{
	"id": "79a9ba9c-4186-4d9f-aa9c-31455ac0b149",
	"created_at": "2026-04-06T00:10:33.197263Z",
	"updated_at": "2026-04-10T13:12:52.536194Z",
	"deleted_at": null,
	"sha1_hash": "f0f03325833a2ce48c215586a17041a94c4818eb",
	"title": "Trojan:W32/Lokibot | F-Secure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 103247,
	"plain_text": "Trojan:W32/Lokibot | F-Secure\r\nArchived: 2026-04-05 18:39:04 UTC\r\nClassification\r\nAliases:\r\nTrojan.TR/AD.LokiBot, Fareit\r\nSummary\r\nLokibot is a password/info-stealing malware, delivered through malware spam (malspam) campaigns, and notably known for the wide range of applications that it targets.\r\nRemoval\r\nAutomatic action\r\nBased on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.\r\nA False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:\r\nCheck for the latest database updates\r\nFirst, check if your F-Secure security program is using the latest updates, then try scanning the file again.\r\nSubmit a sample\r\nAfter checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.\r\nNote: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.\r\nExclude a file from further scanning\r\nIf you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.\r\nNote: You need administrative rights to change the settings.\r\nTechnical Details\r\nhttps://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml\r\nPage 1 of 7\r\nInfection vector\r\nLokibot is commonly delivered through malicious spam (malspam) campaigns. There are numerous ways that the payload has been seen to be delivered through these spam mails:\r\nLokibot has been witnessed to exploit certain vulnerabilities in some of these attachment file formats, notably CVE-2017-11882, CVE-2018-0802, and CVE-2018-20250.\r\nFiles \u0026 Mutexes\r\nLokibot ensures that only a single instance of the malware is running on an infected system by creating a mutex. The mutex string is computed as the MD5 hash of the MachineGUID (obtained through registry).\r\nAdditionally, Lokibot creates a folder which contains multiple files. The folder path is %AppData%/\u003cMD5_MACHINEGUID\u003e[7:12]/.\r\nThe folder contains:\r\nData Stealing\r\nThis malware is notably known for stealing credentials from browsers, mail clients, file sharing programs, remote connection programs, and more. It also contains a keylogger component, which can be utilized by the malefactor.\r\nLokibot is capable of stealing data from the following applications:\r\n1Password\r\n32BitFtp\r\n360Browser\r\nAbleFTP\r\nAutomize7\r\nBitKinex\r\nBitvise\r\nBlazeFTP\r\nCatalina Group Citrio\r\nCheckMail\r\nChromium\r\nCốc Cốc\r\nComodo Chromodo\r\nComodo Dragon\r\nComodo IceDragon\r\nCoowon\r\nCyberduck\r\nCyberfox\r\nDeluxeFTP\r\nEasyFTP\r\nEnPass\r\nEpic Privacy Browser\r\nEstsoft ALFTP\r\nExpanDrive\r\nFAR Manager\r\nFasteam NETFile\r\nFileZilla\r\nFlashFXP\r\nFossaMail\r\nFoxmail\r\nFreshFTP\r\nFTP Navigator\r\nFTP Now\r\nFTPBox\r\nFTPGetter\r\nFtpInfo\r\nFTPShell\r\nFullSync\r\nGhisler Total Commander\r\nGmailNotifierPro\r\nGoFTP\r\nGoogle Chrome\r\nGoogle Chrome SxS\r\nIncrediMail\r\nInternet Explorer\r\nIpswitch\r\nIridium\r\nJaSFTP\r\nKeePass\r\nKiTTY\r\nK-Meleon\r\nLinasFTP\r\nLunascape\r\nMaple\r\nMaple Studio ChromePlus\r\nMikroTik Winbox\r\nMozilla Flock\r\nMozilla SeaMonkey\r\nmSecure\r\nMustang Browser\r\nNCH ClassicFTP\r\nNCH Fling\r\nNetDrive\r\nNETGATE BlackHawk\r\nNetSarang XFTP\r\nNexusFile\r\nNichrome\r\nNoteFly\r\nNotezilla\r\nNovaFTP\r\nNppFTP\r\nOdin Secure FTP Expert\r\nOpera\r\nOpera Mail\r\nOpera Next\r\nOrbitum\r\nOutlook\r\noZone3D MyFTP\r\nPale Moon\r\nPidgin\r\nPocomail\r\nPostbox\r\nPuTTY\r\nQtWeb\r\nQupZilla\r\nRealVNC\r\nRoboForm\r\nRockmelt\r\nSafari\r\nSecureFX\r\nSftpNetDrive\r\nsherrod FTP\r\nSleipnir\r\nSmartFTP\r\nSpark\r\nStaff-FTP\r\nSteed\r\nstickies\r\nStickyNotes\r\nSuperbird\r\nSuperPutty\r\nSyncovery\r\nTitan\r\nTo-Do DeskList\r\nTorch\r\nTrojit\r\nTrulyMail\r\nUltraFXP\r\nVivaldi\r\nWaterfox\r\nWinChips\r\nWinFtp Client\r\nWinSCP\r\nWS_FTP\r\nYandex Browser\r\nyMail\r\nNetwork Activity\r\nThe payload initiates a communication with the C\u0026C server to exfiltrate the stolen data and receive commands. Besides the stolen data, it sends the Windows product name and version, username, computer name, and domain name to the C\u0026C server.\r\nLokibot is most commonly seen to send a POST request to \u003cDOMAIN\u003e/subdir/subdir1/../fre[.]php, although other less-common patterns have also been observed in the wild (e.g. \u003cDOMAIN\u003e/subdir/subdir1/cat[.]php).\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nAnalysis on file: 55589f10cbf2e9efa809a09c9d75bd8ff6aacd16\r\nSource: https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml"
	],
	"report_names": [
		"trojan_w32_lokibot.shtml"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434233,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0f03325833a2ce48c215586a17041a94c4818eb.pdf",
		"text": "https://archive.orkl.eu/f0f03325833a2ce48c215586a17041a94c4818eb.txt",
		"img": "https://archive.orkl.eu/f0f03325833a2ce48c215586a17041a94c4818eb.jpg"
	}
}