. It sets several environment variables to obfuscate subsequent command invocations. Two files (Autoit3.exe and script.au3) are then downloaded from the C2, and Autoit3.exe is executed with script.au3 as an argument.\r\n2. AutoIT V3 script: AutoIT V3 is a BASIC-like freeware scripting language, which is often used by malware authors, as it can simulate keystrokes and mouse movements, among other things. The script that is executed is obfuscated, but ultimately allocates memory for the embedded shellcode and finally executes the shellcode.\r\nhttps://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/\r\nPage 1 of 6\r\n3. Shellcode: The shellcode is pretty straightforward: it constructs a PE file in memory, resolves imports dynamically and transfers control to it.\r\n4. DarkGate executor (the PE file constructed by the shellcode): The executor loads the script.au3 file into memory and locates an encrypted blob within the script. The encrypted blob is then decrypted (using an XOR key and a final NOT operation). This results in a PE file, whose import table is dynamically resolved. The final result is the DarkGate loader.\r\nThe DarkGate loader has several global variables, actually a Delphi TStringList, comprising 17 variables that describe the core functionality of the malware:\r\n1. Variable that is set if an AV is found\r\n2. Variable that is set if a virtual environment is found\r\n3. Variable that is set if a Xeon processor is found\r\n4. C2 port number\r\nThe full list of variables is available in our private report. The core functionality does not include malware loading, which is implemented in a separate module.\r\nWhat also stands out is the way strings are encrypted. Each string is encrypted with a unique key and a custom version of Base64 encoding using a custom character set.\r\nLokiBot\r\nLokiBot is an infostealer that first surfaced in 2016 and remains active today. It is designed to steal credentials from various applications, such as browsers, FTP clients and others. Recently, we detected a phishing campaign targeting cargo ship companies that drops LokiBot.\r\nIn the cases we investigated, the victims received an email appearing to come from a business contact and stating port expenses that needed to be paid. Attached to the email was an Excel document. As expected, when opening the document the user was asked to enable macros. However, this was a fake warning, as the document did not contain any macros, trying to exploit CVE-2017-0199 instead.\r\nThat vulnerability makes it possible to open a remote document by providing a link. This results in downloading an RTF document, which in turn exploits another vulnerability, namely CVE-2017-11882. By exploiting this other vulnerability, LokiBot is downloaded and executed.\r\nOnce executed, it collects credentials from various sources and saves them into a buffer inside the malware, after which it sends them to the C2. Data is sent via POST requests compressed with APLib. After sending out system information, the malware listens for additional C2 commands. These commands can be used to download additional malware, run a keylogger, and so on.\r\nEmotet\r\nEmotet is a notorious botnet that, despite being taken down in 2021, resurfaced later. In its recent wave of attacks, its operators jumped on the OneNote infection bandwagon, sending emails with malicious OneNote files. Opening one of these displays an image similar to the one below.\r\nEmotet OneNote decoy document\r\nClicking on the view button executes the embedded and obfuscated malicious VBScript. The deobfuscated code is fairly simple.\r\nDeobfuscated downloader script\r\nAs one can see, there are several sites containing the payload. The script tries each of them until it succeeds, and then saves the payload, a DLL, in the temp directory, executing it with regsvr32.exe. The executed DLL then loads a resource (LXGUM) from its resource section and decrypts it with a simple rolling XOR algorithm as illustrated below.\r\nResource decryption code\r\nThe decrypted payload is actually shellcode that does a typical import by hash. Two of the resolved functions are LdrLoadDll and LdrGetProcedureAddress, frequently used by malware authors to evade dynamic analysis of well-known APIs: LoadLibrary and GetProcAddress in this case. Next, memory is allocated, and a blob (a PE file) from the resource section is written to the allocated memory, which is the final Emotet payload. DLL dependencies are resolved, and the Import Address Table (IAT) is reconstructed. The shellcode then overwrites the DOS header of the PE file, in order to make it more difficult for EDR solutions to detect the binary in memory. Finally, Emotet is executed.\r\nThe Emotet payload itself remains the same as in the previous waves of attacks.\r\nConclusion\r\nMalware continuously evolves, and TTPs change, hindering detection. Besides, it can be difficult for an organization to decide which type of malware threat to defend against first. Intelligence reports can help you to identify the threats relevant to your business and to stay protected against them. If you want to keep up to date on the latest TTPs used by criminals, or if you have questions about our private reports, reach out to us at crimewareintel@kaspersky.com.\r\nIndicators of compromise (MD5s)\r\nLokiBot\r\n31707f4c58be2db4fc43cba74f22c9e2\r\n2c5cf406f3e4cfa448b167751eaea73b\r\nDarkGate\r\n1B9E9D90136D033A52D2C282503F33B7\r\n149DA23D732922B04F82D634750532F3\r\nEmotet\r\n238f7e8cd973a386b61348ab2629a912\r\ndf3ee4fb63c971899e15479f9bca6853\r\nSource: https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/"
	],
	"report_names": [
		"110286"
	],
	"threat_actors": [],
	"ts_created_at": 1775434135,
	"ts_updated_at": 1775791331,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bbe05e46c767cf0b2649d8a179f0bba2b1ff31ec.pdf",
		"text": "https://archive.orkl.eu/bbe05e46c767cf0b2649d8a179f0bba2b1ff31ec.txt",
		"img": "https://archive.orkl.eu/bbe05e46c767cf0b2649d8a179f0bba2b1ff31ec.jpg"
	}
}