LokiBot Malware: What it is and how to respond to it   

October 28, 2020  |  Nahla Davies

This blog was written by an independent guest blogger.

The Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security recently announced that activity in LokiBot, a form of aggressive malware, has increased dramatically over the last two months.

The activity increase was discovered by an automated intrusion detection system referred to as EINSTEIN, which the Department of Homeland Security uses for collecting and analyzing security information across numerous government agencies. Following the detection, CISA issued a security advisory warning to Federal agencies and private sector entities alike about the malware.

Malware is essentially a piece of software or firmware that is intentionally placed into a system (or host) for malicious purposes (hence the term ‘malware’). It has long been a major problem, but it’s only become worse since the coronavirus pandemic began as hackers and cybercriminals have sought to take advantage of the chaos created by the situation. LokiBot is one such example.

In this article, we will dive into what exactly LokiBot is and the threat it poses, the techniques that were used to deploy this malware, and then the steps you can take to remove it from an infected system.

What is Lokibot?

LokiBot was first released on underground forums for hackers to target Microsoft Android phones in early 2016. Since then, it has grown to become a much more widespread and dangerous threat than it originally was, as it has been widely distributed via torrent files and email spam (among other techniques) by low-to-mid level hackers targeting passwords.

At this point, LokiBot is among the most prevalent forms of malware, and for 2020 has actually been the single most common form of malware used to attack command-and-control servers.

LokiBot can infect computers and mobile devices alike by searching for locally installed applications. The malware then searches for credentials from the internal databases of those applications and attempts to extract them. LokiBot also comes with a keylogging feature that allows it to capture keystrokes in order to determine the passwords used for accounts that may not be stored in those internal databases as well.

As a result of these capabilities, mobile applications, cryptocurrency wallets, emails, and browsers alike are all vulnerable to LokiBot. The good news is that LokiBot is far invincible. For example, storing your data in the cloud will be one of the best defense measures that you can make because your data will be stored encrypted, decentralized, and ultimately harder to obtain.

How big of a threat does LokiBot pose?

Even though LokiBot has become much more prominent than it once was, the real question that needs to be asked is: even though it’s common, how big of a threat actually is it?

One of the biggest concerns with LokiBot isn’t just the fact that it can target everything from emails to cryptocurrency wallets, it’s also that it can create a backdoor to allow a hacker to install additional malicious software and steal information. LokiBot also makes use of a very simple codebase that makes it easy for lower level cybercriminals to use. If anything, it’s for this reason that it’s become so widely used.

Furthermore, LokiBot utilizes methods to make it seem like nothing is happening to the users. For example, it may send you a false but seemingly normal notification informing you of a supposedly legitimate transaction and asking you to login to your account. If you were to login, all of your information would be recorded and sent to the server of the hacker. LokiBot is capable of creating very realistic simulations of major apps such as WhatsApp and Outlook that increases the chances of people falling for the scam.

In short, the presence of LokiBot is very dangerous as it is simple to use and highly effective in breaching the privacy of individual users and major entities alike. The good news is that you or your company do not have to be resigned to becoming a victim of LokiBot or any other forms of malware. For example, 78% of online professionals have stated that they believe artificial intelligence-based programs are the key to keeping data safe in the future, so there are numerous innovative defense strategies that are being developed.

But what can you do right now?

What can you do to protect yourself against LokiBot?

Cybersecurity always needs to be one of your top priorities in order to keep your data safe, but it’s become even more critical since the pandemic hit.  Protecting yourself against LokiBot is a two-phase process: firstly, reducing your odds of becoming a victim in the first place, and secondly, knowing how to remove it if you are indeed affected.

Always be extremely cautious when installing software or asked to open an attachment. If the file comes from an unrecognizable source or does not seem particularly relevant, do not open it and delete the email altogether. Installing antivirus software on your computer can help to reduce the chances of falling victim to LokiBot or other forms of malware, but it cannot completely eliminate it.

But what do you do if, despite taking the above precautions, your browser ends up infected with LokiBot anyway? This is a bit of a complex task, and the best strategy is to either let your antivirus programs do it on your own or otherwise take your computer into a cybersecurity professional who you trust.

To get your antivirus software to remove LokiBot, the process may differ depending on the specific program you are using, but the basic procedure is as follows:

  1. Identify the name of the malware that you are attempting to remove to your antivirus program. You can do this by using the task manager on Windows and identifying the suspicious-looking program.
  2. Then, also in Windows, select the Power icon from the Windows logo.
  3. Select “Restart” and then hold down the shift button
  4. Select “Choose An Option”
  5. Select “Troubleshoot”
  6. Select “Advanced Options”
  7. Select “Startup Settings”
  8. Click “Restart”
  9. Click “F5” on the keyboard

The above steps will get your operating system restarted in safe mode. After that, you can extract the archive you’ve downloaded and then run the Autoruns.exe file. Uncheck “Hide Empty Locations” and refresh. This will then provide a list of programs, and you can locate the malware file that you want to get rid of.

After that, you can search for the malware name on your computer, and remove it. Reboot your computer normally, and when your system is restarted the malware should be removed from your computer. If the above actions do not work to remove LokiBot, take in your computer to a trusted professional.


If the rise in LokiBot malware shows anything, it’s that you need to be more prepared than you ever have been to do everything you can to limit the chances of being affected by malware in the first place, and to know how to remove it if you do indeed become a victim.

Malware has become even more of an issue as a result of the ongoing pandemic, and it’s likely it will only get worse in the upcoming months and years.

Share this with others

Tags: malware, lokibot

Get price Free trial