{
	"id": "bb6d141a-586e-42e2-ad75-c9892a2b2452",
	"created_at": "2026-04-06T00:14:33.387641Z",
	"updated_at": "2026-04-10T13:12:55.760856Z",
	"deleted_at": null,
	"sha1_hash": "cb1b509f70a9dbf4a8af3b04f6b034700496a929",
	"title": "LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3238490,
	"plain_text": "LokiBot Campaign Targets Microsoft Office Document Using\r\nVulnerabilities and Macros | FortiGuard Labs\r\nBy Cara Lin\r\nPublished: 2023-07-12 · Archived: 2026-04-05 21:30:27 UTC\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows users\r\nImpact: Control and collect sensitive information from a victim’s device\r\nSeverity level: Critical\r\nIn a recent FortiGuard Labs investigation, we came across several malicious Microsoft Office documents designed\r\nto exploit known vulnerabilities. Specifically, CVE-2021-40444 and CVE-2022-30190 are remote code execution\r\nvulnerabilities. Exploiting these vulnerabilities allowed the attackers to embed malicious macros within Microsoft\r\ndocuments that, when executed, dropped the LokiBot malware onto the victim's system. LokiBot, also known as\r\nLoki PWS, has been a well-known information-stealing Trojan active since 2015. It primarily targets Windows\r\nsystems and aims to gather sensitive information from infected machines.\r\nIn this article, we will delve into the specifics of the identified documents, explore the payload they delivered, and\r\noutline the behavioral patterns exhibited by LokiBot. Our analysis aims to shed light on the intricacies of this\r\nthreat and increase awareness regarding its operational methods.\r\n1\r\nst\r\n Stage\r\nDuring May 2023, we obtained two types of Word documents for analysis. The first type featured an external link\r\nembedded within an XML file, “word/_rels/document.xml.rels,” while the second type included a VBA script that\r\nexecuted a macro immediately upon opening the document. 
Notably, both files contained a strikingly similar bait\r\nimage, depicted in Figure 1.\r\nhttps://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros\r\nPage 1 of 15\n\nFigure 1: The lure picture from the Word document\r\nThe Word document that targets CVE-2021-40444 contained a file “document.xml.rels”, shown in Figure 2, with\r\nan external link using MHTML (MIME encapsulation of aggregate HTML documents). This web archive file\r\nformat combines a website's HTML code and companion resources into a single file. This link also uses Cuttly, a\r\nURL shortener and link management platform, to redirect users to the cloud file-sharing website, “GoFile.”\r\nFurther analysis revealed that a file named “defrt.html” was downloaded upon accessing the link. This file exploits\r\nthe second vulnerability, CVE-2022-30190. The content of this file and the decoded data is displayed in Figure 3.\r\nUpon executing the payload, it initiates the download of an injector file named “oehrjd.exe” from the following\r\nURL: http[:]//pcwizard[.]net/yz/ftp/. Detailed information regarding the execution file can be found in the\r\nsubsequent section.\r\nFigure 2: The Document.xml.rels contains a malicious external link in oleObject\r\nFigure 3: Malicious content from “defrt.html” and decoded data\r\nThe second document was discovered towards the end of May. Upon analyzing the VBA script embedded within\r\nthe Word document, as illustrated in Figure 4, the code is automatically executed due to its use of the\r\n“Auto_Open” and “Document_Open” functions. Various arrays are decoded within the script and saved to a\r\ntemporary folder under the name “DD.inf” (Figure 5). It includes a command to create an “ema.tmp” file to store\r\ndata after line 29 in the “DD.inf” file. 
