LokiBot Infostealer Uses Obfuscated JScript and PowerShell Loader in Recent Campaign
ID: 5da4b01c-7399-5a8b-abd4-11d4cd27903b
STIX ID: report--5da4b01c-7399-5a8b-abd4-11d4cd27903b
Feed Name: Cyber Press
Threat Score
LokiBot campaign analysis: malspam delivers an obfuscated JScript that decodes a Base64 PowerShell payload which reflectively loads a ConfuserEx-protected .NET injector to perform process injection and execute a 32-bit LokiBot infostealer; the malware harvests credentials from 100+ applications, compresses data with aPLib, and exfiltrates to a C2, with technical TTPs and IOCs provided (this variant exhibits a broken persistence mechanism).
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
