Skip to content
Malware family Windows

Lokibot

LokiBot is a long-running commodity information stealer first advertised in 2015 and later proliferated through multiple forks after its source code leaked in 2018.

Profile source: Mallory opens in a new tab

Lokibot

Family profile

LokiBot is a long-running commodity information stealer first advertised in 2015 and later proliferated through multiple forks after its source code leaked in 2018. It is primarily known for credential theft from a broad set of Windows applications, including web browsers, email clients, FTP and SFTP software, Windows credential sources, and in some variants cryptocurrency-related applications. Some reporting also attributes keylogging and expanded remote-access-style functionality to later forks, but its core role remains credential harvesting and data exfiltration.

LokiBot is commonly delivered through phishing and malspam campaigns, often using malicious attachments such as JScript, spreadsheet, or other document-based lures that rely on user execution or enabling active content. Observed campaigns have used multi-stage loaders involving obfuscated script stages, PowerShell, in-memory .NET components, and process injection into legitimate Windows processes to launch the final payload while reducing detection. LokiBot has also appeared as a payload delivered by other malware distribution services and loaders, including steganography-enabled campaigns and shellcode-based downloaders.

On infected Windows systems, LokiBot has demonstrated runtime API resolution, mutex-based single-instance control, copying itself into hidden files or directories, registry modification associated with UAC bypass or Run-key persistence attempts, and outbound communication with command-and-control infrastructure to transmit stolen data. Collected information is compressed before exfiltration in some variants. LokiBot also performs host profiling such as username discovery and has been observed using PowerShell during execution chains. Updated variants have used steganographic techniques to conceal code within image files.

LokiBot has remained prevalent for years because of its low cost, accessibility to lower-skill operators, and effectiveness in account theft operations. It has been associated with broad cybercrime activity rather than a single exclusive operator, including use in phishing-heavy ecosystems such as those linked to SilverTerrier and TA558. It continues to target organizations and individuals opportunistically across sectors wherever stolen credentials can be monetized.

Capabilities

  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Keylogging
  • Persistence
  • Process Injection
  • Reconnaissance

Reported operators

Threat actors

4 named in public reporting
TA558

[👽TA] TA558 (🏴): Steganography using other malwares (AgentTesla, FormBook, Remcos, LokiBot, GuLoader or XWorm)

SilverTerrier

The info stealers most popular with SilverTerrier last year were LokiBot (446 unique samples/month), Pony (330 unique samples/month), and Agent Tesla .NET keylogger (95 unique samples/month).

TMT

The group relied exclusively on a variety of publicly available spyware and Remote Access Trojans (RATs), including AgentTesla, Lokibot, AzoRult, Pony, and NetWire.

RATicate

"...we found several different families of RATs and infostealers. These included Lokibot, Betabot, Formbook, and AgentTesla."

Exploited software

Vulnerabilities linked to Lokibot

2 CVEs

MITRE ATT&CK

Lokibot in ATT&CK

60 distinct techniques

Techniques

60 techniques
T1596.001 DNS/Passive DNS T1596.005 Scan Databases T1082 System Information Discovery T1112 Modify Registry T1548.002 Bypass User Account Control T1027.003 Steganography T1027.007 Dynamic API Resolution T1218 System Binary Proxy Execution T1027 Obfuscated Files or Information T1059.007 JavaScript T1547.001 Registry Run Keys / Startup Folder T1055 Process Injection T1555 Credentials from Password Stores T1573 Encrypted Channel T1059.001 PowerShell T1568.001 Fast Flux DNS T1560 Archive Collected Data T1566 Phishing T1622 Debugger Evasion T1140 Deobfuscate/Decode Files or Information T1071 Application Layer Protocol T1620 Reflective Code Loading T1566.001 Spearphishing Attachment T1071.001 Web Protocols T1041 Exfiltration Over C2 Channel T1036 Masquerading T1056 Input Capture T1005 Data from Local System T1083 File and Directory Discovery T1204.002 Malicious File T1564.001 Hidden Files and Directories T1016 System Network Configuration Discovery T1033 System Owner/User Discovery T1027.009 Embedded Payloads T1204 User Execution T1059.003 Windows Command Shell T1053.005 Scheduled Task T1070.004 File Deletion T1555.003 Credentials from Web Browsers T1056.001 Keylogging T1539 Steal Web Session Cookie T1657 Financial Theft T1518 Software Discovery T1105 Ingress Tool Transfer T1562 Impair Defenses T1001 Data Obfuscation T1059.005 Visual Basic T1055.012 Process Hollowing T1106 Native API T1053 Scheduled Task/Job T1027.002 Software Packing T1048 Exfiltration Over Alternative Protocol T1027.013 Encrypted/Encoded File T1203 Exploitation for Client Execution T1497.003 Time Based Checks T1059 Command and Scripting Interpreter T1497 Virtualization/Sandbox Evasion T1546.008 Accessibility Features T1003.001 LSASS Memory T1566.002 Spearphishing Link

Reporting

Research mentioning Lokibot

Jul 10
Codeby

Пивотинг по инфраструктуре: от домена до карты актора

Один домен - sempersim[.]su - засветился в фиде ThreatFox как C2 для LokiBot.

Jun 25
Cyber Security News

LokiBot Campaign Uses JScript Attachment, .NET Injector, and Process Injection to Steal Credentials

LokiBot, one of the oldest credential-stealing malware families still active today, has resurfaced in a new multi-stage campaign designed to steal credentials from a wide range of applications.

Jun 24
Levelblue Spiderlabs

LokiBot After a Decade: An Analysis of a Recent LokiBot Campaign

LokiBot, one of the oldest infostealers that are still active today, was first advertised in May 2015 on an underground forum by vendors nicknamed ‘lokistov’ and ‘carter.’

Jun 22
The Hacker News

INTERPOL Warns Phishing, Ransomware, and AI Scams Are Rising Across Asia-Pacific

Banking trojans and information stealers materialized as the second most prevalent type of cybercrime, with malware families like RedLine, Lumma, LokiBot, Negasteal, and ZBot taking up the top spots.

Jun 5
Codeby

Стеганография в вредоносном ПО: APT-техники и детект

Отдельно стоит упомянуть LokiBot - инфостилер, известный кражей учётных данных. По данным анализа Trend Micro, обновлённые варианты LokiBot используют стеганографию для сокрытия кода внутри JPG-файлов.

May 22
Cyber Security News

Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access

Indicators of Compromise (IoCs):- ... Malware LokiBot Infostealer deployed via legacy Office exploit chains

May 21
Cyber Security News

Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections - Cyber Security News

This technique mirrors tactics used by malware families like Agent Tesla, GuLoader, LokiBot, and Quasar RAT, which rely on the resource section to bury their payloads.

May 15
Palo Alto Networks Unit 42

Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files

Gremlin stealer uses the resource section to mirror the tactics of several high-profile malware families that frequently use this area for payload obfuscation, including: Agent Tesla, GuLoader, LokiBot, Quasar RAT.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.