LokiBot, one of the oldest credential-stealing malware families still active today, has resurfaced in a new multi-stage campaign designed to steal credentials from a wide range of applications.
The campaign uses a JScript email attachment as its entry point, quietly setting off a chain of events that ends with sensitive data being silently lifted from the victim’s machine.
What makes this resurgence notable is how the attackers have blended older techniques with newer evasion methods to avoid detection.
LokiBot was first advertised in May 2015 on an underground forum by threat actors known as “lokistov” and “carter.” After its source code leaked in 2018, multiple forks emerged, expanding the malware with Android support, keylogging, and remote access.
Today it can target credentials stored across more than a hundred applications, including browsers, cryptocurrency wallets, email clients, and FTP tools.
Analysts at LevelBlue identified this recent campaign, noting how the attackers carefully constructed each stage to limit exposure and destroy evidence if anything goes wrong.
LevelBlue said in a report shared with Cyber Security News (CSN) that the sample was distributed as a malicious email attachment, which remains the most frequently reported delivery method for LokiBot.
Its affordability and ease of use once made it a favorite among low-skilled cybercriminals, and its continued presence in threat feeds shows it is still being maintained.
The broader impact of a successful LokiBot infection is serious. Once the malware completes its credential-harvesting routines, it compresses the stolen data and transmits it to a remote server.
From there, attackers gain access to passwords and account details from dozens of applications, putting individuals and organizations at real risk of account takeover and data theft.
LokiBot Campaign Uses JScript Attachment, .NET Injector, and Process Injection
The attack begins when a victim receives a phishing email with a JScript file attached. Opening the file causes Windows to run it through the built-in Windows Script Host program.
The script is heavily obfuscated using decoy functions and hexadecimal-named variables to slow down analysis.
Once executed, the script decodes a Base64-encoded PowerShell script, saves it to the C:\Temp folder with a random filename, and runs it. If a defined timeout is exceeded, the script cleans up by terminating processes and deleting its own files.

The PowerShell stage then decrypts a .NET assembly payload using XOR with a hard-coded key and loads it directly into memory without writing to disk. The loaded .NET assembly, protected with the ConfuserEx obfuscator, acts as an injector.

It spawns a legitimate aspnet_compiler.exe process, allocates memory inside it, and writes the final LokiBot payload into that space. This process injection technique allows the malware to run inside a trusted Windows process, making it harder to flag.
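A static triage routine for the JScript stage that opens this chain, added here as an example and not code from the LevelBlue report: it counts hexadecimal-style identifiers, Base64-decodes long string literals, and checks whether the decoded text looks like PowerShell that writes under C:\Temp. The embedded sample is a constructed, harmless stand-in for the attachment, and the regexes are assumptions about the obfuscation style rather than signatures from the report.

```python
import base64
import re

# Constructed, harmless stand-in for the obfuscated JScript dropper: hex-style
# variable names, a decoy function, and one long Base64 literal. The literal
# decodes to placeholder PowerShell, not to the campaign's real second stage.
STAGE2_B64 = base64.b64encode(
    b"Write-Output 'constructed stage-2 placeholder'\n"
    b"Set-Content -Path C:\\Temp\\placeholder.ps1 -Value 'x'"
).decode()
SAMPLE_JS = f"""
var _0x4a1f = "dGVzdA==";
function _0x9c3e(_0x11aa) {{ return _0x11aa; }}
var _0x7b2d = "{STAGE2_B64}";
var _0x3e09 = new ActiveXObject("WScript.Shell");
"""

HEX_NAME = re.compile(r"\b_0x[0-9a-fA-F]{2,}\b")          # _0x4a1f style names
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")        # long Base64 runs only
PS_CMDLET = re.compile(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b")  # Verb-Noun cmdlets

def hex_named_identifiers(js: str) -> set:
    """Distinct hexadecimal-style identifiers, a cheap obfuscation signal."""
    return set(HEX_NAME.findall(js))

def decode_blobs(js: str) -> list:
    """Base64-decode every long literal that yields printable text."""
    out = []
    for blob in B64_BLOB.findall(js):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or binary rather than script text
        if all(c.isprintable() or c.isspace() for c in text):
            out.append(text)
    return out

def triage(js: str) -> dict:
    """Summarise the signals that match the dropper behaviour described above."""
    decoded = decode_blobs(js)
    return {
        "hex_identifiers": len(hex_named_identifiers(js)),
        "uses_wscript_shell": "WScript.Shell" in js,
        "decoded_blobs": len(decoded),
        "embedded_powershell": any(PS_CMDLET.search(t) for t in decoded),
        "writes_to_temp": any("C:\\Temp" in t for t in decoded),
    }
```

Run `triage(SAMPLE_JS)` on the constructed sample, or pass the text of a quarantined attachment, to get the signal summary as a dictionary.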
LokiBot Credential Theft and C2 Communication
Once active, LokiBot creates a mutex using the MD5 hash of the machine’s unique registry identifier to ensure only one instance runs at a time.

It then cycles through a list of dedicated credential-harvesting functions, each targeting a specific application, quietly collecting usernames and passwords across browsers, email clients, and more.
After harvesting credentials, LokiBot compresses the stolen data using aPLib and sends it to a command-and-control server whose address is stored in the binary using 3DES encryption.
The malware also tries to establish persistence via a registry run key, but newer samples built with custom builders contain a broken persistence mechanism due to a patched decryption routine.

To stay hidden, LokiBot avoids importing most Windows API functions directly and instead resolves them at runtime using a custom hashing technique.
Organizations can reduce risk by blocking script-based email attachments, watching for unexpected use of aspnet_compiler.exe, and enabling behavior-based endpoint protection that detects reflective loading and process injection patterns.
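Detection logic for the process chain this campaign leaves in endpoint telemetry (a script host launching PowerShell, PowerShell running a dropped script from C:\Temp, and aspnet_compiler.exe under a parent that is not a build tool), added as an example rather than anything from the report; the events are constructed Sysmon-style records, and the build-tool parent allow-list is an assumption to tune per environment.

```python
from collections import namedtuple
from pathlib import PureWindowsPath

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # simplified Sysmon Event ID 1 record

# Constructed sample telemetry, not real logs: one chain mirroring the campaign (mail client ->
# script host -> PowerShell -> aspnet_compiler.exe) and one benign build under msbuild.exe.
SAMPLE_EVENTS = [
    ProcEvent(400, 300, r"C:\Office\outlook.exe", "outlook.exe"),
    ProcEvent(412, 400, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\Downloads\invoice.js"'),
    ProcEvent(420, 412, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -ep bypass -f C:\Temp\ab3f9c.ps1"),
    ProcEvent(431, 420, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", "aspnet_compiler.exe"),
    ProcEvent(500, 300, r"C:\MSBuild\msbuild.exe", "msbuild.exe site.csproj"),
    ProcEvent(501, 500, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", "aspnet_compiler.exe -v / -p site"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BUILD_TOOLS = {"msbuild.exe", "devenv.exe"}  # assumed legitimate parents; tune per estate

def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()

def ancestry(by_pid: dict, pid: int) -> list:
    """Image basenames from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]

def detect(events: list) -> list:
    """Return (pid, reasons, ancestry) for each event matching the campaign's chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name, cmd = basename(e.image), e.cmdline.lower()
        pname = basename(by_pid[e.ppid].image) if e.ppid in by_pid else ""
        reasons = []
        if name == "powershell.exe" and pname in SCRIPT_HOSTS:
            reasons.append("script host launched PowerShell")
        if name == "powershell.exe" and "c:\\temp\\" in cmd and ".ps1" in cmd:
            reasons.append("PowerShell ran a script dropped in C:\\Temp")
        if name == "aspnet_compiler.exe" and pname not in BUILD_TOOLS:
            reasons.append(f"aspnet_compiler.exe spawned by {pname or 'unknown'}")
        if reasons:
            alerts.append((e.pid, reasons, ancestry(by_pid, e.pid)))
    return alerts
```

On the sample, `detect(SAMPLE_EVENTS)` flags the PowerShell and aspnet_compiler.exe events of the malicious chain with their full ancestry, and leaves the msbuild-driven compiler run alone.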
Indicators of Compromise (IoCs):