{
	"id": "3cb4cb2c-4d38-4c04-8774-16ebaf4b29c9",
	"created_at": "2026-04-06T00:09:25.851238Z",
	"updated_at": "2026-04-10T13:11:52.255399Z",
	"deleted_at": null,
	"sha1_hash": "c9ac671e3baa65e0f3df54b1117eb5d485e370c2",
	"title": "A Deep Dive into Lokibot Infection Chain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2385353,
	"plain_text": "A Deep Dive into Lokibot Infection Chain\r\nBy Muhammad Irshad\r\nPublished: 2021-01-06 · Archived: 2026-04-05 14:21:56 UTC\r\nWednesday, January 6, 2021 09:00\r\nLokibot is one of the most well-known information stealers on the malware landscape. In this post, we'll provide a\r\ntechnical breakdown of one of the latest Lokibot campaigns.\r\nTalos also has a new script to unpack the dropper's third stage.\r\nThe actors behind Lokibot usually have the ability to steal multiple types of credentials and other sensitive\r\ninformation. This new campaign utilizes a complex, multi-stage, multi-layered dropper to execute Lokibot on the\r\nvictim machine.\r\nWhat's new?\r\nThis sample is using the known technique of blurring images in documents to encourage users to enable macros.\r\nWhile quite simple, this is fairly common and effective against users. This write-up is intended to be a deep dive\r\nfor reverse engineers into the latest tricks Lokibot is using to infect user machines.\r\nHow did it work?\r\nThe attack starts with a malicious XLS attachment, sent in a phishing email, containing an obfuscated macro that\r\ndownloads a heavily packed second-stage downloader. The second stage fetches the encrypted third stage, which\r\nincludes Lokibot encrypted in three layers. After a privilege escalation, the third stage deploys Lokibot. The image\r\nbelow shows the infection chain.\r\nhttps://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html\r\nPage 1 of 19\n\nSo what?\r\nDefenders need to be constantly vigilant and monitor the behavior of systems within their network. 
This blog\r\nprovides a detailed overview of how complex the infection chain is for Lokibot and which tricks the adversaries\r\nare using to bypass common security features and tools of modern operating systems.\r\nFirst-stage analysis\r\nWhen the user opens the phishing email, it presents a Spanish social engineering message (\"Payment: Find\r\nscheduled payment dates attached\"). The figure below shows a screenshot of one of the emails we looked at.\r\nThe Excel sheet uses another common social engineering technique by showing a blurred-out image of a table\r\nwith the text \"Changing the size of this document, please wait,\" in Spanish. If the victim clicks the \"Enable\r\nContent\" button, thinking it will make the image visible, a malicious macro is executed.\r\nThe macro is mainly obfuscated by using long hexadecimal variable names. The screenshot below shows a portion\r\nof the `Workbook_Open` function of this macro.\r\nThe deobfuscated macro is shown below.\r\nIt decrypts the URL for the second stage from hardcoded bytes, downloads the file, saves it to the \"Templates\" folder, and executes it.\r\nThe traffic generated from the macro is shown below.\r\nSecond-stage analysis\r\nThe second-stage executable is packed with a Delphi-based packer.\r\nPacker analysis\r\nThe packer contains a timer `xvv` under `Form_main`, which unpacks the payload. The timer and its handler\r\ncode are shown below.\r\nThe unpacking function performs the following steps:\r\n1. Loads the image resource with name `T__6541957882` into memory.\r\n2. Finds the anchor `WWEX` and copies the data following it to a new buffer.\r\n3. Adds `0xEE` to each byte to decode the DLL.\r\n4. 
