Lokibot

Category: spyware · Aliases: InfoStealer.LokiBot, Trojan-PSW.Win32.Loki, Loki PWS · Sample count (EMBER 2018): 55 · Enrichment: curated_sourced · Updated: 2026-07-02T09:03:09Z

Overview

Executive Summary

LokiBot (also known as Loki PWS) is a highly prolific, commercially available Information Stealer (InfoStealer) and keylogger that has been active since at least 2015. Sold on underground cybercriminal forums as Malware-as-a-Service (MaaS), it is designed for the rapid and comprehensive exfiltration of credentials, cryptocurrency wallets, and other sensitive data from compromised Windows systems. While primarily an InfoStealer, some variants exhibit rudimentary backdoor capabilities.

Infection Vector and Technical Capabilities

LokiBot is heavily distributed via massive, automated spam campaigns (malspam) utilizing malicious email attachments (such as weaponized Excel documents, PDFs, or ISO files) or embedded links pointing to exploit kits. Its technical operation is focused entirely on covert data theft:

Threat Assessment

A LokiBot detection is a severe data breach. The immediate threat is the total compromise of corporate email, VPN access, and administrative credentials. Cybercriminals frequently use LokiBot to steal the initial credentials necessary to launch devastating Business Email Compromise (BEC) attacks or to sell network access to ransomware syndicates.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1056.001 T1555 T1048

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_LOKIBOT {
    meta:
        description = "Detects Lokibot (spyware)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "lokibot" ascii wide nocase
        $s2 = "infostealer.lokibot" ascii wide nocase
        $s3 = "trojan-psw.win32.loki" ascii wide nocase
        $s4 = "loki pws" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Lokibot Activity
id: 20eb1f82621001883ea0c2085aff5729
status: experimental
description: Detects generic indicators of the lokibot malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*lokibot*"
            - "*infostealer.lokibot*"
            - "*trojan-psw.win32.loki*"
            - "*loki pws*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Lokibot?

A widely distributed information stealer, first reported in 2015, that targets credentials and other sensitive data.

What does Lokibot steal?

Usernames, passwords, cryptocurrency wallet data, and other stored credentials.

Can Lokibot do more than steal data?

Yes; MITRE notes it can create a backdoor to let an attacker install additional payloads.

How is Lokibot delivered?

Mainly through phishing emails with malicious attachments or links.

How can I protect credentials from stealers like Lokibot?

Use a password manager and multi-factor authentication, avoid suspicious attachments, and keep endpoint protection updated.

Where is the authoritative reference?

MITRE ATT&CK's Lokibot entry (S0447), linked on this page.

Related Families (Category: spyware)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/lokibot.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.