VYPR Research · Published Jun 25, 2026 · 1 source

LokiBot Campaign Uses JScript Attachment, .NET Injector, and Process Injection to Steal Credentials

A new LokiBot campaign uses a JScript email attachment to initiate a multi-stage infection chain that ends with the final payload injected into aspnet_compiler.exe, from where it steals credentials from over 100 applications.

LokiBot, one of the oldest credential-stealing malware families still active today, has resurfaced in a new multi-stage campaign designed to steal credentials from a wide range of applications. The campaign uses a JScript email attachment as its entry point, quietly setting off a chain of events that ends with sensitive data being silently lifted from the victim's machine. What makes this resurgence notable is how the attackers have blended older techniques with newer evasion methods to avoid detection.

LokiBot was first advertised in May 2015 on an underground forum by threat actors known as "lokistov" and "carter." After its source code leaked in 2018, multiple forks emerged, expanding the malware with Android support, keylogging, and remote access. Today it can target credentials stored across more than a hundred applications, including browsers, cryptocurrency wallets, email clients, and FTP tools. Analysts at LevelBlue identified this recent campaign, noting how the attackers carefully constructed each stage to limit exposure and destroy evidence if anything goes wrong.

The attack begins when a victim receives a phishing email with a JScript file attached. Opening the file causes Windows to run it through the built-in Windows Script Host program. The script is heavily obfuscated using decoy functions and hexadecimal-named variables to slow down analysis. Once executed, the script decodes a Base64-encoded PowerShell script, saves it to the C:\Temp folder with a random filename, and runs it. If a defined timeout is exceeded, the script cleans up by terminating processes and deleting its own files.
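The obfuscation traits listed above (hex-named variables, decoy functions, a long Base64 literal that decodes to a PowerShell stage, references to C:\Temp and Windows Script Host objects) can be turned into a static triage check. The script below is an added example, not tooling from the original report or from LevelBlue; the identifier patterns, marker lists and score thresholds are assumptions, and the JScript it inspects is a constructed, harmless stand-in rather than the real attachment.

```python
"""Static triage of a JScript attachment for the obfuscation traits described above.
Added example; pattern thresholds and marker lists are assumptions."""
import base64
import re
from typing import Dict, List

# Identifiers declared with var/let/const/function; "hex-named" assumed to look like _0x3f2a or b4c9e1.
DECL_RE = re.compile(r"\b(?:var|let|const|function)\s+([A-Za-z_$][\w$]*)")
HEXNAME_RE = re.compile(r"^[_$]*(?:0x)?[0-9a-fA-F]{4,}$")
FUNC_RE = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\(")
B64_RE = re.compile(r"[\"']([A-Za-z0-9+/]{40,}={0,2})[\"']")
# Assumed markers that a decoded blob is a PowerShell stage.
PS_MARKERS = ("powershell", "-executionpolicy", "frombase64string",
              "invoke-expression", "iex ", "-bxor", "[reflection.assembly]")
# Assumed host-interaction markers; C:\Temp may appear with single or escaped backslashes.
HOST_MARKERS = {"WScript.Shell": r"wscript\.shell",
                "Scripting.FileSystemObject": r"scripting\.filesystemobject",
                "C:\\Temp": r"c:\\{1,2}temp"}


def hex_named_ratio(src: str) -> float:
    """Fraction of declared identifiers that look like hex strings."""
    names = DECL_RE.findall(src)
    if not names:
        return 0.0
    return sum(1 for n in names if HEXNAME_RE.match(n)) / len(names)


def decoy_functions(src: str) -> List[str]:
    """Functions that are defined but never referenced elsewhere (only the definition exists)."""
    decoys = []
    for name in FUNC_RE.findall(src):
        uses = len(re.findall(r"\b" + re.escape(name) + r"\s*\(", src))
        if uses == 1:
            decoys.append(name)
    return decoys


def decoded_powershell_blobs(src: str) -> List[str]:
    """Long Base64 literals whose decoded text carries PowerShell markers."""
    hits = []
    for lit in B64_RE.findall(src):
        try:
            text = base64.b64decode(lit, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 or not text: ignore
        if any(m in text.lower() for m in PS_MARKERS):
            hits.append(text)
    return hits


def triage(src: str) -> Dict:
    """Score the sample; weights are assumptions chosen so a full chain scores clearly."""
    report = {
        "hex_named_ratio": round(hex_named_ratio(src), 2),
        "decoy_functions": decoy_functions(src),
        "powershell_blobs": decoded_powershell_blobs(src),
        "host_markers": [k for k, pat in HOST_MARKERS.items() if re.search(pat, src, re.I)],
    }
    score = 0
    score += 1 if report["hex_named_ratio"] >= 0.5 else 0
    score += 1 if report["decoy_functions"] else 0
    score += 2 if report["powershell_blobs"] else 0
    score += 1 if report["host_markers"] else 0
    report["score"] = score
    report["verdict"] = "suspicious" if score >= 3 else "review"
    return report


# Constructed, harmless stand-in for the attachment (not the real sample).
STAGE2 = "powershell -ExecutionPolicy Bypass -Command \"Write-Host 'constructed stage 2'\""
B64 = base64.b64encode(STAGE2.encode()).decode()
SAMPLE_JS = f'''
function d4e5f6() {{ return 42; }}        // decoy, never called
function c0ffee() {{ return "x"; }}       // decoy, never called
var _0x3f2a = "{B64}";
var b4c9e1 = new ActiveXObject("WScript.Shell");
var a1b2c3 = "C:\\\\Temp\\\\" + Math.random().toString(36).slice(2) + ".ps1";
function run() {{ return b4c9e1; }}
run();
'''
CLEAN_JS = 'function greet(name) { return "hi " + name; }\nvar message = greet("bob");'

if __name__ == "__main__":
    print(triage(SAMPLE_JS))
    print(triage(CLEAN_JS))
```

The verdict is a triage hint for an analyst, not a classifier: a benign minified script can also score on hex-like names, which is why the decoded PowerShell blob carries the most weight.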

The PowerShell stage then decrypts a .NET assembly payload using XOR with a hard-coded key and loads it directly into memory without writing to disk. The loaded .NET assembly, protected with the ConfuserEx obfuscator, acts as an injector. It spawns a legitimate aspnet_compiler.exe process, allocates memory inside it, and writes the final LokiBot payload into that space. This process injection technique allows the malware to run inside a trusted Windows process, making it harder to flag.

Once active, LokiBot creates a mutex using the MD5 hash of the machine's unique registry identifier to ensure only one instance runs at a time. It then cycles through a list of dedicated credential-harvesting functions, each targeting a specific application, quietly collecting usernames and passwords across browsers, email clients, and more. After harvesting credentials, LokiBot compresses the stolen data using aPLib and sends it to a command-and-control server whose address is stored in the binary using 3DES encryption. The malware also tries to establish persistence via a registry run key, but newer samples built with custom builders contain a broken persistence mechanism due to a patched decryption routine.

To stay hidden, LokiBot avoids importing most Windows API functions directly and instead resolves them at runtime using a custom hashing technique. Organizations can reduce risk by blocking script-based email attachments, watching for unexpected use of aspnet_compiler.exe, and enabling behavior-based endpoint protection that detects reflective loading and process injection patterns.
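The "unexpected use of aspnet_compiler.exe" advice above is easiest to act on as a process-tree rule: Windows Script Host launching PowerShell, PowerShell running a script from C:\Temp, and aspnet_compiler.exe started by something other than build tooling. The following is an added example, not detection content from the original report or from LevelBlue; it runs over constructed Sysmon Event ID 1 style records, and the field names, the parent allowlist and the command-line patterns are assumptions.

```python
"""Process-tree detection for the chain described above
(Windows Script Host -> PowerShell -> aspnet_compiler.exe).
Added example over constructed records; allowlist and patterns are assumptions."""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
INJECTION_TARGET = "aspnet_compiler.exe"
# Assumed: build tooling that legitimately launches aspnet_compiler.exe.
EXPECTED_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe"}
# Assumed form of the staged script: a .ps1 under C:\Temp named on the command line.
TEMP_SCRIPT_RE = re.compile(r"c:\\temp\\[^\s\"']+\.ps1", re.IGNORECASE)
# -e / -enc / -EncodedCommand, or inline Base64 decoding.
ENCODED_PS_RE = re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s|frombase64string", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> List[str]:
    """Rule names that fire on a single process-creation record."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
    findings = []
    if img in POWERSHELL and parent in SCRIPT_HOSTS:
        findings.append("script_host_spawned_powershell")
    if img in POWERSHELL and TEMP_SCRIPT_RE.search(cmd):
        findings.append("powershell_script_from_temp")
    if img in POWERSHELL and ENCODED_PS_RE.search(cmd):
        findings.append("powershell_encoded_command")
    if img == INJECTION_TARGET and parent not in EXPECTED_COMPILER_PARENTS:
        findings.append("aspnet_compiler_unexpected_parent")
    return findings


def ancestry(events: List[dict], pid: int) -> List[str]:
    """Image names from the oldest known ancestor down to pid, following pid/ppid links."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # stop at unknown parent or a pid cycle
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events: List[dict]) -> Dict[int, dict]:
    """pid -> fired rules plus process ancestry, for every record that hits a rule."""
    return {ev["pid"]: {"rules": score_event(ev), "chain": ancestry(events, ev["pid"])}
            for ev in events if score_event(ev)}


# Constructed sample records (Sysmon Event ID 1 style; not logs from the original article).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
EVENTS = [
    {"pid": 4100, "ppid": 880, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmd": "explorer.exe"},
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\invoice_3321.js"'},
    {"pid": 4300, "ppid": 4212, "image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Temp\kq8z1x.ps1"},
    {"pid": 4388, "ppid": 4300, "image": ASPNET, "parent": PS, "cmd": '"' + ASPNET + '"'},
    # Benign control: MSBuild precompiling a web project.
    {"pid": 5010, "ppid": 5000, "image": ASPNET,
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmd": r"aspnet_compiler.exe -v / -p C:\src\web"},
    # Benign control: an admin running a maintenance script from Explorer.
    {"pid": 4600, "ppid": 4100, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, hit in detect(EVENTS).items():
        print(pid, hit["rules"], " -> ".join(hit["chain"]))
```

The ancestry walk is what makes the aspnet_compiler.exe alert actionable: a single "unexpected parent" hit can be a developer's unusual build setup, whereas a chain that starts at a script host under Explorer matches the delivery path described in the report.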

Indicators of compromise include the JScript attachment hash (SHA256: c099f965144bccd0b590f946659fc3c0747c54aef505b6caaca9078712f455fb), the .NET injector hash (SHA256: 64c7dd0a3a3ae49977ac05913d3878000cce14e5d8c1ee05b782bdfd648bde91), and C2 domains such as kbfvzoboss.bid and alphastand.trade. The campaign underscores the enduring threat of LokiBot, which remains a favorite among low-skilled cybercriminals due to its affordability and ease of use.

Synthesized by Vypr AI