Reflectively loads the decoded DLL into memory and executes it.\r\nThe figure below shows the resource image that contains the encoded executable.\r\nThe following image shows the location of the embedded executable following the anchor `WWEX`.\r\nThe screenshot below shows the unpacking code and the decoded DLL.\r\nUnpacked DLL analysis\r\nThe unpacked DLL is also written in Delphi. It fetches the third payload from the hardcoded URL.\r\nThe DLL sets a timer, as shown below, which will execute the downloader function periodically.\r\nThe `Download3rdStage` function will first decode `https://discord.com` and try to connect to it. Then, it performs a time-based anti-debug check, as shown in the code below. If any of these checks fail, the DLL will not download the\r\nthird stage.\r\nOnce the checks have passed, the DLL will decrypt the hardcoded third-stage URL, as shown in the code below, and\r\nsend the HTTP request.\r\nIn response to the request, the server sends a ~618KB long hex string, as shown below.\r\nThe DLL decodes the hex string using the following steps:\r\n1. Reverse the hex string.\r\n2. Convert hexadecimal digits to bytes (unhexlify).\r\n3. XOR decode with the hardcoded key \"ZKkz8PH0\".\r\nWe have written a small Python script to decrypt the third stage. The same decryption method was also used to\r\ndecrypt the hardcoded command and control (C2). The resulting file is also a DLL, which the second stage\r\nreflectively loads.\r\nThird-stage analysis\r\nThe third stage is also written in Delphi. 
At the start, it loads a sizable binary resource named `DVCLAL` into\r\nmemory. It then generates the key `7x21zoom8675309` from hardcoded bytes. The key is then used to decrypt the\r\nresource data using a custom encryption algorithm. The malware then recovers the configuration structure from the\r\ndecrypted resource data. The structure fields are delimited by the string `*()%@5YT!@#G__T@#$%^\u0026*()__#@$#57$#!@`.\r\nThe decryption algorithm is shown below.\r\nThe hex dump below shows a highlighted structure field, separated by delimiters.\r\nThe configuration structure layout is shown below.\r\nInjecting malicious DLL to Notepad.exe\r\nThen, the malware will check if `InjectDLLToNotepadFlag` is set and the `reverse_str(FileName) + \".url\"` (mheX.url)\r\nfile doesn't exist in `C:\\Users\\\\AppData\\Local\\`. If so, it will inject the malicious DLL into Notepad.exe using the\r\nfollowing steps:\r\n1. Launch a Notepad.exe in the suspended state (dwCreationFlag = CREATE_SUSPENDED).\r\n2. Get the imported DLL name from the malicious DLL's import table (the first one is \"kernel32.dll\") and\r\nwrite it to the suspended process.\r\n3. Write the following 12-byte structure containing the addresses of `LoadLibrary` and `Sleep` from kernel32, and the\r\nDLL string.\r\n4. Write 210 bytes of shellcode to Notepad.exe.\r\n5. Execute this shellcode in Notepad.exe using `CreateRemoteThread` and pass the pointer to the 12-byte\r\nstructure shown above. This shellcode loads the DLL (\"kernel32.dll\") and then goes into an infinite sleep\r\nloop.\r\n6. Write the DLL (\"kernel32.dll\") string again to Notepad.exe.\r\n7. 
Write the 20-byte structure to Notepad.exe containing pointers to important APIs and two strings: the imported\r\nDLL name and the imported API name.\r\n8. Write 144 bytes of shellcode to Notepad.exe.\r\n9. Execute this shellcode in Notepad.exe using `CreateRemoteThread` and pass the pointer to the 20-byte\r\nstructure from step 7 as the parameter. This shellcode will resolve the import pointed to by the last variable of the\r\nstructure in step 7, and then exits using `RtlExitUserThread`.\r\n10. Repeat steps 2-9 for all of the imported DLLs and imported functions in the malicious DLL's import\r\ntable.\r\n11. Write the malicious DLL to Notepad.exe.\r\n12. Write an eight-byte structure to Notepad.exe containing the malicious DLL's base address and entry point.\r\n13. Write 122 bytes of shellcode to Notepad.exe.\r\n14. Execute the shellcode in Notepad.exe using `CreateRemoteThread` by passing the pointer to the structure from\r\nstep 12 as the parameter. The shellcode calls the entry point of the malicious DLL.\r\nInjected DLL analysis (UAC bypass using two techniques)\r\nIt checks if `C:\\Windows\\Finex` exists. If not, it will drop the following file at path `C:\\Users\\Public\\cde.bat`:\r\nThen, it drops C:\\Users\\Public\\x.bat containing the following content.\r\nThen, it drops C:\\Users\\Public\\x.vbs.\r\nThen, it drops C:\\Users\\Public\\Natso.bat.\r\nThen, it executes `Natso.bat`, which is a \"fileless\" UAC bypass found by James Forshaw. 
