LokiBot After a Decade: An Analysis of a Recent LokiBot Campaign
LokiBot, an infostealer first advertised in May 2015, continues to operate more than a decade later in numerous variants. The malware targets credentials from over a hundred software products, including browsers, cryptocurrency wallets, password managers, and email and FTP clients. A recent campaign delivers LokiBot through malspam carrying JScript email attachments, which start a multi-stage infection chain of PowerShell loaders and .NET injectors protected by ConfuserEx. The final payload is injected into aspnet_compiler.exe and resolves Windows APIs by hash rather than by name to evade static detection. While LokiBot retains its extensive credential-theft capabilities, recent samples exhibit broken persistence mechanisms because their decryption subroutines have been patched. The malware communicates with its C2 servers to exfiltrate compressed stolen data and to await further commands, demonstrating continued evolution despite reduced activity in recent years.
Pulse ID: 6a3c6b9416a51c4cdec616c4
Pulse Link: https://otx.alienvault.com/pulse/6a3c6b9416a51c4cdec616c4
Pulse Author: AlienVault
Created: 2026-06-24 23:43:16
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#ASPNet #ASPNet_Compiler #Browser #CyberSecurity #Email #InfoSec #InfoStealer #MalSpam #Malware #NET #OTX #OpenThreatExchange #Password #PowerShell #RAT #SMS #Spam #Word #bot #cryptocurrency #AlienVault
