{
	"id": "2cb41c9c-e606-4ae9-9d4d-423c812d724c",
	"created_at": "2026-04-06T00:12:41.659655Z",
	"updated_at": "2026-04-10T03:20:27.582541Z",
	"deleted_at": null,
	"sha1_hash": "ddbd5d0ccec176cb50f797e7d36f3c8238e3182b",
	"title": "dissecting the C\u0026C panel deployments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 749793,
	"plain_text": "dissecting the C\u0026C panel deployments\r\nArchived: 2026-04-05 16:48:05 UTC\r\nAditya K Sood\r\nIntroduction\r\nFirst advertised as an information stealer and keylogger when it appeared in underground forums in 2015, LokiBot has added various capabilities over the years and has affected many users worldwide. LokiBot is deployed as a botnet, where a number of compromised systems installed with the malware connect with command-and-control (C\u0026C) servers in order to send stolen data and receive commands from the botnet operator.\r\nLokiBot has been distributed via phishing campaigns that include malicious attachments or embedded URLs [1]. More recently it has also been found to hide its source code in image files [2], using the technique known as steganography. LokiBot installs itself via a downloaded zipped file, which is deleted (in order to avoid detection) once the system has been infected. The malware steals credentials from the compromised system. The stolen data is compressed and exfiltrated via an HTTP channel to a C\u0026C panel.\r\nIn this research, we conducted an analysis of the URL structure of the LokiBot C\u0026C panels and how these have evolved over time, concentrating on the C\u0026C panel entry points. In this paper the ‘entry point’ refers to the web access point used by the botnet operator to manage the botnet. This is basically a PHP web-based C\u0026C panel component that gives the botnet operator administrator capabilities. We also highlight the gate component that is used as an entry point for the bots to communicate and transmit data. The gate can be considered one of the primary components of the C\u0026C panel design because it provides gateway and filtering functionalities. 
In the majority of cases the gate component resides on the same server as the C\u0026C panel, but it can be configured or changed accordingly.\r\nThe aim of this research is to build intelligence for detection and prevention solutions including security analytics.\r\nLokiBot C\u0026C panel: characteristics\r\nIn this section we look at the characteristics of the LokiBot C\u0026C panel. A number of pointers are provided below:\r\nThe LokiBot C\u0026C panel is designed to use HTTP protocol as its communication mechanism.\r\nThe C\u0026C panel is entirely developed using PHP. The LokiBot C\u0026C panel v3.0 base is built using PHP, which is used in conjunction with C++ and C# (the malware is written in these languages).\r\nThe LokiBot C\u0026C panel consists of two main components: the main administrative panel used by the botnet operator to administer the botnet, and the gate component that provides filtering capabilities so that data received from the compromised systems can be examined and bots can be verified. Other components are developed to ease the handling and management of stolen data from the compromised machines. (The C\u0026C panel components are discussed in detail in the next section.)\r\nhttps://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/\r\nPage 1 of 9\n\nThe data exfiltrated from the compromised endpoints is sent to the C\u0026C panel in a compressed format over HTTP. 
The data is received by the gate component, which validates the authenticity of the data by checking the identity of the bot before the data is processed by the backend database and retrieved by the main C\u0026C panel for the botnet operator to use.\r\nLokiBot transmits data in zipped format, and the data log files are decrypted using a custom encryption and decryption algorithm that is used in conjunction with a Base-64 encoding/decoding mechanism.\r\nThe LokiBot C\u0026C panel can be deployed with anti-automation mechanisms to restrict account cracking attempts over HTTP. For that, a CAPTCHA is supported by the C\u0026C panel. Figure 1 shows an example of a LokiBot C\u0026C panel with CAPTCHA implementation; Figure 2 shows an example of a LokiBot C\u0026C panel without CAPTCHA implementation.\r\nFigure 1: LokiBot C\u0026C panel with CAPTCHA.\r\nFigure 2: LokiBot C\u0026C panel without CAPTCHA.\r\nLokiBot C\u0026C panel: components\r\nThe basic structure of the LokiBot C\u0026C panel with all the related components is outlined in Table 1.\r\nS. No. | Component | Details\r\n1 | index.php | Main landing page of the C\u0026C panel from where access is granted to the botnet operator.\r\n2 | gate.php | Intermediate proxy component that acts as an interface between the main C\u0026C panel and the bots running on the compromised machines.\r\n3 | functions.php | Supporting functions such as error_reporting, base64Decrypt and traffic_decrypt are defined in this component.\r\n4 | install.php | Web component used to effectively deploy the C\u0026C panel before spreading infections. The component installs the backend database, etc. 
