Also known as: Lokibot, Loki-bot, Loki Android Trojan, Loki Password Stealer
Platform: Windows, Android
Variants: LokiBot+Stealer, LokiPWS, LokiBot Android
Damage potential: Stolen credentials, stolen crypto wallet funds, data theft, opening backdoors for other malware (like ransomware), showing malicious ads
LokiBot is a widespread trojan that primarily aims to steal credentials and other information from Windows or Android devices, forwarding the data to remote servers operated by the attacker. LokiBot can also function as a keylogger and give attackers backdoor access to load other malware (typically ransomware) to the infected device. Authentic and cracked versions of the LokiBot malware can be purchased on dark web marketplaces.
LokiBot operates in a way designed to not arouse suspicion, so there are few clear signs of infection. One possible giveaway is receiving notifications about transactions or events that you are not expecting — LokiBot often tries to generate realistic-looking fake notifications for popular apps to lure victims into entering their credentials.
Other possible indicators of a LokiBot infection include:
- Your device frequently freezes or stutters.
- Your device’s fan seems to be constantly on, even when the device is idle.
- Your device periodically sends data to unknown remote servers (LokiBot is uploading victim information to its handlers).
Sources of the infection
LokiBot is most often spread by spear phishing email messages deliberately targeting the victim. These messages typically claim to contain bills or invoices to prompt the victim into opening the attachment, which then infects the device. Any file, including compressed executables and MS Office documents, may act as a carrier for LokiBot.
Your device may also get infected with LokiBot from:
Infected files shared through messaging platforms or SMS.
Infected files downloaded from cloud storage or online repositories.
Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
Peer-to-peer (P2P) sharing of infected files.
Infected external devices, such as hard drives or USB sticks.
Because LokiBot is typically spread through infected email attachments, forming good email habits goes a long way to protect you from infection. Learn to recognize phishing attempts and avoid clicking on unexpected or odd attachments.
Other protective measures include:
Use email scanning tools to identify and automatically block messages with suspicious attachments.
Keep software up to date to prevent LokiBot from exploiting any discovered vulnerabilities.
Use reliable antivirus software to detect, quarantine, and eliminate a LokiBot infection.
Use multi-factor authentication to protect your accounts in the event that someone steals your password using LokiBot.
Avoid potentially dangerous websites, like dark web pages or torrent repositories. These websites may attempt to install malware (including LokiBot) on your device as soon as you open them.
Use NordVPN’s Threat Protection to scan programs and files for malware while they’re being downloaded. Threat Protection will also alert you if you’re about to enter a known infected website to prevent drive-by download attacks.
LokiBot is a well-known trojan, so most reputable antivirus solutions can help you detect and remove the infection from your device. You should not try to remove LokiBot manually — doing so improperly can cause LokiBot to lock your device and encrypt your data.