Lolbot

Category: rat · Aliases: None known · Sample count (EMBER 2018): 374 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Lolbot is a specialized trojan family frequently associated with instant messaging disruption, banking fraud, and credential theft.

Understanding Lolbot
While early variants of Lolbot were known for hijacking popular instant messaging applications (like Yahoo Messenger or Skype) to spread malicious links to a victim's contact list, modern iterations are highly focused on intercepting financial transactions. For security analysts, Lolbot is a dangerous information stealer that relies on Man-in-the-Browser (MitB) or keylogging techniques to harvest sensitive data.

Execution and Evasion Strategies
Lolbot typically gains initial access through spearphishing campaigns containing weaponized macro documents or malicious ZIP archives. Once executed, it injects its malicious DLLs into web browser processes (such as chrome.exe or iexplore.exe) and messaging applications. This allows the malware to hook API calls, thereby intercepting credentials before they are encrypted and sent over the network. To evade Endpoint Detection and Response (EDR) solutions, Lolbot employs heavy obfuscation and often checks for the presence of virtual machines (anti-analysis techniques).

Indicators of Compromise (IoCs)
Incident responders investigating Lolbot should search for unauthorized DLL injections in browser memory spaces, unexpected modifications to local proxy settings, and anomalous outbound HTTPS traffic to unknown command-and-control (C2) domains. The presence of dropped `.dat` or `.log` files in the user's `AppData` directory often indicates active keylogging.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1566.001Phishing: Spearphishing AttachmentInitial Access
T1055.001Process Injection: Dynamic-link Library InjectionDefense Evasion
T1056.001Input Capture: KeyloggingCollection
T1185Browser Session HijackingCollection
T1497.001Virtualization/Sandbox Evasion: System ChecksDefense Evasion

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_LOLBOT {
    meta:
        description = "Detects Lolbot (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "lolbot" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Lolbot Activity
id: aaecf237cf58e3914a7000581330310c
status: experimental
description: Detects generic indicators of the lolbot malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*lolbot*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Immediately disconnect the compromised asset from the network to halt the exfiltration of stolen credentials.
  2. Force a global password reset for all user accounts that were accessed from the infected endpoint, prioritizing financial and corporate accounts.
  3. Utilize memory forensics tools (like Volatility) to identify and dump the injected malicious DLLs from browser processes.
  4. Audit the system's local proxy and DNS settings, ensuring they have not been modified to intercept secure web traffic.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not log into any administrative portals or sensitive accounts from the infected machine, as the keylogger will capture these new credentials.
  2. Do not blindly trust basic AV scans, as Lolbot's process injection often allows it to bypass static signature checks.

References & External Analysis

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/lolbot.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.