Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0447: Lokibot

Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.[1][2][3]

EnterpriseS0447MalwareObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Lokibot matters because ATT&CK describes it as a Windows information stealer focused on usernames, passwords, cryptocurrency wallets, and other credentials, with the ability to create a backdoor for additional payloads. For leaders, the practical risk is not just malware cleanup; it is potential credential compromise, follow-on access, and uncertainty about what accounts, wallets, systems, or data paths may have been exposed.

Executive priority

Prioritize Lokibot-style scenarios where credential theft would disrupt operations, enable unauthorized access, or weaken audit confidence. Executives should ask whether the organization can quickly identify affected Windows endpoints, determine which credentials may have been captured, validate outbound web-based command-and-control or exfiltration evidence, and coordinate password/key rotation with incident response. Because ATT&CK links Lokibot to techniques for persistence, stealth, discovery, credential access, exfiltration, and additional payload transfer, response plans should assume endpoint containment and identity remediation must happen together.

Technical view

ATT&CK provides no official detection text for Lokibot, so defenders should validate coverage through its documented relationships rather than a single malware signature. On Windows, prioritize visibility for malicious-file execution, PowerShell and Windows Command Shell use, Visual Basic execution, scheduled task creation, registry modification, process hollowing indicators, keylogging-related behavior, host/user/file/network discovery, file deletion, packed or obfuscated artifacts, deobfuscation activity, web-protocol C2, exfiltration over C2, and ingress tool transfer. Treat the SilverTerrier relationship as threat-intelligence context, not proof of attribution in any local incident.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • PowerShell execution logs and script block/module logging where available
  • Windows Scheduled Task creation and modification events
  • Windows Registry modification telemetry
  • Endpoint detection telemetry for process injection or process hollowing patterns

Detection direction

  • Map detections to the ATT&CK relationships instead of relying only on Lokibot names or hashes, since obfuscation and software packing are documented behaviors.
  • Correlate suspicious user-driven file execution with follow-on command shell, PowerShell, Visual Basic, scheduled task, registry, discovery, and outbound web traffic activity.
  • Tune for sequences that combine credential-access behavior such as keylogging with system/user discovery and C2/exfiltration indicators.
  • Review blind spots around encrypted or common web protocols, packed executables, deleted artifacts, and process-hollowing behaviors that may reduce signature-only visibility.
  • Separate administrative false positives from suspicious activity by checking parent process, user context, execution path, task name, registry path, destination reputation, and whether the behavior follows a newly opened file.

Mitigation priorities

  • Harden the user-execution path for malicious files through attachment handling, endpoint protection, and user-awareness controls appropriate to the environment.
  • Reduce credential exposure by enforcing strong identity controls, rapid credential rotation procedures after suspected compromise, and monitoring for abnormal account use.
  • Constrain and monitor PowerShell, command shell, Visual Basic, scheduled tasks, and registry changes on Windows endpoints.
  • Improve egress governance by monitoring and controlling outbound web-protocol traffic and investigating unusual C2-like destinations.
  • Ensure incident response playbooks cover endpoint isolation, malware artifact preservation, credential impact assessment, and follow-on payload hunting.
Analyst notes and limits

Lokibot is described by ATT&CK as a widely distributed information stealer first reported in 2015. The supplied relationships show use of multiple techniques across execution, persistence, privilege escalation, defense evasion/stealth, discovery, credential access, collection, command and control, and exfiltration. The object itself lists Windows as the platform and does not specify tactics or aliases. External references include CISA, Infoblox, Morphisec, Talos, and MITRE ATT&CK.

MITRE did not provide official detection guidance in the supplied object. This take does not assert current exploitation, local exposure, successful compromise, or guaranteed detection. Local conclusions require endpoint, identity, network, and incident evidence from the environment being assessed.

Official MITRE ATT&CK definition

Lokibot

Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

28 rows
Domain ID Name Relationship / procedure
Enterprise T1059.005 Visual Basic Sub-technique

Lokibot has used VBS scripts and XLS macros for execution.[4]
Enterprise T1566.001 Spearphishing Attachment Sub-technique

Lokibot is delivered via a malicious XLS attachment contained within a spearhpishing email.[4]
Enterprise T1027.002 Software Packing Sub-technique

Lokibot has used several packing methods for obfuscation.[1]
Enterprise T1027 Obfuscated Files or Information

Lokibot has obfuscated strings with base64 encoding.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.[4]
Enterprise T1555 Credentials from Password Stores

Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.[1]
Enterprise T1620 Reflective Code Loading

Lokibot has reflectively loaded the decoded DLL into memory.[4]
Enterprise T1055.012 Process Hollowing Sub-technique

