New Phishing Campaign Delivers LokiBot Malware Through Microsoft Word Vulnerabilities


In a startling revelation, cybersecurity experts have uncovered a sophisticated phishing campaign that employs cunning tactics to drop the notorious LokiBot malware onto compromised systems. This malware, a seasoned information-stealing Trojan dating back to 2015, has recently resurfaced with a renewed vigor, targeting Windows systems and meticulously extracting sensitive information from infected machines.

Exploiting Weaknesses for Maximum Impact

The cyberattacks were detected by Fortinet FortiGuard Labs researchers in May 2023 and have raised significant concerns in the cybersecurity landscape. The attackers are leveraging two known remote code execution vulnerabilities, namely CVE-2021-40444 and CVE-2022-30190 (also known as Follina), to execute their malicious code with alarming precision.

The Intricate Web of Intrusion

In one attack vector, the threat actors ingeniously embed an external GoFile link within an XML file housed within a Microsoft Word document. This link, when accessed, leads to the download of an HTML file, which in turn capitalizes on the Follina vulnerability to retrieve the next-stage payload. This payload is an injector module written in Visual Basic, designed to decrypt and launch the LokiBot malware.

This injector module doesn’t just stop at its malicious functions—it incorporates evasion mechanisms that meticulously scrutinize its surroundings. It intelligently detects the presence of debuggers and actively determines if it’s operating within a virtualized environment, further highlighting the sophistication of the attack.

An Alarming Twist in the Tale

However, the plot thickens with another variant of the attack discovered towards the end of May. Here, the attackers utilize a Microsoft Word document with a VBA script that immediately executes a macro upon opening the document. This “Auto_Open” and “Document_Open” combination is a perfect ruse to trigger the payload. The macro acts as an intermediary, connecting to a remote server to fetch an interim payload. This interim payload, acting as an injector itself, then proceeds to deliver the LokiBot malware. Additionally, this malware establishes a connection to a command-and-control (C2) server, creating an intricate web of malicious communication.

LokiBot: A Silent Menace

LokiBot, distinct from an Android banking trojan by the same name, brings some new potent capabilities to the table. It possesses the sinister ability to record keystrokes, capture screenshots, and stealthily gather login credentials from various web browsers. The malware doesn’t stop there—it’s also well-equipped to siphon valuable data from an array of cryptocurrency wallets, adding a financially motivated layer to its already menacing profile.

Cara Lin, a researcher at Fortinet FortiGuard Labs, emphasized the evolving nature of LokiBot. She pointed out that the malware’s functionalities have matured over the years, making it an attractive choice for cybercriminals seeking to extract sensitive data from unsuspecting victims. The attackers, Lin noted, continually refine their strategies, ensuring that their malware campaign adapts and thrives by discovering new and efficient ways to infiltrate systems.


The emergence of this advanced phishing campaign serves as a stark reminder of the ever-evolving landscape of cyber threats. The fusion of cunningly exploited vulnerabilities and a resilient malware like LokiBot highlights the pressing need for organizations and individuals alike to remain vigilant and prioritize advanced cybersecurity measures. As the battle between cybercriminals and defenders continues to escalate, it’s imperative to stay informed and fortified against the silent menace that is LokiBot.

Continue to chat
Hello 👋
Let us know how we can help you!