Skip to content
Ransomware group

Loki

Loki is tracked by ransomware.live as a ransomware operation.

Profile source: Ransomware.live opens in a new tab

Loki

Family profile

Loki is tracked by ransomware.live as a ransomware operation. Public ransomware-specific technical reporting remains limited, so this profile excludes unrelated backdoor and credential-stealer families that also use the Loki name.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • NirSoft ChromePass
  • NirSoft WebBrowserPassView

Discovery Enum

  • Advanced IP Scanner

Reporting

Research mentioning Loki

Dec 22
Cyber Security News

Arcane Werewolf Hacker Group Added Loki 2.1 Malware Toolkit to their Arsenal

The threat actor group known as Arcane Werewolf, also tracked as Mythic Likho, has refreshed its attack capabilities by deploying a new version of its custom malware called Loki 2.1.

Feb 12
Securelist Ru

Агенты для Mythic, Merlin и Loki, атакуют российские компании | Securelist

Так, например, один из экземпляров Merlin, попавших к нам в обработку, — с хэш-суммой 6B16D1C2D6D749C8B0E7671E9B347791 и командным центром mail.gkrzn[.]ru — загружал в систему жертвы образец Loki новой версии 2.0 ...

Nov 29
Thecyberwire

Threat Landscape with Wes Drone

WannaCry was kind of going... we just assumed it was phishing campaigns... this is when Loki ransomware was like getting delivered in just troves... Loki was an attachment... delivered via email attachment...

Apr 16
Irfan Eternal Github

Malware String Decryption in 2 ways - irfan_eternal

from dumpulator import Dumpulator dp = Dumpulator ( "loki.dump" , quiet = "TRUE" )

May 13
Securelist

A new version of the Loki backdoor for the Mythic framework attacks Russian companies | Securelist

In July 2024, we discovered the previously unknown Loki backdoor, which was used in a series of targeted attacks. By analyzing the malicious file and open sources, we determined that Loki is a private version of an agent for the open-source Mythic framework.

May 12
Cisa Advisories

Top 10 Routinely Exploited Vulnerabilities | CISA

CVE-2017-11882 ... Products Associated Malware: Loki, FormBook, Pony/FAREIT

Apr 1
Spamhaus

Malware | Botnet C&C malware - the highs and lows of 2018 | Spamhaus

Credential Stealers: As in 2017, credential stealers were still accounting for the most significant amount of botnet C&C traffic; however there were changes as to which were top of the leader board. Pony held the #1 spot for two years, however in 2018 Loki took pole position, having more than doubled the number of unique botnet C&Cs associated with it.

Oct 15
Talos Intelligence

Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox

We have also observed newer campaigns being used to distribute Agent Tesla and Loki that are leveraging CVE-2017-11882.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.