to handle the stolen data, providing search capability, configuration tasks for the loader and others.\r\n5 | settings.php | This component configures the settings of the C\u0026C panel including error handling, authentication, authorization, database configuration and others.\r\n6 | auth.php | This is the module deployed to configure the authentication for the C\u0026C panel, including how the gate authenticates itself to the C\u0026C panel before storing stolen data in the database.\r\n7 | viewer.php | This component provides viewing capability to the botnet operator in the C\u0026C panel so that data management is easy.\r\n8 | converter.php | This component provides converting capabilities to handle data in more efficient ways. For example, NetScapeToJson is used to convert cookies to JSON format.\r\n9 | search.php | This component provides a search capability to enable the botnet operator to search for and find specific data from the dump of stolen information stored in the backend database.\r\n10 | loader.php | This component is used to load the stolen data from the infected machines that is transferred by the gate component into the database and to keep the records updated. This component also loads data from the database to the main C\u0026C panel.\r\n11 | logs/ | Folder used to store logs about stolen data and system-related errors.\r\n12 | tmp/ | Temporary folder used to store the modules that are not required after installation of the C\u0026C panel.\r\n13 | stealer/ | Folder used to store a text file that defines the rules for the bot to steal data from specific URLs and domains. 
The file is passed to the bot running on the compromised system.\r\n14 | assets/ | Folder used to store modules related to GeoIP and CSS for effectively managing and laying out data in the C\u0026C panel.\r\nTable 1: LokiBot C\u0026C panel modules and components.\r\nThe LokiBot C\u0026C panel uses a gate component [3], which is written in PHP. Listing 1 shows how the LokiBot gate component extracts the source IP of the bot from which the connection is initiated. The extracted and analysed headers from the incoming HTTP traffic are presented below:\r\nX-Forwarded-For (or X-Forwarded-IP) shows that the source IP address is behind a proxy or a load balancer.\r\nHTTP_CF_CONNECTING_IP shows that the source IP address is behind the Cloudflare Content Delivery Network (CDN).\r\nX-ProxyUser-IP shows that the source IP address is behind Google Services.\r\nX-Real-IP shows that the source IP address is behind a load balancer.\r\nListing 1: Module used by LokiBot for C\u0026C authentication.\r\nListing 2 shows the basic authentication that can be configured to access the C\u0026C panel. Form-based authentication is also supported.\r\nListing 2: Module used by LokiBot for C\u0026C authentication.\r\nListing 3 shows how LokiBot decrypts the log files that are received from the compromised systems. The log file is decoded (or decrypted) using the ‘base64Decrypt’ function. The zipped file is extracted and passed to the ‘TRAFFIC_DECRYPT’ function, which decrypts the file to retrieve the stolen data. 
Once that operation is performed, a clean zip file containing the stolen data is created and then stored in the directory.\r\nListing 3: Module used by LokiBot for C\u0026C authentication.\r\nListing 4 shows the support functions that are defined in the functions.php file. The ‘base64Decrypt’ and ‘TRAFFIC_DECRYPT’ functions highlight how the data decryption routines are handled in the C\u0026C panel.\r\nListing 4: Module used by LokiBot for C\u0026C authentication.\r\nIn the next section we discuss the result of the empirical analysis performed to analyse C\u0026C panel URLs.\r\nEmpirical analysis: C\u0026C deployments\r\nWe looked into 1,960 different LokiBot C\u0026C panel URLs deployed in real time. All the deployments of the C\u0026C panels were using PHP as the main component. The complete URLs comprised both domain names and IP addresses. Generally, IP addresses are used in C\u0026C panels to avoid DNS queries, so that no DNS traffic is generated from the compromised endpoint. This way, the endpoints can connect directly with the C\u0026C panel by initiating the connection to the IP address. The data analysis was performed on the primary C\u0026C panel component, i.e. the main entry PHP web page that is used by the botnet operator to administer the botnet.\r\nTable 2 highlights the C\u0026C components utilizing the PHP page as the entry point for the botnet operators to manage the LokiBot instances in the real world. 
