LokiBot, one of the oldest credential-stealing malware families still active today, has resurfaced in a new multi-stage campaign designed to steal credentials from a wide range of applications. The campaign uses a JScript email attachment as its entry point, quietly setting off a chain of events that ends with sensitive data being exfiltrated from the victim’s machine. Analysts at LevelBlue identified and documented this recent wave.
A Decade of Evolution
LokiBot was first advertised in May 2015 on underground forums. After its source code leaked in 2018, multiple forks emerged, expanding the malware with Android support, keylogging, and remote access capabilities. Today it can target credentials stored across more than a hundred applications, including web browsers, cryptocurrency wallets, email clients, and FTP tools. Despite its age, it continues to be maintained and distributed in active campaigns.
Stage 1: The JScript Dropper
The attack begins when a victim receives a phishing email with a JScript file attached. Opening the file causes Windows to execute it through the built-in Windows Script Host. The script is heavily obfuscated using decoy functions and hexadecimal-named variables to slow down analysis by security researchers and automated sandboxes.
Once executed, the script decodes a Base64-encoded PowerShell script, saves it to the C:\Temp folder with a random filename, and runs it. If a defined timeout is exceeded, the script cleans up by terminating related processes and deleting its own files — a built-in anti-forensics mechanism designed to frustrate incident response.
Stage 2: In-Memory .NET Injection
The PowerShell stage decrypts a .NET assembly payload using XOR with a hard-coded key and loads it directly into memory without writing to disk — a fileless technique that bypasses many traditional file-scanning defenses. The loaded .NET assembly is protected with the ConfuserEx obfuscator, adding another layer of analysis resistance.
This .NET injector spawns a legitimate aspnet_compiler.exe process, allocates memory inside it, and writes the final LokiBot payload into that space. This process injection technique allows the malware to execute inside a trusted Windows process, making it significantly harder to flag through behavioral heuristics alone.
Stage 3: LokiBot Credential Harvesting
Once active, LokiBot creates a mutex using the MD5 hash of the machine’s unique registry identifier to ensure only one instance runs at a time. It then cycles through a list of dedicated credential-harvesting routines, each targeting a specific application category:
- Web browsers (Chrome, Firefox, Edge, and others)
- Email clients (Outlook, Thunderbird, and others)
- FTP tools (FileZilla, WinSCP, and others)
- Cryptocurrency wallets
- VPN clients and remote desktop tools
After harvesting, LokiBot compresses the stolen data using aPLib and transmits it to a command-and-control server whose address is stored in the binary using 3DES encryption. The malware also resolves most Windows API functions at runtime using a custom hashing technique rather than importing them directly, evading static import analysis.
Broken Persistence in Newer Samples
LokiBot typically attempts to establish persistence via a registry Run key. However, researchers found that newer samples built with custom builders contain a broken persistence mechanism due to a patched decryption routine — meaning each infection may need to be re-established rather than surviving reboots automatically. This could indicate ongoing development by the threat actor.
Indicators of Compromise
- JScript SHA-256: c099f965144bccd0b590f946659fc3c0747c54aef505b6caaca9078712f455fb
- .NET injector SHA-256: 64c7dd0a3a3ae49977ac05913d3878000cce14e5d8c1ee05b782bdfd648bde91
- LokiBot PE SHA-256: 4c9f271242f61f1a31b8146305e9a7ed512c521445d4f7a7a901e301307add3d
- C2 IP: 158.94.211[.]95
- C2 domains: kbfvzoboss[.]bid, alphastand[.]trade, alphastand[.]win, alphastand[.]top
- C2 URL pattern: /alien/fre.php and /kelly/five/fre.php
Defensive Recommendations
Organizations can reduce exposure by blocking script-based email attachments (particularly .js and .jse files) at the email gateway. Security teams should also monitor for unexpected spawning of aspnet_compiler.exe, especially when initiated by PowerShell or other scripting engines — this is a strong behavioral indicator of process injection. Enabling behavior-based endpoint protection that detects reflective loading and hollowing patterns is the most reliable defense against LokiBot’s evolving evasion chain.
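As an added illustration of the monitoring advice above (written for this page, not code from the article or from LevelBlue's research), the following Python script applies the parent/child relationships described in the stages to constructed process-creation records modelled on Sysmon Event ID 1 fields; the sample paths, the "no build switches" heuristic and the BUILD_SWITCHES list are assumptions, not details from the write-up.

```python
import ntpath

# Process-creation records modelled loosely on Sysmon Event ID 1 fields.
# Constructed sample events for illustration, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {   # Stage 1 pattern: the JScript host runs a dropped PowerShell file from C:\Temp
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ep bypass -f C:\Temp\x7f3k2q.ps1",
    },
    {   # Stage 2 pattern: PowerShell spawns aspnet_compiler.exe with no build switches
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"',
    },
    {   # benign: build tooling invokes the compiler with its usual switches
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
        "CommandLine": r"aspnet_compiler.exe -v / -p C:\src\webapp -f C:\out",
    },
    {   # benign: a user opens an interactive shell from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
BUILD_SWITCHES = ("-v", "-p", "-f", "-m")  # switches a genuine aspnet_compiler run carries (assumption)

def _base(path):
    return ntpath.basename(path).lower()

def classify(event):
    """Name the matching LokiBot-chain pattern for one event, or None if it looks clean."""
    parent, image = _base(event["ParentImage"]), _base(event["Image"])
    cmd = event["CommandLine"].lower()
    if image == "aspnet_compiler.exe" and parent in SCRIPT_HOSTS:
        return "aspnet_compiler.exe spawned by a script host (injection target)"
    # Heuristic (assumption, not from the write-up): legitimate runs pass build switches,
    # whereas a process used only as an injection host is usually started with none.
    if image == "aspnet_compiler.exe" and not any(s in cmd.split() for s in BUILD_SWITCHES):
        return "aspnet_compiler.exe started without build switches"
    if image in ("powershell.exe", "pwsh.exe") and parent in ("wscript.exe", "cscript.exe") \
            and "c:\\temp\\" in cmd:
        return "script host launching PowerShell from C:\\Temp (dropper pattern)"
    return None

def detect(events):
    # (event index, rule name) for every record that matches one of the rules above
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]
```

Run against the sample records, only the two malicious-chain events are flagged; the MSBuild and Explorer parents stay quiet.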
Source: Cyber Security News, June 25, 2026. Original research by LevelBlue.