LokiBot (also known as Loki PWS) is a highly prolific, commercially available Information Stealer (InfoStealer) and keylogger that has been active since at least 2015. Sold on underground cybercriminal forums as Malware-as-a-Service (MaaS), it is designed for the rapid and comprehensive exfiltration of credentials, cryptocurrency wallets, and other sensitive data from compromised Windows systems. While primarily an InfoStealer, some variants exhibit rudimentary backdoor capabilities.
Infection Vector and Technical Capabilities
LokiBot is heavily distributed via massive, automated spam campaigns (malspam) utilizing malicious email attachments (such as weaponized Excel documents, PDFs, or ISO files) or embedded links pointing to exploit kits.
Its technical operation is focused entirely on covert data theft:
Comprehensive Credential Harvesting: LokiBot targets a vast array of software. It decrypts and extracts saved passwords from web browsers (Chrome, Firefox, Edge, Safari), FTP/SFTP clients (FileZilla, WinSCP), email clients (Outlook, Thunderbird), and specialized IT administration tools (PuTTY, RDP connections).
Cryptocurrency Theft: It actively searches the file system for local cryptocurrency wallet files (`wallet.dat`) and attempts to steal the private keys for Bitcoin, Ethereum, and other major altcoins.
Evasion and Exfiltration: The malware often uses process hollowing (e.g., injecting into `vbc.exe`) to evade antivirus detection. It compresses and encrypts the stolen data, typically exfiltrating it to a Command and Control (C2) server via HTTP POST requests using a hardcoded, distinct user-agent string.
Threat Assessment
A LokiBot detection is a severe data breach. The immediate threat is the total compromise of corporate email, VPN access, and administrative credentials. Cybercriminals frequently use LokiBot to steal the initial credentials necessary to launch devastating Business Email Compromise (BEC) attacks or to sell network access to ransomware syndicates.
Incident Response and Remediation
Mandatory Credential Reset: The absolute highest priority is an immediate, global password reset for all accounts associated with the compromised user. Because it steals VPN and RDP credentials, these must be secured instantly to prevent secondary breaches.
MFA Enforcement: Ensure strict Multi-Factor Authentication (MFA) is enforced across all external-facing corporate portals to neutralize the threat of the stolen passwords being reused.
C2 Blockade and EDR Triage: Block all known LokiBot C2 IP addresses at the corporate firewall. Utilize EDR to ensure the executable is completely removed and verify no secondary payloads were downloaded before quarantine.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1056.001T1555T1048
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.