
S0447: Lokibot

Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.[1][2][3]

Domain: Enterprise | ID: S0447 | Type: Malware | Object version: 2.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Lokibot matters because ATT&CK describes it as a Windows information stealer focused on usernames, passwords, cryptocurrency wallets, and other credentials, with the ability to create a backdoor for additional payloads. For leaders, the practical risk is not just malware cleanup; it is potential credential compromise, follow-on access, and uncertainty about what accounts, wallets, systems, or data paths may have been exposed.

Executive priority

Prioritize Lokibot-style scenarios where credential theft would disrupt operations, enable unauthorized access, or weaken audit confidence. Executives should ask whether the organization can quickly identify affected Windows endpoints, determine which credentials may have been captured, validate outbound web-based command-and-control or exfiltration evidence, and coordinate password/key rotation with incident response. Because ATT&CK links Lokibot to techniques for persistence, stealth, discovery, credential access, exfiltration, and additional payload transfer, response plans should assume endpoint containment and identity remediation must happen together.

Technical view

ATT&CK provides no official detection text for Lokibot, so defenders should validate coverage through its documented relationships rather than a single malware signature. On Windows, prioritize visibility for malicious-file execution, PowerShell and Windows Command Shell use, Visual Basic execution, scheduled task creation, registry modification, process hollowing indicators, keylogging-related behavior, host/user/file/network discovery, file deletion, packed or obfuscated artifacts, deobfuscation activity, web-protocol C2, exfiltration over C2, and ingress tool transfer. Treat the SilverTerrier relationship as threat-intelligence context, not proof of attribution in any local incident.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • PowerShell execution logs and script block/module logging where available
  • Windows Scheduled Task creation and modification events
  • Windows Registry modification telemetry
  • Endpoint detection telemetry for process injection or process hollowing patterns

Detection direction

  • Map detections to the ATT&CK relationships instead of relying only on Lokibot names or hashes, since obfuscation and software packing are documented behaviors.
  • Correlate suspicious user-driven file execution with follow-on command shell, PowerShell, Visual Basic, scheduled task, registry, discovery, and outbound web traffic activity.
  • Tune for sequences that combine credential-access behavior such as keylogging with system/user discovery and C2/exfiltration indicators.
  • Review blind spots around encrypted or common web protocols, packed executables, deleted artifacts, and process-hollowing behaviors that may reduce signature-only visibility.
  • Separate administrative false positives from suspicious activity by checking parent process, user context, execution path, task name, registry path, destination reputation, and whether the behavior follows a newly opened file.
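The correlation described in the list above, as an added example that is not code from this page, from MITRE, or from any of the cited reports. It runs over constructed Sysmon-style process-creation records (field names follow the Sysmon Event ID 1 schema; the hosts, users, paths and timestamps are made up) and raises one alert per host when several of the behaviours listed for S0447 occur close together. The rule set, the 10-minute window and the two-technique threshold are assumptions to tune locally; the registry value written in the sample is a placeholder, not a reproduction of the real bypass.

```python
"""Correlate Lokibot-style execution chains in Windows process-creation telemetry.

Added example (not code from the page, MITRE or the cited reports). Records
are constructed Sysmon Event ID 1-style events. Rule labels map to ATT&CK
technique IDs listed for S0447; window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # assumed correlation window, tune locally
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict):
    """Return (technique_id, description) when the event matches one of the
    S0447 behaviours, else None. Matching is on parent, image and command line."""
    parent, image = _base(ev["ParentImage"]), _base(ev["Image"])
    cmd = f" {ev['CommandLine'].lower()} "
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        return ("T1204.002", f"{parent} spawned {image} (document-driven execution)")
    if image == "schtasks.exe" and "/run" in cmd and "silentcleanup" in cmd:
        return ("T1053.005", "schtasks /Run of the SilentCleanup task (UAC bypass pattern)")
    if image == "reg.exe" and " add " in cmd:
        return ("T1112", "reg.exe add from a script context")
    if parent == "cmd.exe" and image == "powershell.exe":
        return ("T1059.001", "PowerShell launched from cmd.exe (batch-embedded PowerShell)")
    if image == "cmd.exe" and " del " in cmd:
        return ("T1070.004", "cmd-driven deletion of dropped files")
    return None


def correlate(events, min_techniques: int = 2):
    """Group classified events per host; alert when at least `min_techniques`
    distinct techniques occur within WINDOW of an anchoring hit (one alert per host)."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        hit = classify(ev)
        if hit:
            hits[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), *hit, ev))
    alerts = []
    for host, seq in hits.items():
        for i, (t0, *_rest) in enumerate(seq):
            chain = [h for h in seq[i:] if h[0] - t0 <= WINDOW]
            techniques = sorted({h[1] for h in chain})
            if len(techniques) >= min_techniques:
                alerts.append({
                    "host": host,
                    # context a triager checks before escalating: user, parent, path
                    "user": chain[0][3]["User"],
                    "first_parent": chain[0][3]["ParentImage"],
                    "start": t0.isoformat(),
                    "techniques": techniques,
                    "steps": [h[2] for h in chain],
                })
                break
    return alerts


# Constructed sample telemetry (not real events). WS-0142 shows the
# macro -> batch -> PowerShell/reg/schtasks/del sequence; WS-0007 is an
# administrator running benign commands and must not alert.
def _ev(host, t, user, parent, image, cmd):
    return {"Computer": host, "UtcTime": t, "User": user,
            "ParentImage": parent, "Image": image, "CommandLine": cmd}

SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    _ev("WS-0142", "2024-05-03T09:14:02", r"CORP\jdoe",
        r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", SYS32 + r"\cmd.exe",
        r"cmd /c C:\Users\jdoe\AppData\Local\Temp\run.bat"),
    _ev("WS-0142", "2024-05-03T09:14:05", r"CORP\jdoe", SYS32 + r"\cmd.exe", PS,
        "powershell -NoProfile -WindowStyle Hidden -Command Start-Sleep 5"),
    _ev("WS-0142", "2024-05-03T09:14:09", r"CORP\jdoe", SYS32 + r"\cmd.exe", SYS32 + r"\reg.exe",
        r'reg add HKCU\Environment /v windir /t REG_SZ /d "constructed-placeholder" /f'),
    _ev("WS-0142", "2024-05-03T09:14:11", r"CORP\jdoe", SYS32 + r"\cmd.exe", SYS32 + r"\schtasks.exe",
        r"schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I"),
    _ev("WS-0142", "2024-05-03T09:14:30", r"CORP\jdoe", SYS32 + r"\cmd.exe", SYS32 + r"\cmd.exe",
        r"cmd /c del /q C:\Users\jdoe\AppData\Local\Temp\run.bat"),
    _ev("WS-0007", "2024-05-03T10:02:10", r"CORP\itadmin", r"C:\Windows\explorer.exe",
        SYS32 + r"\cmd.exe", "cmd /k"),
    _ev("WS-0007", "2024-05-03T10:02:40", r"CORP\itadmin", SYS32 + r"\cmd.exe",
        SYS32 + r"\schtasks.exe", r"schtasks /Query /TN \Microsoft\Windows\DiskCleanup\SilentCleanup"),
    _ev("WS-0007", "2024-05-03T10:03:05", r"CORP\itadmin", SYS32 + r"\cmd.exe", PS,
        "powershell Get-Service"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], alert["first_parent"], alert["techniques"])
        for step in alert["steps"]:
            print("  -", step)
```

Only WS-0142 alerts: its five hits span five technique IDs inside the window, and the alert carries the user, the first parent image and the step descriptions so the parent-process, user-context and execution-path checks from the last bullet can be applied before escalation. WS-0007 produces a single PowerShell-from-cmd hit, which stays below the threshold; the `schtasks /Query` call is not matched because the rule keys on `/Run` of the SilentCleanup task specifically.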

Mitigation priorities

  • Harden the user-execution path for malicious files through attachment handling, endpoint protection, and user-awareness controls appropriate to the environment.
  • Reduce credential exposure by enforcing strong identity controls, rapid credential rotation procedures after suspected compromise, and monitoring for abnormal account use.
  • Constrain and monitor PowerShell, command shell, Visual Basic, scheduled tasks, and registry changes on Windows endpoints.
  • Improve egress governance by monitoring and controlling outbound web-protocol traffic and investigating unusual C2-like destinations.
  • Ensure incident response playbooks cover endpoint isolation, malware artifact preservation, credential impact assessment, and follow-on payload hunting.

Analyst notes and limits

Lokibot is described by ATT&CK as a widely distributed information stealer first reported in 2015. The supplied relationships show use of multiple techniques across execution, persistence, privilege escalation, defense evasion/stealth, discovery, credential access, collection, command and control, and exfiltration. The object itself lists Windows as the platform and does not specify tactics or aliases. External references include CISA, Infoblox, Morphisec, Talos, and MITRE ATT&CK.

MITRE did not provide official detection guidance in the supplied object. This take does not assert current exploitation, local exposure, successful compromise, or guaranteed detection. Local conclusions require endpoint, identity, network, and incident evidence from the environment being assessed.

Official MITRE ATT&CK definition

Lokibot

Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.[1][2][3]

The same entry is published on attack.mitre.org (MITRE-hosted reference); in-page links use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

28 rows

Domain | ID | Name | Relationship / procedure
Enterprise | T1059.005 | Visual Basic (sub-technique) | Lokibot has used VBS scripts and XLS macros for execution. [Talos Lokibot Jan 2021]
Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | Lokibot is delivered via a malicious XLS attachment contained within a spearphishing email. [Talos Lokibot Jan 2021]
Enterprise | T1027.002 | Software Packing (sub-technique) | Lokibot has used several packing methods for obfuscation. [Infoblox Lokibot January 2019]
Enterprise | T1027 | Obfuscated Files or Information | Lokibot has obfuscated strings with base64 encoding. [Infoblox Lokibot January 2019]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR. [Talos Lokibot Jan 2021]
Enterprise | T1555 | Credentials from Password Stores | Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients. [Infoblox Lokibot January 2019]
Enterprise | T1620 | Reflective Code Loading | Lokibot has reflectively loaded the decoded DLL into memory. [Talos Lokibot Jan 2021]
Enterprise | T1055.012 | Process Hollowing (sub-technique) | Lokibot has used process hollowing to inject itself into a legitimate Windows process. [Infoblox Lokibot January 2019] [Talos Lokibot Jan 2021]
Enterprise | T1033 | System Owner/User Discovery | Lokibot has the ability to discover the username on the infected host. [FSecure Lokibot November 2019]
Enterprise | T1083 | File and Directory Discovery | Lokibot can search for specific files on an infected host. [Talos Lokibot Jan 2021]
Enterprise | T1056.001 | Keylogging (sub-technique) | Lokibot has the ability to capture input on the compromised host via keylogging. [FSecure Lokibot November 2019]
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Lokibot has used cmd /c commands embedded within batch scripts. [Talos Lokibot Jan 2021]
Enterprise | T1112 | Modify Registry | Lokibot has modified the Registry as part of its UAC bypass process. [Talos Lokibot Jan 2021]
Enterprise | T1053.005 | Scheduled Task (sub-technique) | Lokibot embedded the command schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I inside a batch script. [Talos Lokibot Jan 2021]
Enterprise | T1497.003 | Time Based Checks (sub-technique) | Lokibot has performed a time-based anti-debug check before downloading its third stage. [Talos Lokibot Jan 2021]
Enterprise | T1041 | Exfiltration Over C2 Channel | Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data. [FSecure Lokibot November 2019]
Enterprise | T1053 | Scheduled Task/Job | Lokibot's second-stage DLL has set a timer using timeSetEvent to schedule its next execution. [Talos Lokibot Jan 2021]
Enterprise | T1548.002 | Bypass User Account Control (sub-technique) | Lokibot has utilized multiple techniques to bypass UAC. [Talos Lokibot Jan 2021]
Enterprise | T1082 | System Information Discovery | Lokibot has the ability to discover the computer name and Windows product name/version. [FSecure Lokibot November 2019]
Enterprise | T1106 | Native API | Lokibot has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode. [Talos Lokibot Jan 2021]
Enterprise | T1564.001 | Hidden Files and Directories (sub-technique) | Lokibot has the ability to copy itself to a hidden file and directory. [Infoblox Lokibot January 2019]
Enterprise | T1059.001 | PowerShell (sub-technique) | Lokibot has used PowerShell commands embedded inside batch scripts. [Talos Lokibot Jan 2021]
Enterprise | T1016 | System Network Configuration Discovery | Lokibot has the ability to discover the domain name of the infected host. [FSecure Lokibot November 2019]
Enterprise | T1070.004 | File Deletion (sub-technique) | Lokibot will delete its dropped files after bypassing UAC. [Talos Lokibot Jan 2021]
Enterprise | T1204.002 | Malicious File (sub-technique) | Lokibot has tricked recipients into enabling malicious macros by getting victims to click "enable content" in email attachments. [TrendMicro Msiexec Feb 2018] [Talos Lokibot Jan 2021]
Enterprise | T1071.001 | Web Protocols (sub-technique) | Lokibot has used HTTP for C2 communications. [Infoblox Lokibot January 2019] [Talos Lokibot Jan 2021]
Enterprise | T1105 | Ingress Tool Transfer | Lokibot downloaded several staged items onto the victim's machine. [Talos Lokibot Jan 2021]
Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers. [Infoblox Lokibot January 2019]
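The T1027 and T1140 rows above say that strings are base64-encoded and that the C2 server response is a hex string decoded with XOR, but the page gives neither the key, the key length nor the layout. The following is an added example, not code from this page, from MITRE or from the cited reports: it implements the generic analyst approach to those two rows, pulling base64 runs out of a blob and recovering a single-byte XOR key for a hex-encoded response by scoring candidate plaintexts. The single-byte key, the frequency weights and the sample data are all assumptions or constructed for the example.

```python
"""Triage helpers for Lokibot-style string obfuscation (T1027 / T1140 rows).

Added example, not code from the page, MITRE or the cited reports. Assumes a
single-byte XOR key and English-like plaintext; sample inputs are constructed.
"""
import base64
import binascii
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(range(0x20, 0x7F))
# Approximate English letter frequencies (percent); space weighted like the top letter.
FREQ = {" ": 13.0, "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7,
        "s": 6.3, "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "c": 2.8, "u": 2.8,
        "m": 2.4, "w": 2.4, "f": 2.2, "g": 2.0, "y": 2.0, "p": 1.9, "b": 1.5,
        "v": 1.0, "k": 0.8, "j": 0.15, "x": 0.15, "q": 0.1, "z": 0.07}


def extract_base64_strings(blob: bytes, min_printable: float = 0.95):
    """Return decoded text for base64-looking runs that decode to printable ASCII."""
    found = []
    for m in B64_RUN.finditer(blob.decode("latin-1")):
        run = m.group(0)
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except binascii.Error:
            continue  # not valid base64 after all (bad padding/length)
        if raw and sum(b in PRINTABLE for b in raw) / len(raw) >= min_printable:
            found.append(raw.decode("ascii", "replace"))
    return found


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; with a one-byte key this is the decode step the T1140 row describes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plaintext_score(data: bytes) -> float:
    """Score a candidate plaintext: lowercase letters by English frequency, other
    printable bytes slightly positive, non-printable bytes heavily penalised.
    Uppercase is not folded, so a key that is off by 0x20 (case flip) scores low."""
    score = 0.0
    for b in data:
        c = chr(b)
        if c in FREQ:
            score += FREQ[c]
        elif b in PRINTABLE:
            score += 0.5
        else:
            score -= 20.0
    return score


def brute_single_byte_xor(hex_response: str):
    """Try all 256 one-byte keys against a hex-encoded response; return (key, plaintext)."""
    raw = bytes.fromhex(hex_response.strip())
    best_key = max(range(256), key=lambda k: plaintext_score(xor_bytes(raw, bytes([k]))))
    return best_key, xor_bytes(raw, bytes([best_key]))


# Constructed sample data (not real Lokibot artefacts): key 0x5a, the plaintext
# and the surrounding bytes are made up for the example.
SAMPLE_PLAINTEXT = b"cmd=update;url=http://c2.example.invalid/gate.php"
SAMPLE_RESPONSE_HEX = xor_bytes(SAMPLE_PLAINTEXT, b"\x5a").hex()
SAMPLE_BLOB = (b"\x00\x7fMZ junk " + base64.b64encode(b"http://c2.example.invalid/gate.php")
               + b" \xff\xfe")

if __name__ == "__main__":
    print("base64 strings:", extract_base64_strings(SAMPLE_BLOB))
    key, text = brute_single_byte_xor(SAMPLE_RESPONSE_HEX)
    print(f"xor key 0x{key:02x}:", text.decode("ascii", "replace"))
```

When the key is already known from a hard-coded constant recovered during analysis, call `xor_bytes(bytes.fromhex(hex_response), key)` directly; the brute-force path is only for the case where the key is not yet known, and a multi-byte key would need a different recovery step (key-length estimation first) that this example does not attempt.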

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 3d9c6a4f57f60025...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 3d9c6a4f57f6…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Infoblox Lokibot January 2019: Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  [2] Morphisec Lokibot April 2020: Cheruku, H. (2020, April 15). LOKIBOT WITH AUTOIT OBFUSCATOR + FRENCHY SHELLCODE. Retrieved May 14, 2020.
  [3] CISA Lokibot September 2020: DHS/CISA. (2020, September 22). Alert (AA20-266A) LokiBot Malware. Retrieved September 15, 2021.
  [4] Lokibot: (Citation: Infoblox Lokibot January 2019) (Citation: Morphisec Lokibot April 2020) (Citation: Talos Lokibot Jan 2021)
  [5] Talos Lokibot Jan 2021: Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  [6] mitre-attack S0447: MITRE ATT&CK source record for S0447.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.