[👽TA] TA558 (🏴): Steganography using other malwares (AgentTesla, FormBook, Remcos, LokiBot, GuLoader or XWorm)
Lokibot
LokiBot is a long-running commodity information stealer first advertised in 2015 and later proliferated through multiple forks after its source code leaked in 2018.
Profile source: Mallory opens in a new tabLokibot
Family profile
LokiBot is a long-running commodity information stealer first advertised in 2015 and later proliferated through multiple forks after its source code leaked in 2018. It is primarily known for credential theft from a broad set of Windows applications, including web browsers, email clients, FTP and SFTP software, Windows credential sources, and in some variants cryptocurrency-related applications. Some reporting also attributes keylogging and expanded remote-access-style functionality to later forks, but its core role remains credential harvesting and data exfiltration.
LokiBot is commonly delivered through phishing and malspam campaigns, often using malicious attachments such as JScript, spreadsheet, or other document-based lures that rely on user execution or enabling active content. Observed campaigns have used multi-stage loaders involving obfuscated script stages, PowerShell, in-memory .NET components, and process injection into legitimate Windows processes to launch the final payload while reducing detection. LokiBot has also appeared as a payload delivered by other malware distribution services and loaders, including steganography-enabled campaigns and shellcode-based downloaders.
On infected Windows systems, LokiBot has demonstrated runtime API resolution, mutex-based single-instance control, copying itself into hidden files or directories, registry modification associated with UAC bypass or Run-key persistence attempts, and outbound communication with command-and-control infrastructure to transmit stolen data. Collected information is compressed before exfiltration in some variants. LokiBot also performs host profiling such as username discovery and has been observed using PowerShell during execution chains. Updated variants have used steganographic techniques to conceal code within image files.
LokiBot has remained prevalent for years because of its low cost, accessibility to lower-skill operators, and effectiveness in account theft operations. It has been associated with broad cybercrime activity rather than a single exclusive operator, including use in phishing-heavy ecosystems such as those linked to SilverTerrier and TA558. It continues to target organizations and individuals opportunistically across sectors wherever stolen credentials can be monetized.
Capabilities
- Credential Theft
- Defense Evasion
- Exfiltration
- Keylogging
- Persistence
- Process Injection
- Reconnaissance
Reported operators
Threat actors
4 named in public reportingThe info stealers most popular with SilverTerrier last year were LokiBot (446 unique samples/month), Pony (330 unique samples/month), and Agent Tesla .NET keylogger (95 unique samples/month).
The group relied exclusively on a variety of publicly available spyware and Remote Access Trojans (RATs), including AgentTesla, Lokibot, AzoRult, Pony, and NetWire.
"...we found several different families of RATs and infostealers. These included Lokibot, Betabot, Formbook, and AgentTesla."
Exploited software
Vulnerabilities linked to Lokibot
2 CVEsMITRE ATT&CK
Lokibot in ATT&CK
60 distinct techniquesTechniques
60 techniquesReporting
Research mentioning Lokibot
Пивотинг по инфраструктуре: от домена до карты актора
Один домен - sempersim[.]su - засветился в фиде ThreatFox как C2 для LokiBot.
LokiBot Campaign Uses JScript Attachment, .NET Injector, and Process Injection to Steal Credentials
LokiBot, one of the oldest credential-stealing malware families still active today, has resurfaced in a new multi-stage campaign designed to steal credentials from a wide range of applications.
LokiBot After a Decade: An Analysis of a Recent LokiBot Campaign
LokiBot, one of the oldest infostealers that are still active today, was first advertised in May 2015 on an underground forum by vendors nicknamed ‘lokistov’ and ‘carter.’
INTERPOL Warns Phishing, Ransomware, and AI Scams Are Rising Across Asia-Pacific
Banking trojans and information stealers materialized as the second most prevalent type of cybercrime, with malware families like RedLine, Lumma, LokiBot, Negasteal, and ZBot taking up the top spots.
Стеганография в вредоносном ПО: APT-техники и детект
Отдельно стоит упомянуть LokiBot - инфостилер, известный кражей учётных данных. По данным анализа Trend Micro, обновлённые варианты LokiBot используют стеганографию для сокрытия кода внутри JPG-файлов.
Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access
Indicators of Compromise (IoCs):- ... Malware LokiBot Infostealer deployed via legacy Office exploit chains
Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections - Cyber Security News
This technique mirrors tactics used by malware families like Agent Tesla, GuLoader, LokiBot, and Quasar RAT, which rely on the resource section to bury their payloads.
Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Gremlin stealer uses the resource section to mirror the tactics of several high-profile malware families that frequently use this area for payload obfuscation, including: Agent Tesla, GuLoader, LokiBot, Quasar RAT.