LokiBot, a long-lived infostealer first advertised in May 2015, continues to evolve. Recent samples demonstrate deliberate attempts to evade static detection and frustrate analysis by combining API hashing with 3DES-encrypted command-and-control (C2) configuration stored inside the binary.
The result is a compact, stealthy loader that reconstructs and executes a traditional LokiBot payload while limiting observable imports and hiding network infrastructure.
The JScript layer interleaves real decoding logic with decoy functions, and includes timed cleanup routines that remove temporary files and kill processes if time thresholds expire.
The PowerShell component acts as a reflective .NET assembly loader: an XOR layer reveals a Base64 .NET assembly, which is loaded with [System.Reflection.Assembly]::Load and invoked via a MEN.EXECUTE.LAUNCH() entrypoint.
Parameters passed include the full path to aspnet_compiler.exe and a long byte array that later supplies a PE image to inject.
The reflectively loaded assembly, protected with ConfuserEx, resolves a set of kernel32 exports dynamically and proceeds to spawn aspnet_compiler.exe, allocate memory, and write PE sections into that target process.
Analysis-friendly patches that log WinAPI parameters show the loader invoking CreateProcess, VirtualAllocEx, WriteProcessMemory, SetThreadContext, and ResumeThread in the canonical process-injection chain.
LokiBot, one of the oldest infostealers that are still active today, was first advertised in May 2015 on an underground forum by vendors nicknamed ‘lokistov’ and ‘carter.’
The injected 32-bit PE is the final LokiBot payload, compiled with MSVC 2015 and containing an “x” data section that houses 3DES-encrypted C2 endpoints.
According to LevelBlue, the campaign begins with malspam delivering an obfuscated JScript attachment that leverages Windows Script Host to stage a Base64-encoded PowerShell loader.
LokiBot Malware Uses API Hashing
A notable evasion technique in these samples is API hashing. Instead of a normal import table, the malware uses a tiny static import set and resolves the functions it needs at runtime by enumerating the export names of targeted DLLs and matching them against precomputed hashes.
LokiBot’s custom hash applies repeated right shifts and XOR with a fixed constant; because this function is documented and catalogued (for example in HashDB), investigators can map observed hash values back to API names during analysis.
The hashing approach reduces static signatures and forces analysts to emulate the resolver or enumerate exports themselves to recover the functionality the sample uses.
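As an added illustration (not the article's or LevelBlue's code), the lookup that HashDB-style tooling performs: hash a catalogue of export names once, then map constants lifted from a sample back to candidate names. The shift/XOR hash, its constant and the export list are assumptions, since the article gives neither LokiBot's real constant nor its exact hash variant.

```python
HASH_CONST = 0x1F3D5B79  # ASSUMED toy constant; LokiBot's real value is not in the article
MASK = 0xFFFFFFFF

def api_hash(name: str) -> int:
    """Shift-and-XOR hash over an ASCII export name (assumed toy variant, not LokiBot's)."""
    h = 0
    for b in name.encode("ascii"):
        h = (((h >> 13) ^ (h << 19)) & MASK) ^ b ^ HASH_CONST
    return h & MASK

# Constructed export names standing in for the DLL export tables an analyst
# would walk with a PE parser; not a real dump.
KNOWN_EXPORTS = {
    "kernel32.dll": ["CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                     "SetThreadContext", "ResumeThread", "CreateMutexW",
                     "GetModuleHandleA", "LoadLibraryA", "GetProcAddress"],
    "ntdll.dll": ["NtWriteVirtualMemory", "NtResumeThread"],
}

def build_hash_table(exports: dict) -> dict:
    """hash -> ['dll!Export', ...]; a list, because distinct names can collide."""
    table = {}
    for dll, names in exports.items():
        for n in names:
            table.setdefault(api_hash(n), []).append(f"{dll}!{n}")
    return table

def resolve_hashes(hashes, table: dict) -> dict:
    """Map hash constants lifted from a sample back to candidate export names."""
    return {h: table.get(h, []) for h in hashes}

def unresolved(hashes, table: dict) -> list:
    """Hashes with no candidate: the catalogue lacks the DLL, or the hash variant differs."""
    return [h for h in hashes if h not in table]

if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    # Constants an analyst would lift from the resolver loop (constructed here).
    observed = [api_hash("VirtualAllocEx"), api_hash("WriteProcessMemory"), 0xDEADBEEF]
    for h, names in resolve_hashes(observed, table).items():
        print(f"{h:#010x} -> {names or 'unresolved'}")
```

An unresolved hash usually means the catalogue is missing the DLL the sample walks or that the builder changed the hash constant, so recompute the table with the variant recovered from the resolver loop before concluding the function is unknown.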
C2 confidentiality is preserved through symmetric encryption: endpoints inside the binary are encrypted with 3DES. The loader decrypts these addresses at runtime to construct HTTP requests used for initial beaconing and subsequent command retrieval.
Once active, the malware creates a mutex derived from the MD5 of MachineGuid to prevent multiple instances, copies itself into %AppData% (using a name generated by the same MachineGuid-derived routine), and attempts to create a Run key for persistence.

In many samples built with patched builders, a broken decryption subroutine results in incorrectly composed registry keys (reported by researcher @d00rt), yielding ineffective persistence in those variants.
Inspection of the byte chunks passed to WriteProcessMemory reveals that they correspond to sections of the PE file that were previously supplied as the byte-array parameter to the LAUNCH method.
Operationally, LokiBot malware enumerates and extracts credentials from over a hundred targeted products (browsers, cryptocurrency wallets, password managers, and email and FTP clients) using dedicated harvesting routines.

Harvested data are aggregated, compressed with aPLib, then exfiltrated to the decrypted C2 over HTTP. After theft, the malware enters a loop, beacons every minute with system metadata, and spawns threads to process received commands.
For defenders, key detection opportunities include monitoring for atypical script-based staging (obfuscated JScript/PowerShell), suspicious use of aspnet_compiler.exe as a parent or injected host, anomalous mutex names tied to MachineGuid hashes, and the presence of a small import table with runtime export-walking behavior.
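One way to turn the staging chain described in this article (JScript run by Windows Script Host, then PowerShell, then aspnet_compiler.exe as the injected host) into a detection over process-creation telemetry, as an added example that is not from the article or LevelBlue; the event fields, the allow-list of legitimate aspnet_compiler.exe parents and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
INJECT_HOST = "aspnet_compiler.exe"
# Assumed allow-list of parents that legitimately launch aspnet_compiler.exe.
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "aspnet_compiler.exe"}

@dataclass
class ProcEvent:  # minimal process-creation record; field names are assumed
    pid: int
    ppid: int
    image: str

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(ev, by_pid: dict) -> list:
    """Image names from the process up to the root: [self, parent, grandparent, ...]."""
    chain, seen = [], set()
    while ev is not None and ev.pid not in seen:
        seen.add(ev.pid)
        chain.append(_base(ev.image))
        ev = by_pid.get(ev.ppid)
    return chain

def detect(events: list) -> list:
    """Return (rule, pid) pairs for processes matching the staging pattern."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(e, by_pid)
        me, parent = chain[0], (chain[1] if len(chain) > 1 else "")
        if me == INJECT_HOST and parent not in EXPECTED_PARENTS:
            alerts.append(("aspnet_compiler_unexpected_parent", e.pid))
        if me in SHELLS and parent in SCRIPT_HOSTS:
            alerts.append(("script_host_spawned_powershell", e.pid))
        # Full chain from the article: script host -> PowerShell -> aspnet_compiler.exe
        if me == INJECT_HOST and parent in SHELLS and len(chain) > 2 and chain[2] in SCRIPT_HOSTS:
            alerts.append(("lokibot_style_staging", e.pid))
    return alerts

# Constructed sample telemetry: one malicious chain and one benign build.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"),
    ProcEvent(500, 100, r"C:\Program Files\MSBuild\msbuild.exe"),
    ProcEvent(600, 500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"),
]
```

The benign build (pid 600) produces no alert because its parent is on the allow-list; tune that list to the build tooling actually present in your environment before deploying the rule.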
Analysts can accelerate mapping of hashed APIs using HashDB and radare2 one-liners to resolve functions, and should attempt to decrypt the “x” section with 3DES keys recovered from memory during dynamic execution.
IOCs
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.