LokiBot is a banking Trojan, crypto-miner and info-stealer, with versions running on both Windows and Android operating systems. The malware can also transform in to ransomware on mobile devices, if victims try to remove it from the device.

LokiBot flaunts strong development and many unique features, getting named one of the “Top Malware Threats of 2018,” also gaining a spot-on Check Point’s monthly “Most Wanted Malware” lists several times in the past year. Capabilities include stealing various types of passwords from browsers, cryptocurrency wallets, FTP servers, email clients and IT administration tools, such as PuTTY. In addition, Android LokiBot can deploy overlay attacks on banking applications as well as applications such as WhatsApp, Skype and Outlook, read SMS messages, and use an infected device to send messages, enabling the malware to spread and infect others.

If a victim attempts to remove the malware from their mobile device, LokiBot’s ransomware feature will revoke admin rights, encrypt the victim’s files and ask for a ransom.

Recently, we have seen yet another surge in the volume of LokiBot samples and indicators, with many malspam campaigns targeting windows-running machines. In this blog post, we will review the LokiBot campaigns of 2019 so far:

Lokibot Timeline


ThreatSTOP users are protected against LokiBot in our TS Originated - Core Threats - IPs and TS Originated - Core Threats - Domains targets.


 Want to be protected from LokiBot and other malware threats? Request a demo or try us out, 14 days, for free.

Learn More