Lokibot has used process hollowing to inject itself into legitimate Windows process.[1][4]
Enterprise T1033 System Owner/User Discovery

Lokibot has the ability to discover the username on the infected host.CitationFSecure Lokibot November 2019
Enterprise T1083 File and Directory Discovery

Lokibot can search for specific files on an infected host.[4]
Enterprise T1056.001 Keylogging Sub-technique

Lokibot has the ability to capture input on the compromised host via keylogging.CitationFSecure Lokibot November 2019
Enterprise T1059.003 Windows Command Shell Sub-technique

Lokibot has used cmd /c commands embedded within batch scripts.[4]
Enterprise T1112 Modify Registry

Lokibot has modified the Registry as part of its UAC bypass process.[4]
Enterprise T1053.005 Scheduled Task Sub-technique

Lokibot embedded the commands schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I inside a batch script.[4]
Enterprise T1497.003 Time Based Checks Sub-technique

Lokibot has performed a time-based anti-debug check before downloading its third stage.[4]
Enterprise T1041 Exfiltration Over C2 Channel

Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.CitationFSecure Lokibot November 2019
Enterprise T1053 Scheduled Task/Job

Lokibot's second stage DLL has set a timer using “timeSetEvent” to schedule its next execution.[4]
Enterprise T1548.002 Bypass User Account Control Sub-technique

Lokibot has utilized multiple techniques to bypass UAC.[4]
Enterprise T1082 System Information Discovery

Lokibot has the ability to discover the computer name and Windows product name/version.CitationFSecure Lokibot November 2019
Enterprise T1106 Native API

Lokibot has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode.[4]
Enterprise T1564.001 Hidden Files and Directories Sub-technique

Lokibot has the ability to copy itself to a hidden file and directory.[1]
Enterprise T1059.001 PowerShell Sub-technique

Lokibot has used PowerShell commands embedded inside batch scripts.[4]
Enterprise T1016 System Network Configuration Discovery

Lokibot has the ability to discover the domain name of the infected host.CitationFSecure Lokibot November 2019
Enterprise T1070.004 File Deletion Sub-technique

Lokibot will delete its dropped files after bypassing UAC.[4]
Enterprise T1204.002 Malicious File Sub-technique

Lokibot has tricked recipients into enabling malicious macros by getting victims to click "enable content" in email attachments.CitationTrendMicro Msiexec Feb 2018[4]
Enterprise T1071.001 Web Protocols Sub-technique

Lokibot has used HTTP for C2 communications.[1][4]
Enterprise T1105 Ingress Tool Transfer

Lokibot downloaded several staged items onto the victim's machine.[4]
Enterprise T1555.003 Credentials from Web Browsers Sub-technique

Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.[1]
Associated objects

Groups, software, and campaigns

Relationship explorer

All related ATT&CK context

uses · Technique T1059.005: Visual Basic Enterprise uses · Technique T1566.001: Spearphishing Attachment Enterprise uses · Technique T1027.002: Software Packing Enterprise uses · Technique T1027: Obfuscated Files or Information Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Technique T1555: Credentials from Password Stores Enterprise uses · Technique T1620: Reflective Code Loading Enterprise uses · Technique T1055.012: Process Hollowing Enterprise uses · Technique T1033: System Owner/User Discovery Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1056.001: Keylogging Enterprise uses · Technique T1059.003: Windows Command Shell Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1053.005: Scheduled Task Enterprise uses · Technique T1497.003: Time Based Checks Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1053: Scheduled Task/Job Enterprise uses · Technique T1548.002: Bypass User Account Control Enterprise uses · Technique T1082: System Information Discovery Enterprise uses · Technique T1106: Native API Enterprise uses · Technique T1564.001: Hidden Files and Directories Enterprise uses · Technique T1059.001: PowerShell Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise uses · Technique T1070.004: File Deletion Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
3d9c6a4f57f60025...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle 3d9c6a4f57f6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Infoblox Lokibot January 2019

    Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.

    Open source URL
  2. [2]
    Morphisec Lokibot April 2020

    Cheruku, H. (2020, April 15). LOKIBOT WITH AUTOIT OBFUSCATOR + FRENCHY SHELLCODE. Retrieved May 14, 2020.

    Open source URL
  3. [3]
    CISA Lokibot September 2020

    DHS/CISA. (2020, September 22). Alert (AA20-266A) LokiBot Malware . Retrieved September 15, 2021.

    Open source URL
  4. [4]
    Talos Lokibot Jan 2021

    Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.

    Open source URL
  5. [5]
    Lokibot

    (Citation: Infoblox Lokibot January 2019)(Citation: Morphisec Lokibot April 2020)(Citation: Talos Lokibot Jan 2021)

  6. [6]
    mitre-attack S0447
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use