The data is then encoded using the “ecodehex” function and saved as\r\n“des.jpg”. The script then uses rundll32 to load a DLL file with the function “maintst.” Finally, it deletes all\r\ntemporary, JPG, and INF files created throughout this process.\r\nFigure 4: The VBA macro from the Word document\r\nFigure 5: The content in “DD.inf”\r\nThe Compromised Website\r\nAs mentioned, the VBA script creates an INF file to load a DLL. The purpose of this DLL file, named “des.jpg,” is\r\nto download an injector from the URL “https[:]//vertebromed[.]md/temp/dhssdf[.]exe” for use in a later stage. It's\r\nworth noting that the download link doesn't belong to a typical file-sharing cloud platform or the attacker's\r\ncommand-and-control (C2) server. Instead, it leverages the website “vertebromed.md,” which has been active\r\nsince 2018. The injector file, “dhssdf.exe,” was created on May 29, 2023, as shown in Figure 6. Additionally,\r\nwithin the same folder, we discovered another MSIL loader named “IMG_3360_103pdf.exe,” created on May 30,\r\n2023. Although this file isn't directly involved in the Word document attack chain, it also loads LokiBot and\r\nconnects to the same C2 IP.\r\nFigure 6: Web page and the compromised folder\r\n2nd Stage – Injector\r\nIn this section, we analyze the injector obtained from Follina (SHA256:\r\n9eaf7231579ab0cb65794043affb10ae8e4ad8f79ec108b5302da2f363b77c93). 
The injector is written in Visual\r\nBasic (VB), and we provide an overview of its basic information in Figure 7.\r\nFigure 7: The information on the VB injector\r\nInitially, the code extracts individual letters from predetermined strings. These letters are then combined to form\r\nan API string, subsequently mapped to the corresponding functions illustrated in Figure 8.\r\nFigure 8: API functions\r\nThe injector utilizes a hardcoded key to decrypt the payload, as shown in Figure 9. The decryption process is\r\noutlined in pseudo-code in Figure 10. The decrypted data is decompressed using the “RtlDecompressBufferEx”\r\nAPI and the parameter “COMPRESSION_FORMAT_LZNT1”. The complete procedure through Python code and\r\nthe partial payload is illustrated in Figure 11.\r\nFigure 9: The key and encrypted data\r\nFigure 10: The pseudo-code for decryption\r\nFigure 11: The Python code and the final payload\r\nThe injector incorporates various evasion techniques, including:\r\nChecking the “BeingDebugged” flag of PEB (Process Environment Block)\r\nUtilizing the “NtGlobalFlag” to determine if the process was created by a debugger\r\nVerifying the existence of virtual machine paths, such as “\\VMWare” and “\\Oracle\\virtualbox guest\r\nadditions”\r\nEmploying two calls to the “GetTickCount” API and using Sleep() to check if the time has 
been\r\naccelerated\r\nUsing the “FindWindowW” function to identify the presence of specific debuggers, such as “OllyDbg,”\r\n“x64dbg”, “x32dbg”, “WindDbg,” “WinDbgFrameClass,” “ObsidianGUI,” “Soft Ice,” “ImmDbg,” “Zeta\r\nDebugger,” and “Rock Debugger”\r\nChecking the “ProcessDebugObjectHandle” (0x1E)\r\nAfter obtaining the payload and verifying the overall environment, the injector utilizes the “VirtualAllocEx”\r\nfunction to allocate memory for the subsequent execution of LokiBot.\r\nFigure 12: Assembly code for allocating memory\r\n3rd Stage – LokiBot\r\nLokiBot is specifically designed to gather sensitive information from various sources, including web browsers,\r\nFTP, email, and numerous software tools installed on the compromised system. Analyzing the C2 traffic to\r\n“95[.]164[.]23[.]2/swe/h/pin[.]php” in Figure 13, we determined that the version is 0x0012 and the notable Binary\r\nID is “ckav[.]ru”. As this version of LokiBot has remained unchanged since March, we will only highlight its\r\nmajor components and features.\r\nFigure 13: C2 traffic capture of LokiBot\r\nFirst, the MD5 hash derived from the MachineGuid appears at the end of the pcap, “D0BECCE5760947DD9FFD80DB”. This\r\nhash serves as a mutex to ensure that multiple instances of LokiBot are not running simultaneously. It employs the\r\n“MoveFileExW” API to create a folder named “%APPDATA%\\Roaming\\576094” and a file named\r\n“47DD9F.exe” using a substring of the MD5 from MachineGuid. The file is marked as hidden by the\r\n“SetFileAttributes” function and setting the attribute to FILE_ATTRIBUTE_HIDDEN (0x2). 