Table 3 highlights the percentage layout of the LokiBot C\u0026C entry points deployed in real time.\r\nLokiBot C\u0026C entry point | Server-side language: C\u0026C panel | Usage\r\n‘PvqDq929BSx_A_D_M1n_a.php’ | PHP | 1,861\r\n‘pen.php’ | PHP | 31\r\n‘desk.php’ | PHP | 18\r\n‘omc.php’ | PHP | 12\r\n‘uMc.php’ | PHP | 17\r\n‘sand.php’ | PHP | 03\r\n‘Pvq.php’ | PHP | 12\r\n‘cs.php’ | PHP | 04\r\n‘loki.php’ | PHP | 02\r\nTable 2: Deployed LokiBot C\u0026C instances.\r\nLokiBot C\u0026C entry point | Percentage\r\n‘PvqDq929BSx_A_D_M1n_a.php’ | 94.95%\r\n‘pen.php’ | 1.58%\r\n‘desk.php’ | 0.92%\r\n‘omc.php’ | 0.61%\r\n‘uMc.php’ | 0.87%\r\n‘sand.php’ | 0.15%\r\n‘Pvq.php’ | 0.61%\r\n‘cs.php’ | 0.20%\r\n‘loki.php’ | 0.10%\r\nTable 3: Percentage analysis of total instances of LokiBot C\u0026C panels.\r\nThe details presented here highlight the different entry points that are configured for LokiBot C\u0026C panel communication.\r\nInferences\r\n1. Approximately 95% of LokiBot deployments in real time use ‘PvqDq929BSx_A_D_M1n_a.php’ as the main entry point.\r\n2. The ‘admin’ in the string ‘PvqDq929BSx_A_D_M1n_a.php’ is represented as ‘_A_D_M1n_a.php’ to avoid standard-level detections that analyse basic URL structure.\r\n3. The other C\u0026C entry points – ‘desk.php’, ‘sand.php’, ‘omc.php’, ‘uMc.php’, etc. – represent just 5% of the dataset chosen for analysis, which shows that an obfuscated string is preferred in the resource naming for the C\u0026C entry point.\r\n4. The majority of the LokiBot C\u0026C deployments are configured over HTTP without TLS, i.e. a non-HTTPS channel is used for communication. As a result, all the communication can be seen over an unencrypted channel. LokiBot does provide HTTPS support but it has to be configured explicitly.\r\n5. 
From the compromised machines, the stolen data transmitted by the bot is received by the gate component first, which analyses the data to verify the authenticity of the bot. Once the bot identity is established, the stolen data is transmitted to the backend storage so that it can be analysed and accessed in the C\u0026C panel.\r\nConclusion\r\nConducting an empirical analysis of LokiBot’s C\u0026C structure helps to build intelligence that can be used to enhance the detection and prevention efficacy of security solutions. It also helps to unearth the advancements in techniques used by the attackers to trigger infections and steal data.\r\nReferences\r\n[1] Newly Discovered Infostealer Attack Uses LokiBot. Fortinet. https://www.fortinet.com/blog/threat-research/new-infostealer-attack-uses-lokibot.html.\r\n[2] LokiBot malware now hides its source code in image files. ZDNet. https://www.zdnet.com/article/lokibot-information-stealer-now-hides-malware-in-image-files/.\r\n[3] Sood, A.K.; Bansal, R. Prosecting the Citadel botnet – revealing the dominance of the Zeus descendent: part one. https://www.virusbulletin.com/virusbulletin/2014/09/prosecting-citadel-botnet-revealing-dominance-zeus-descendent-part-one.\r\nSource: https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/"
	],
	"report_names": [
		"lokibot-dissecting-cc-panel-deployments"
	],
	"threat_actors": [],
	"ts_created_at": 1775434361,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ddbd5d0ccec176cb50f797e7d36f3c8238e3182b.pdf",
		"text": "https://archive.orkl.eu/ddbd5d0ccec176cb50f797e7d36f3c8238e3182b.txt",
		"img": "https://archive.orkl.eu/ddbd5d0ccec176cb50f797e7d36f3c8238e3182b.jpg"
	}
}