{ "id": "1cbcba18-5836-44b1-a6c7-dcdf5a113a94", "created_at": "2026-04-06T00:11:58.363996Z", "updated_at": "2026-04-10T03:34:01.008645Z", "deleted_at": null, "sha1_hash": "e96f8e0472f2140620960be0092c7631f0b8c583", "title": "Loda (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52091, "plain_text": "Loda (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 19:36:25 UTC\r\nwin.loda (Back to overview)\r\nLoda\r\naka: LodaRAT, Nymeria\r\nURLhaus      \r\nLoda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims.\r\nProofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is\r\nderived from a directory to which the malware author chose to write keylogger logs. It should be noted that some\r\nantivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.\r\nReferences\r\n2023-10-25 ⋅ Cisco Talos ⋅ Asheer Malhotra, Vitor Ventura\r\nKazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan\r\nAve Maria Loda YoroTrooper\r\n2023-03-14 ⋅ Cisco Talos ⋅ Asheer Malhotra, Vitor Ventura\r\nTalos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency\r\nPoet RAT Loda Kasablanka YoroTrooper\r\n2023-01-17 ⋅ Qianxin ⋅ Red Raindrop Team\r\nKasablanka Group Probably Conducted Compaigns Targeting Russia\r\nAve Maria Loda\r\n2022-11-17 ⋅ Cisco Talos ⋅ Chris Neal\r\nGet a Loda This: LodaRAT meets new friends\r\nLoda Kasablanka\r\n2022-08-18 ⋅ Proofpoint ⋅ Joe Wise, Proofpoint Threat Research Team, Selena Larson\r\nReservations Requested: TA558 Targets Hospitality and Travel\r\nAsyncRAT Loda NjRAT Ozone RAT Revenge RAT Vjw0rm\r\n2022-08-17 ⋅ ⋅ 360 ⋅ 360 Threat Intelligence Center\r\nKasablanka organizes attacks against political groups and non-profit organizations in the Middle East\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.loda\r\nPage 1 of 2\n\nSpyNote Loda Nanocore RAT NjRAT\r\n2021-02-15 ⋅ Silent Push ⋅ Martijn Grooten\r\nMore LodaRAT infrastructure targeting Bangladesh uncovered\r\nLoda\r\n2021-02-09 ⋅ Talos ⋅ Chris Neal, Vitor Ventura, Warren Mercer\r\nKasablanka Group's LodaRAT improves espionage capabilities on Android and Windows\r\nLoda\r\n2020-09-29 ⋅ Cisco Talos ⋅ Chris Neal\r\nLodaRAT Update: Alive and Well\r\nLoda\r\n2020-02-12 ⋅ Cisco Talos ⋅ Chris Neal\r\nLoda RAT Grows Up\r\nLoda\r\n2018-01-23 ⋅ Zerophage\r\nMaldoc (RTF) drops Loda Logger\r\nLoda\r\n2017-05-10 ⋅ Proofpoint ⋅ Proofpoint Staff\r\nIntroducing Loda Malware\r\nLoda\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.loda\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.loda\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda" ], "report_names": [ "win.loda" ], "threat_actors": [ { "id": "c416152c-d268-40a3-8887-01d2ec452b7c", "created_at": "2023-04-27T02:04:45.481771Z", "updated_at": "2026-04-10T02:00:04.987067Z", "deleted_at": null, "main_name": "YoroTrooper", "aliases": [ "Silent Lynx" ], "source_name": "ETDA:YoroTrooper", "tools": [ "Loda", "Loda RAT", "LodaRAT", "Meterpreter", "Nymeria", "Warzone", "Warzone RAT" ], "source_id": "ETDA", "reports": null }, { "id": "316b23b5-e097-4dc6-8b1c-d096860c6c16", "created_at": "2022-10-25T16:07:24.290801Z", "updated_at": "2026-04-10T02:00:04.924688Z", "deleted_at": null, "main_name": "TA558", "aliases": [], "source_name": "ETDA:TA558", "tools": [ "AZORult", "AsyncRAT", "Bladabindi", "ExtRat", "Jorik", "Loda", "Loda RAT", "LodaRAT", "Nymeria", "PuffStealer", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "Rultazo", "Socmer", "Vengeance Justice Worm", "Vjw0rm", "Xtreme RAT", "XtremeRAT", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "d4135989-e577-4133-bdae-a24243c832a4", "created_at": "2023-11-05T02:00:08.068657Z", "updated_at": "2026-04-10T02:00:03.396218Z", "deleted_at": null, "main_name": "Kasablanka", "aliases": [], "source_name": "MISPGALAXY:Kasablanka", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "322248d6-4baf-4ada-af8e-074bc6c10132", "created_at": "2023-11-05T02:00:08.072145Z", "updated_at": "2026-04-10T02:00:03.397406Z", "deleted_at": null, "main_name": "YoroTrooper", "aliases": [ "Comrade Saiga", "Salted Earth", "Sturgeon Fisher", "ShadowSilk", "Silent Lynx", "Cavalry Werewolf", "SturgeonPhisher" ], "source_name": "MISPGALAXY:YoroTrooper", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cf91b389-9602-45c0-8d6b-c61d14800f54", "created_at": "2023-01-06T13:46:39.448277Z", "updated_at": "2026-04-10T02:00:03.332604Z", "deleted_at": null, "main_name": "TA558", "aliases": [], "source_name": "MISPGALAXY:TA558", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434318, "ts_updated_at": 1775792041, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e96f8e0472f2140620960be0092c7631f0b8c583.pdf", "text": "https://archive.orkl.eu/e96f8e0472f2140620960be0092c7631f0b8c583.txt", "img": "https://archive.orkl.eu/e96f8e0472f2140620960be0092c7631f0b8c583.jpg" } }