{
	"id": "bdd1fc62-60c5-428e-9823-77e323727474",
	"created_at": "2026-04-06T00:22:21.6713Z",
	"updated_at": "2026-04-10T13:12:56.843917Z",
	"deleted_at": null,
	"sha1_hash": "eeb64eb0aaf7f8be217a6f44d3fc986acbe390ec",
	"title": "LokiBot Malware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100177,
	"plain_text": "LokiBot Malware | CISA\r\nPublished: 2020-10-24 · Archived: 2026-04-05 13:19:16 UTC\r\nSummary\r\nThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) framework.\r\nSee the ATT\u0026CK for Enterprise frameworks for all referenced threat actor techniques.\r\nThis product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions by\r\nthe Multi-State Information Sharing \u0026 Analysis Center (MS-ISAC) .\r\nCISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020.\r\nThroughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive\r\nbranch networks, has detected persistent malicious LokiBot activity. LokiBot uses a credential- and information-stealing malware, often sent as a malicious attachment and known for being simple, yet effective, making it an\r\nattractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.\r\nTechnical Details\r\nLokiBot—also known as Lokibot, Loki PWS, and Loki-bot—employs Trojan malware to steal sensitive\r\ninformation such as usernames, passwords, cryptocurrency wallets, and other credentials.\r\nThe malware steals credentials through the use of a keylogger to monitor browser and desktop activity\r\n(Credentials from Password Stores [T1555 ]).\r\n(Credentials from Password Stores: Credentials from Web Browsers [T1555.003 ])\r\n(Input Capture: Keylogging [T1056.001 ])\r\nLokiBot can also create a backdoor into infected systems to allow an attacker to install additional payloads\r\n(Event Triggered Execution: Accessibility Features [T1546.008 ]).\r\nMalicious cyber actors typically use LokiBot to target Windows and Android operating systems and\r\ndistribute the malware via email, malicious websites, text, and other private messages (User Execution:\r\nMalicious File [T1204.002 ]). 
See figure 1 for enterprise techniques used by LokiBot.\r\nFigure 1: MITRE ATT\u0026CK enterprise techniques used by LokiBot\r\nSince LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications,\r\nincluding the following.\r\nFebruary 2020: Trend Micro identified cyber actors using LokiBot to impersonate a launcher for Fortnite\r\n—a popular video game.[1]\r\nAugust 2019: FortiGuard SE researchers discovered a malspam campaign distributing LokiBot\r\ninformation-stealing payloads in a spearphishing attack on a U.S. manufacturing company.[2]\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-266a\r\nPage 1 of 5\n\nAugust 2019: Trend Micro researchers reported LokiBot malware source code being hidden in image files\r\nspread as attachments in phishing emails.[3]\r\nJune 2019: Netskope uncovered LokiBot being distributed in a malspam campaign using ISO image file\r\nattachments.[4]\r\nApril 2019: Netskope uncovered a phishing campaign using malicious email attachments with LokiBot\r\nmalware to create backdoors onto infected Windows systems and steal sensitive information.[5]\r\nFebruary 2018: Trend Micro discovered CVE-2017-11882 being exploited in an attack using the Windows\r\nInstaller service to deliver LokiBot malware.[6]\r\nOctober 2017: SfyLabs identified cyber actors using LokiBot as an Android banking trojan that turns into\r\nransomware.[7]\r\nMay 2017: Fortinet reported malicious actors using a PDF file to spread a new LokiBot variant capable of\r\nstealing credentials from more than 100 different software tools.[8]\r\nMarch 2017: Check Point discovered LokiBot malware found pre-installed on Android devices.[9]\r\nDecember 2016: Dr.Web researchers identified a new LokiBot variant targeting Android core libraries.[10]\r\nFebruary 2016: Researchers discovered the LokiBot Android Trojan infecting the core Android operating\r\nsystem processes.[11]\r\nMITRE ATT\u0026CK Techniques\r\nAccording to MITRE, LokiBot uses 
the ATT\u0026CK techniques listed in table 1.\r\nTable 1: LokiBot ATT\u0026CK techniques (Technique [ID]: Use)\r\nSystem Network Configuration Discovery [T1016]: LokiBot has the ability to discover the domain name of the infected host.\r\nObfuscated Files or Information [T1027]: LokiBot has obfuscated strings with base64 encoding.\r\nObfuscated Files or Information: Software Packing [T1027.002]: LokiBot has used several packing methods for obfuscation.\r\nSystem Owner/User Discovery [T1033]: LokiBot has the ability to discover the username on the infected host.\r\nExfiltration Over C2 Channel [T1041]: LokiBot has the ability to initiate contact with command and control to exfiltrate stolen data.\r\nProcess Injection: Process Hollowing [T1055.012]: LokiBot has used process hollowing to inject into the legitimate Windows process vbc.exe.\r\nInput Capture: Keylogging [T1056.001]: LokiBot has the ability to capture input on the compromised host via keylogging.\r\nApplication Layer Protocol: Web Protocols [T1071.001]: LokiBot has used Hypertext Transfer Protocol for command and control.\r\nSystem Information Discovery [T1082]: LokiBot has the ability to discover the computer name and Windows product name/version.\r\nUser Execution: Malicious File [T1204.002]: LokiBot has been executed through malicious documents contained in spearphishing emails.\r\nCredentials from Password Stores [T1555]: LokiBot has stolen credentials from multiple applications and data sources including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients.\r\nCredentials from Password Stores: Credentials from Web Browsers [T1555.003]: LokiBot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and Chromium- and Mozilla Firefox-based web browsers.\r\nHide Artifacts: Hidden Files and Directories [T1564.001]: LokiBot has the ability to copy itself to a hidden file and directory.\r\nDetection\r\nSignatures\r\nCISA developed the following Snort signature for use in detecting network activity associated with LokiBot. The rule matches an HTTP POST whose normalized URI is shorter than 50 bytes and ends in one of the listed directory names followed by /fre.php; the flowbits keep it from alerting more than once per flow.\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"Lokibot:HTTP URI POST contains '/*/fre.php' post-infection\"; flow:established,to_server; flowbits:isnotset,.tagged; content:\"/fre.php\"; http_uri; fast_pattern:only; urilen:\u003c50,norm; content:\"POST\"; nocase; http_method; pcre:\"/\\/(?:alien|loky\\d|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll\\/NW|wrk|job|five\\d?|donemy|animation\\dkc|love|Masky|v\\d|lifetn|Ben)\\/fre\\.php$/iU\"; flowbits:set,.tagged; classtype:http-uri; metadata:service http; metadata:pattern HTTP-P001,)\r\nMitigations\r\nCISA and MS-ISAC recommend that federal, state, local, tribal, territorial government, private sector users, and\r\nnetwork administrators consider applying the following best practices to strengthen the security posture of their\r\norganization's systems. System owners and administrators should review any configuration changes prior to\r\nimplementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.\r\nKeep operating system patches up to date. See Understanding Patches and Software Updates.\r\nDisable file and printer sharing services. If these services are required, use strong passwords or Active\r\nDirectory authentication.\r\nEnforce multi-factor authentication. See Supplementing Passwords for more information.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to\r\nthe local administrators’ group unless required.\r\nEnforce a strong password policy. 
See Choosing and Protecting Passwords.\r\nExercise caution when opening email attachments, even if the attachment is expected and the sender\r\nappears to be known. See Using Caution with Email Attachments.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious email attachments; ensure the scanned attachment is its \"true file type\"\r\n(i.e., the extension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\r\nScan all software downloaded from the internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate access control lists.\r\nVisit the MITRE ATT\u0026CK Techniques pages (linked in table 1 above) for additional mitigation and\r\ndetection strategies.\r\nFor additional information on malware incident prevention and handling, see the National Institute of Standards\r\nand Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops\r\nand Laptops.\r\nResources\r\nCenter for Internet Security Security Event Primer – Malware: https://www.cisecurity.org/white-papers/security-event-primer-malware/\r\nMITRE ATT\u0026CK – LokiBot: https://attack.mitre.org/software/S0447/\r\nMITRE ATT\u0026CK for Enterprise: https://attack.mitre.org/matrices/enterprise/\r\nReferences\r\n[1] Trend Micro: LokiBot Impersonates Popular Game Launcher and Drops Compiled C# Code File\r\n[2] Fortinet: Newly Discovered Infostealer Attack Uses LokiBot\r\n[3] ZDNet: LokiBot Malware Now Hides its Source Code in Image Files\r\n[4] SecurityWeek: LokiBot and NanoCore Malware Distributed in ISO Image Files\r\n[5] Netskope: LokiBot \u0026 NanoCore being distributed via ISO disk image files\r\n[6] Trend 
Micro: Attack Using Windows Installer Leads to LokiBot\r\n[7] BleepingComputer: LokiBot Android Banking Trojan Turns Into Ransomware When You Try to Remove It\r\n[8] Fortinet: New Loki Variant Being Spread via PDF File\r\n[9] Check Point: Preinstalled Malware Targeting Mobile Users\r\n[10] BleepingComputer: Loki Trojan Infects Android Libraries and System Process to Get Root Privileges\r\n[11] New Jersey Cybersecurity \u0026 Communications Integration Cell: LokiBot\r\nRevisions\r\nSeptember 22, 2020: Initial Version\r\nSeptember 23, 2020: Added hyperlink to MS-ISAC\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-266a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-266a"
	],
	"report_names": [
		"aa20-266a"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434941,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eeb64eb0aaf7f8be217a6f44d3fc986acbe390ec.pdf",
		"text": "https://archive.orkl.eu/eeb64eb0aaf7f8be217a6f44d3fc986acbe390ec.txt",
		"img": "https://archive.orkl.eu/eeb64eb0aaf7f8be217a6f44d3fc986acbe390ec.jpg"
	}
}
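The Snort signature in the alert's Detection section (in the plain_text field above) combines four conditions: an HTTP POST, the fast-pattern content "/fre.php" in the normalized URI, a normalized URI length under 50 bytes, and a PCRE (flags iU) that anchors one of the listed directory names plus "/fre.php" to the end of the URI buffer, with a flowbit so each flow alerts only once. The following Python is an added example, not CISA's code and not part of the archived record: it re-implements that matching logic and runs it over constructed sample requests so the behaviour of each clause (case-insensitive method, urilen cut-off, the "$" anchor defeating a query string, per-flow suppression) can be seen. The URI normalization is a deliberately simplified stand-in for Snort's http_inspect (percent-decoding and "//" collapsing only), and the flow identifiers and request lines are invented for the sample set.

```python
"""Python emulation of the CISA AA20-266A LokiBot Snort rule (added example).

Assumptions, not from the alert: requests arrive already parsed into
(flow_id, method, uri); normalize_uri() only approximates Snort's normalized
URI buffer; the sample requests below are constructed, not captured traffic.
"""
import re
from urllib.parse import unquote

# Directory names copied verbatim from the rule's pcre; /i -> IGNORECASE,
# /U -> match against the normalized URI buffer, '$' -> must end the buffer.
LOKIBOT_URI_RE = re.compile(
    r"/(?:alien|loky\d|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|"
    r"scroll/NW|wrk|job|five\d?|donemy|animation\dkc|love|Masky|v\d|lifetn|Ben)"
    r"/fre\.php$",
    re.IGNORECASE,
)


def normalize_uri(uri: str) -> str:
    """Approximate Snort's normalized URI: percent-decode, collapse '//'.
    (Simplification; real http_inspect also handles directory traversal,
    UTF-8 and IIS double-encoding.)"""
    return re.sub(r"/{2,}", "/", unquote(uri))


def matches_lokibot_rule(method: str, uri: str) -> bool:
    """Stateless part of the rule, evaluated in the same order Snort would:
    http_method POST (nocase), content '/fre.php' (fast pattern),
    urilen:<50,norm, then the pcre with /U semantics."""
    norm = normalize_uri(uri)
    if method.upper() != "POST":
        return False
    if "/fre.php" not in norm:
        return False
    if len(norm) >= 50:
        return False
    return LOKIBOT_URI_RE.search(norm) is not None


class FlowTagger:
    """Emulates flowbits:isnotset,.tagged ... flowbits:set,.tagged:
    a flow alerts at most once for this rule, however often it beacons."""

    def __init__(self) -> None:
        self._tagged: set[str] = set()

    def evaluate(self, flow_id: str, method: str, uri: str) -> bool:
        if flow_id in self._tagged:
            return False
        if matches_lokibot_rule(method, uri):
            self._tagged.add(flow_id)
            return True
        return False


# Constructed sample requests (flow_id, method, uri); not real traffic.
SAMPLE_REQUESTS = [
    ("flowA", "POST", "/loki/fre.php"),                    # classic beacon -> alert
    ("flowA", "POST", "/loki/fre.php"),                    # same flow again -> suppressed
    ("flowB", "post", "/five3/fre.php"),                   # nocase method, 'five\d?' -> alert
    ("flowC", "GET", "/loki/fre.php"),                     # wrong method -> no alert
    ("flowD", "POST", "/loki/fre.php?x=1"),                # '$' anchor: query string defeats pcre
    ("flowE", "POST", "/" + "a" * 40 + "/loki/fre.php"),   # pcre would hit, but urilen >= 50
    ("flowF", "POST", "/scroll/NW/fre.php"),               # two-segment name from the rule
    ("flowG", "POST", "/LoKy7//fre.php"),                  # case + '//' normalization -> alert
    ("flowH", "POST", "/updates/fre.php"),                 # unlisted directory -> no alert
]


def run_samples(requests=SAMPLE_REQUESTS) -> list[tuple[str, bool]]:
    """Feed the samples through one FlowTagger; returns (flow_id, alerted)."""
    tagger = FlowTagger()
    return [(flow, tagger.evaluate(flow, method, uri)) for flow, method, uri in requests]


if __name__ == "__main__":
    for flow, hit in run_samples():
        print(f"{flow}: {'ALERT' if hit else 'pass'}")
```

Two of the sample cases are the ones worth remembering when tuning this rule: a beacon with a query string, or a URI of 50 bytes or more, slips past the published signature even though the directory name is on the list, so a local variant that relaxes the "$" anchor or the urilen cap trades false negatives for more false positives on legitimate /fre.php paths.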