logo

LokiBot Infostealer Uses Obfuscated JScript and PowerShell Loader in Recent Campaign

ID: 5da4b01c-7399-5a8b-abd4-11d4cd27903b

STIX ID: report--5da4b01c-7399-5a8b-abd4-11d4cd27903b

Feed Name: Cyber Press

Threat Score
70/100

Date Published: 2026-06-25

Date Updated: 2026-06-25

Author: Varshini

...
...

LokiBot campaign analysis: malspam delivers an obfuscated JScript that decodes a Base64 PowerShell payload which reflectively loads a ConfuserEx-protected .NET injector to perform process injection and execute a 32-bit LokiBot infostealer; the malware harvests credentials from 100+ applications, compresses data with aPLib, and exfiltrates to a C2, with technical TTPs and IOCs provided (this variant exhibits a broken persistence mechanism).

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.