The corresponding\r\nregistry settings associated with LokiBot are depicted in Figure 14.\r\nFigure 14: Registry setting\r\nThe list of targeted software names is stored in an array, and a partial list is provided in Figure 15.\r\nFigure 15: Partial data of targeted software\r\nConclusion\r\nLokiBot is a long-standing and widespread malware active for many years. Its functionalities have matured over\r\ntime, making it easy for cybercriminals to use it to steal sensitive data from victims. The attackers behind LokiBot\r\ncontinually update their initial access methods, allowing their malware campaign to find more efficient ways to\r\nspread and infect systems.\r\nLokiBot exploits various vulnerabilities and employs VBA macros to launch its attacks. It also leverages a VB\r\ninjector to employ several techniques to evade detection or analysis. As a result, it can bypass certain security\r\nmeasures and pose a significant threat to users.\r\nTo protect themselves, users should exercise caution when dealing with any Office documents or unknown files,\r\nespecially those that contain links to external websites. It is essential to be vigilant and avoid clicking on\r\nsuspicious links or opening attachments from untrusted sources. 
Additionally, keeping the software and operating\r\nsystems up to date with the latest security patches can help mitigate the risk of exploitation by malware.\r\nFigure 16: LokiBot attack chain\r\nFortinet Protections\r\nThis malware is detected and blocked by FortiGuard Antivirus as:\r\nW32/LokiBot.DYST!tr\r\nW32/Injector.SBX!tr\r\nW32/Injector.XX!tr\r\nMSIL/Kryptik.AIVP!tr\r\nJS/Follina.N!tr\r\nVBA/Agent.0F29!tr\r\nMSOffice/Agent.9C55!tr\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the\r\nFortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are\r\nprotected.\r\nThe FortiGuard Web Filtering Service blocks the C2 server.\r\nFortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating\r\nmalicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative\r\ncompetitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile\r\nsources.\r\nIf you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard\r\nIncident Response Team.\r\nIOCs\r\nC2:\r\n95[.]164[.]23[.]2\r\nFiles:\r\n17d95ec93678b0a73e984354f55312dda9e6ae4b57a54e6d57eb59bcbbe3c382\r\n23982d2d2501cfe1eb931aa83a4d8dfe922bce06e9c327a9936a54a2c6d409ae\r\n9eaf7231579ab0cb65794043affb10ae8e4ad8f79ec108b5302da2f363b77c93\r\nda18e6dcefe5e3dac076517ac2ba3fd449b6a768d9ce120fe5fc8d6050e09c55\r\n2e3e5642106ffbde1596a2335eda84e1c48de0bf4a5872f94ae5ee4f7bffda39\r\n80f4803c1ae286005a64ad790ae2d9f7e8294c6e436b7c686bd91257efbaa1e5\r\n21675edce1fdabfee96407ac2683bcad0064c3117ef14a4333e564be6adf0539\r\n4a23054c2241e20aec97c9b0937a37f63c30e321be01398977e13228fa980f29\r\nSource: 
https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros"
	],
	"report_names": [
		"lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros"
	],
	"threat_actors": [],
	"ts_created_at": 1775434473,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb1b509f70a9dbf4a8af3b04f6b034700496a929.pdf",
		"text": "https://archive.orkl.eu/cb1b509f70a9dbf4a8af3b04f6b034700496a929.txt",
		"img": "https://archive.orkl.eu/cb1b509f70a9dbf4a8af3b04f6b034700496a929.jpg"
	}
}