LokiBot Campaign Uses JScript Attachment, .NET Injector, and Process Injection to Steal Credentials

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


LokiBot, one of the oldest credential-stealing malware families still active today, has resurfaced in a new multi-stage campaign designed to steal credentials from a wide range of applications.

The campaign uses a JScript email attachment as its entry point, quietly setting off a chain of events that ends with sensitive data being silently lifted from the victim’s machine.

What makes this resurgence notable is how the attackers have blended older techniques with newer evasion methods to avoid detection.

LokiBot was first advertised in May 2015 on an underground forum by threat actors known as “lokistov” and “carter.” After its source code leaked in 2018, multiple forks emerged, expanding the malware with Android support, keylogging, and remote access.

Today it can target credentials stored across more than a hundred applications, including browsers, cryptocurrency wallets, email clients, and FTP tools.

Analysts at LevelBlue identified this recent campaign, noting how the attackers carefully constructed each stage to limit exposure and destroy evidence if anything goes wrong. 

LevelBlue said in a report shared with Cyber Security News (CSN) that the sample was distributed as a malicious email attachment, which remains the most frequently reported delivery method for LokiBot.

Its affordability and ease of use once made it a favorite among low-skilled cybercriminals, and its continued presence in threat feeds shows it is still being maintained.

The broader impact of a successful LokiBot infection is serious. Once the malware completes its credential-harvesting routines, it compresses the stolen data and transmits it to a remote server.

From there, attackers gain access to passwords and account details from dozens of applications, putting individuals and organizations at real risk of account takeover and data theft.

LokiBot Campaign Uses JScript Attachment, .NET Injector, and Process Injection

The attack begins when a victim receives a phishing email with a JScript file attached. Opening the file causes Windows to run it through the built-in Windows Script Host program.

The script is heavily obfuscated using decoy functions and hexadecimal-named variables to slow down analysis.

Once executed, the script decodes a Base64-encoded PowerShell script, saves it to the C:\Temp folder with a random filename, and runs it. If a defined timeout is exceeded, the script cleans up by terminating processes and deleting its own files.

Deobfuscated JScript clean-up function (Source – LevelBlue)

The PowerShell stage then decrypts a .NET assembly payload using XOR with a hard-coded key and loads it directly into memory without writing to disk.

Excerpt from the patched decompiled .NET loader (Source – LevelBlue)

The .NET loader then spawns a legitimate aspnet_compiler.exe process, allocates memory inside it, and writes the final LokiBot payload into that space. This process injection technique allows the malware to run inside a trusted Windows process, making it harder to flag.

LokiBot Credential Theft and C2 Communication

Once active, LokiBot creates a mutex using the MD5 hash of the machine’s unique registry identifier to ensure only one instance runs at a time.

Mutex-based verification (Source – LevelBlue)

It then cycles through a list of dedicated credential-harvesting functions, each targeting a specific application, quietly collecting usernames and passwords across browsers, email clients, and more.

After harvesting credentials, LokiBot compresses the stolen data using aPLib and sends it to a command-and-control server whose address is stored in the binary using 3DES encryption.

The malware also tries to establish persistence via a registry run key, but newer samples built with custom builders contain a broken persistence mechanism due to a patched decryption routine.

Broken registry persistence (Source – LevelBlue)

To stay hidden, LokiBot avoids importing most Windows API functions directly and instead resolves them at runtime using a custom hashing technique.

Organizations can reduce risk by blocking script-based email attachments, watching for unexpected use of aspnet_compiler.exe, and enabling behavior-based endpoint protection that detects reflective loading and process injection patterns.
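As an added detection example (not LevelBlue's or the article's code), the following Python checks constructed process-creation events for the parent-child chain described above: a script host running a .js attachment launches PowerShell, which then spawns aspnet_compiler.exe. The event field names and the list of assumed-benign parents are assumptions.

```python
"""Detection logic for the chain described above: a .js attachment run by Windows
Script Host launches PowerShell, which spawns aspnet_compiler.exe as an injection
host. Added example, not LevelBlue's code; events are constructed Sysmon-style records."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECTION_HOST = "aspnet_compiler.exe"
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe"}  # assumed-benign parents of the compiler

SAMPLE_EVENTS = [  # constructed, not a real capture
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 412, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\invoice.js"'},
    {"pid": 420, "ppid": 412, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Temp\abc123.ps1"},
    {"pid": 431, "ppid": 420, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe"},
    {"pid": 500, "ppid": 1, "image": r"C:\Program Files\VS\devenv.exe", "cmdline": "devenv.exe"},
    {"pid": 501, "ppid": 500, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r"aspnet_compiler.exe -v / -p C:\site"},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(event, by_pid, limit=8):
    """Yield (image basename, event) for each ancestor, nearest first."""
    cur = by_pid.get(event["ppid"])
    while cur is not None and limit > 0:
        yield basename(cur["image"]), cur
        cur = by_pid.get(cur["ppid"])
        limit -= 1

def find_lokibot_chain(events):
    """Return (pid, reason) pairs for processes matching the described chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        lineage = list(ancestry(e, by_pid))
        parents = [n for n, _ in lineage]
        # Stage 1 -> 2: a script host running a .js file launches PowerShell.
        if name == "powershell.exe" and parents and parents[0] in SCRIPT_HOSTS \
                and ".js" in lineage[0][1]["cmdline"].lower():
            findings.append((e["pid"], "powershell.exe launched by %s running a .js file" % parents[0]))
        # Stage 2 -> 3: aspnet_compiler.exe started by an unexpected parent.
        if name == INJECTION_HOST and parents and parents[0] not in EXPECTED_PARENTS:
            via = " via script host -> PowerShell chain" if "powershell.exe" in parents \
                and any(p in SCRIPT_HOSTS for p in parents) else ""
            findings.append((e["pid"], "aspnet_compiler.exe spawned by " + parents[0] + via))
    return findings
```

Running it over the sample flags the PowerShell instance (pid 420) and the injected aspnet_compiler.exe (pid 431) while leaving the Visual Studio build invocation alone.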

Indicators of Compromise (IoCs):

