
LokiBot Campaign Uses JScript Attachment, .NET Injector, and Process Injection to Steal Credentials

Cybersecurity News · Archived Jun 25, 2026

By Tushar Subhra Dutta, June 25, 2026

LokiBot, one of the oldest credential-stealing malware families still active today, has resurfaced in a new multi-stage campaign designed to steal credentials from a wide range of applications. The campaign uses a JScript email attachment as its entry point, quietly setting off a chain of events that ends with sensitive data being silently lifted from the victim’s machine. What makes this resurgence notable is how the attackers have blended older techniques with newer evasion methods to avoid detection.

LokiBot was first advertised in May 2015 on an underground forum by threat actors known as “lokistov” and “carter.” After its source code leaked in 2018, multiple forks emerged, expanding the malware with Android support, keylogging, and remote access. Today it can target credentials stored across more than a hundred applications, including browsers, cryptocurrency wallets, email clients, and FTP tools.

Analysts at LevelBlue identified this recent campaign, noting how the attackers carefully constructed each stage to limit exposure and destroy evidence if anything goes wrong.

LevelBlue said in a report shared with Cyber Security News (CSN) that the sample was distributed as a malicious email attachment, which remains the most frequently reported delivery method for LokiBot. Its affordability and ease of use once made it a favorite among low-skilled cybercriminals, and its continued presence in threat feeds shows it is still being maintained.

The broader impact of a successful LokiBot infection is serious. Once the malware completes its credential-harvesting routines, it compresses the stolen data and transmits it to a remote server. From there, attackers gain access to passwords and account details from dozens of applications, putting individuals and organizations at real risk of account takeover and data theft.

LokiBot Campaign Uses JScript Attachment, .NET Injector, and Process Injection

The attack begins when a victim receives a phishing email with a JScript file attached. Opening the file causes Windows to run it through the built-in Windows Script Host program. The script is heavily obfuscated using decoy functions and hexadecimal-named variables to slow down analysis. Once executed, the script decodes a Base64-encoded PowerShell script, saves it to the C:\Temp folder with a random filename, and runs it. If a defined timeout is exceeded, the script cleans up by terminating processes and deleting its own files.

[Figure: Deobfuscated JScript clean-up function (Source – LevelBlue)]

The PowerShell stage then decrypts a .NET assembly payload using XOR with a hard-coded key and loads it directly into memory without writing to disk. The loaded .NET assembly, protected with the ConfuserEx obfuscator, acts as an injector.

[Figure: Excerpt from the patched decompiled .NET loader (Source – LevelBlue)]

It spawns a legitimate aspnet_compiler.exe process, allocates memory inside it, and writes the final LokiBot payload into that space. This process injection technique allows the malware to run inside a trusted Windows process, making it harder to flag.

LokiBot Credential Theft and C2 Communication

Once active, LokiBot creates a mutex using the MD5 hash of the machine’s unique registry identifier to ensure only one instance runs at a time.

[Figure: Mutex-based verification (Source – LevelBlue)]

It then cycles through a list of dedicated credential-harvesting functions, each targeting a specific application, quietly collecting usernames and passwords across browsers, email clients, and more.

After harvesting credentials, LokiBot compresses the stolen data using aPLib and sends it to a command-and-control server whose address is stored in the binary using 3DES encryption. The malware also tries to establish persistence via a registry run key, but newer samples built with custom builders contain a broken persistence mechanism due to a patched decryption routine.

[Figure: Broken registry persistence (Source – LevelBlue)]

To stay hidden, LokiBot avoids importing most Windows API functions directly and instead resolves them at runtime using a custom hashing technique.

Organizations can reduce risk by blocking script-based email attachments, watching for unexpected use of aspnet_compiler.exe, and enabling behavior-based endpoint protection that detects reflective loading and process injection patterns.

Indicators of Compromise (IoCs):
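One way to turn the mitigation advice above into detection logic, as an added example that is not LevelBlue's or the article's code: it walks constructed Sysmon-style process-creation records (the field names, paths and sample values are assumptions) and flags a Windows Script Host process starting PowerShell on a randomly named script under C:\Temp, and PowerShell starting aspnet_compiler.exe, the process the article names as the injection target.

```python
import re

# Constructed Sysmon-style process-creation records (field names and paths
# are assumptions); the chain mirrors the article: JScript under Windows
# Script Host -> PowerShell script in C:\Temp -> aspnet_compiler.exe.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\bob\Downloads\invoice.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Temp\qz8k2m1p.ps1"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": "aspnet_compiler.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Random-looking .ps1 name directly under C:\Temp, as the article describes.
TEMP_SCRIPT = re.compile(r"c:\\temp\\[a-z0-9]+\.ps1", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_chain(events):
    """Return (rule, pid) hits for the stage transitions the article describes."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        img, pimg = basename(e["image"]), basename(parent["image"])
        # Stage 1: Windows Script Host launching PowerShell on a C:\Temp script.
        if img == "powershell.exe" and pimg in SCRIPT_HOSTS and TEMP_SCRIPT.search(e["cmd"]):
            hits.append(("wsh_spawns_powershell_from_temp", e["pid"]))
        # Stage 2: PowerShell starting aspnet_compiler.exe, the injection host.
        if img == "aspnet_compiler.exe" and pimg == "powershell.exe":
            hits.append(("powershell_spawns_aspnet_compiler", e["pid"]))
            # Higher confidence when the grandparent is a script host as well.
            grand = by_pid.get(parent["ppid"])
            if grand is not None and basename(grand["image"]) in SCRIPT_HOSTS:
                hits.append(("aspnet_compiler_under_script_host_chain", e["pid"]))
    return hits

if __name__ == "__main__":
    for rule, pid in detect_chain(SAMPLE_EVENTS):
        print(f"ALERT {rule}: pid={pid}")
```

The same two rules map directly onto a SIEM query over parent/child image fields; the grandparent check is what separates this chain from a developer's legitimate build tooling.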