LokiBot After a Decade: An Analysis of a Recent LokiBot Campaign
Essential information
- Published
- 25/06/2026 01:43
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- credential theft, infostealer, lokibot, malspam, multi-stage
- Related entities
- 1 vulnerability (CVE), 14 indicators, 9 observables, 18 techniques (MITRE ATT&CK), 1 malware
Description
LokiBot, an infostealer first advertised in May 2015, is still operating more than a decade later in numerous variants. It harvests credentials from over a hundred software products, including browsers, cryptocurrency wallets, password managers, and email and FTP clients. The campaign analysed here delivers LokiBot through malspam carrying JScript attachments; running the attachment starts a multi-stage chain in which a PowerShell loader retrieves and runs .NET injectors obfuscated with ConfuserEx. The final payload is injected into aspnet_compiler.exe, a legitimate .NET Framework binary, and resolves the Windows API functions it needs by hash rather than by name, so the imports it relies on never appear in a static import table. LokiBot's credential-theft code remains extensive, but the persistence routine in recent samples is broken: its decryption subroutines have been patched and no longer produce valid output. The payload still contacts its C2 servers, exfiltrates the stolen data in compressed form and waits for further commands, showing that the malware keeps evolving even though its overall activity has declined in recent years.
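The infection chain above gives a defender four observable stages: a script host starting PowerShell, PowerShell starting a dropped executable, aspnet_compiler.exe appearing under a parent that would never legitimately launch it, and aspnet_compiler.exe making outbound connections. The following is an added hunting example written for this page; it is not code from the report or its author. It runs over constructed, Sysmon-style process and network events embedded inline. The set of parents allowed to start aspnet_compiler.exe and the list of user-writable directories are assumptions that must be tuned to your own baseline.

```python
"""Stage-by-stage hunting heuristics for the LokiBot chain described above.

Added example: the events below are constructed test data, not indicators
from the report. Parent allow-list and path heuristics are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    kind: str          # "process_create" or "network_connect"
    image: str         # full path of the process the event is about
    parent: str        # full path of its parent process
    cmdline: str = ""  # command line (process_create only)
    dest: str = ""     # ip:port (network_connect only)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
INJECTION_TARGET = "aspnet_compiler.exe"
# Assumption: in the monitored estate only these parents ever start
# aspnet_compiler.exe. Baseline your own environment before relying on it.
EXPECTED_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe"}
# Assumption: user-writable locations a malspam-dropped injector would run from.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def basename(path: str) -> str:
    """Case-folded file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (stage, detail) pairs for every event matching a stage of the chain."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        img, par = basename(ev.image), basename(ev.parent)
        if ev.kind == "process_create":
            # Stage 1: the JScript attachment runs under wscript/cscript and
            # launches the PowerShell loader.
            if par in SCRIPT_HOSTS and img in POWERSHELL:
                findings.append(("stage1_script_host_spawned_powershell", ev.cmdline))
            # Stage 2: the loader runs the dropped .NET injector from a
            # user-writable directory.
            elif par in POWERSHELL and img.endswith(".exe") and any(
                d in ev.image.lower() for d in USER_WRITABLE
            ):
                findings.append(("stage2_powershell_ran_dropped_exe", ev.image))
            # Stage 3: aspnet_compiler.exe is started by something other than a
            # build tool, i.e. the injector creating its injection target.
            elif img == INJECTION_TARGET and par not in EXPECTED_COMPILER_PARENTS:
                findings.append(("stage3_aspnet_compiler_unexpected_parent", ev.parent))
        # Stage 4: a compiler has no business talking to the network; the
        # injected payload beaconing to C2 does.
        elif ev.kind == "network_connect" and img == INJECTION_TARGET:
            findings.append(("stage4_aspnet_compiler_network", ev.dest))
    return findings


def distinct_stages(findings: List[Tuple[str, str]]) -> int:
    """Number of distinct chain stages seen; 3 or more is a strong signal."""
    return len({stage for stage, _ in findings})


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
COMPILER = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
INJECTOR = r"C:\Users\alice\AppData\Roaming\stage2.exe"

# Constructed malicious sequence (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    ProcEvent("process_create", r"C:\Windows\System32\wscript.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"'),
    ProcEvent("process_create", PS, r"C:\Windows\System32\wscript.exe",
              "powershell.exe -w hidden -nop -c <loader>"),
    ProcEvent("process_create", INJECTOR, PS, "stage2.exe"),
    ProcEvent("process_create", COMPILER, INJECTOR, "aspnet_compiler.exe"),
    ProcEvent("network_connect", COMPILER, INJECTOR, dest="203.0.113.10:80"),
]

# Constructed benign activity that must not fire.
BENIGN_EVENTS = [
    ProcEvent("process_create", COMPILER,
              r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
              "aspnet_compiler.exe -v / -p C:\\src\\site"),
    ProcEvent("process_create", PS, r"C:\Windows\explorer.exe", "powershell.exe"),
]

if __name__ == "__main__":
    hits = assess(SAMPLE_EVENTS)
    for stage, detail in hits:
        print(f"{stage:45} {detail}")
    print("distinct stages:", distinct_stages(hits))
    print("benign findings:", assess(BENIGN_EVENTS))
```

Each stage on its own is noisy (developers do start PowerShell from odd places), which is why the block scores the number of distinct stages seen rather than alerting on any single match; in a real deployment the correlation should additionally key on the process tree so that stages from unrelated hosts are not counted together.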