More details here.\r\nIf C:\\Windows\\Finex still doesn't exist (which means the UAC bypass failed), it will update Natso.bat and\r\nexecute it using the code shown below.\r\nThis is another UAC bypass technique based on fodhelper.exe. More details here. On our test machine, the last\r\nbypass was successful, and `C:\\Windows\\Finex` was successfully created. After that, the DLL deletes the dropped\r\nfile and exits.\r\nDecrypting and executing Lokibot\r\nAfter attempting to bypass UAC, the third-stage DLL will check if `AutoRunKeyFlag` is set. For this DLL, it\r\nis not set. It will then jump to code that decrypts the Lokibot executable using decryption keys from the\r\nconfiguration structure. The first two layers are decrypted using `DecryptionKeyA` and `DecryptionKeyB`, after which\r\nall the data is reversed. After that, the final layer is decrypted using the same decryption method used to decrypt the\r\nresource data at the start of the third stage.\r\nThe DLL contains multiple ways to execute a PE file. The execution method is decided based on the values of\r\nExecutionFlag A, B, C. Their values will lead to the following code for the current configuration, which will\r\ndecrypt the shellcode from the configuration using DecryptionKeyB and pass it three parameters: a pointer to the decrypted\r\nLokibot .exe, a pointer to an array of strings, and a pointer to the current command line.\r\nThe shellcode will create a suspended process using the third parameter as the command line and injects\r\nLokibot into it using process hollowing.\r\nConclusion\r\nThreat actors are getting more sophisticated when it comes to hiding their final payload. This dropper uses three\r\nstages and three layers of encryption to hide its final payload. 
The dropper also injects code into a suspended\r\nprocess to bypass UAC and uses process hollowing to execute its final payload. The majority of malware is\r\ngetting more and more sophisticated. Adversaries are constantly improving their social engineering techniques to trick\r\nthe user into opening malicious attachments and running malicious code. The malware code and its infection\r\ntechniques are also improving constantly, as we have described in this blog. The adversaries combine clever\r\ntechniques to make detection harder. More than ever, it is important to have a multi-layered security architecture in\r\nplace to detect these kinds of attacks. It isn't unlikely that the adversaries will manage to bypass one or another\r\nsecurity measure, but it is much harder for them to bypass all of them. These campaigns and the refinement of the\r\nTTPs being used will likely continue for the foreseeable future.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this\r\npost. Below is a screenshot showing how AMP can protect customers from this threat. 
Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nThreat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower\r\nManagement Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. The following SIDs have been released to detect this threat: 56578 and 56577.\r\nIOC\r\nHashes\r\nd5a68a111c359a22965206e7ac7d602d92789dd1aa3f0e0c8d89412fc84e24a5 (First stage XLS file)\r\n6b53ba14172f0094a00edfef96887aab01e8b1c49bdc6b1f34d7f2e32f88d172 (2nd stage packed downloader)\r\nb36d914ae8e43c6001483dfc206b08dd1b0fbc5299082ea2fba154df35e7d649 (2nd stage unpacked DLL)\r\n93ec3c23149c3d5245adf5d8a38c85e32cda24e23f8c4df2e19e1423739908b7 (3rd Stage DLL)\r\n21e23350b05a4b84cdf5c93044d780558e6baf81b2148fdda4583930ab7cb836 (DLL used to bypass UAC)\r\nc9038e31f798119d9e93e7eafbdd3e0f215e24ee2200fcd2a3ba460d549894ab (Lokibot)\r\nURL\r\nhxxp://millsmiltinon[.]com/ojHYhkfkmofwendkfptktnbjgmfkgtdeitobregvdgetyhsk/Xehmigm.exe\r\nDomains\r\nmillsmiltinon.com (Hosts 2nd and 3rd Stage)\r\nIP\r\n104.223.143[.]132 (Lokibot C2)\r\nSource: 
https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html"
	],
	"report_names": [
		"a-deep-dive-into-lokibot-infection-chain.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434165,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9ac671e3baa65e0f3df54b1117eb5d485e370c2.pdf",
		"text": "https://archive.orkl.eu/c9ac671e3baa65e0f3df54b1117eb5d485e370c2.txt",
		"img": "https://archive.orkl.eu/c9ac671e3baa65e0f3df54b1117eb5d485e370c2.jpg"
	}
}