{"id":42527,"date":"2021-08-25T00:00:00","date_gmt":"2021-08-25T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/h\/new-campaign-sees-lokibot-delivered-via-multiple-methods.html"},"modified":"2021-08-25T00:00:00","modified_gmt":"2021-08-25T00:00:00","slug":"new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/","title":{"rendered":"New Campaign Sees LokiBot Delivered Via Multiple Methods"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/new-campaign-sees-lokibot-delivered-via-multiple-methods\/lokibot-campaigns-641.png\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.56068133428\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"777529368\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9\">\n<div class=\"article-details\" role=\"heading\" readability=\"38\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p
class=\"article-details__description\">We recently detected an aggressive malware distribution campaign delivering LokiBot via multiple techniques, including the exploitation of older vulnerabilities. <\/p>\n<p class=\"article-details__author-by\">By: William Gamazo Sanchez, Bin Lin <time class=\"article-details__date\">August 25, 2021<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>We recently detected an aggressive malware distribution campaign delivering LokiBot via multiple techniques, including the exploitation of older vulnerabilities. This blog entry describes and provides an example of one of the methods used in the campaign, as well as a short analysis of the payload. We found that one of the command-and-control (C&amp;C) servers had enabled directory browsing, allowing us to retrieve updated samples.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/new-campaign-sees-lokibot-delivered-via-multiple-methods\/lokibot-campaigns-1.jpg\" alt=\"Figure 1. C&amp;C server with directory browsing enabled\"><figcaption>Figure 1.
C&amp;C server with directory browsing enabled<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"36.824324324324\">\n<div readability=\"19.63963963964\">\n<p>Although none of these techniques are particularly new, we want to build awareness about this campaign and encourage users to patch their systems as soon as possible if they are potentially affected.<\/p>\n<p><span class=\"body-subhead-title\">Analysis of the Adobe PDF malware delivery mechanism<\/span><\/p>\n<p>Some of the delivery methods we found included:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">PDF: Using Open Action Object<\/span><\/li>\n<li><span class=\"rte-red-bullet\">DOCX: Using the Frameset mechanism<\/span><\/li>\n<li><span class=\"rte-red-bullet\">RTF: Exploitation of <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/vulnerabilities-and-exploits\/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild\">CVE-2017-11882<\/a><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Internet Explorer: Exploitation of CVE-2016-0189<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Excel: Using embedded OLE Object and Word documents (With further exploitation of old vulnerabilities)<\/span><\/li>\n<\/ul>\n<p>Let\u2019s take a look at one of the delivery methods, an Adobe PDF document attached to an email masquerading as an order invoice email to fool customers. The PDF file, shown in Figure 2, is named \u201cRevised invoice 2.pdf.\u201d<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/new-campaign-sees-lokibot-delivered-via-multiple-methods\/lokibot-campaigns-2.jpg\" alt=\"Figure 2. Screenshot of the PDF document sent to the targeted victim\"><figcaption>Figure 2. 
Screenshot of the PDF document sent to the targeted victim<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>When the document is opened, the user is presented with the option to allow or block a connection to a specific host at \u201c192[.]23[.]212[.]137\u201d.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/new-campaign-sees-lokibot-delivered-via-multiple-methods\/lokibot-campaigns-3.jpg\" alt=\"Figure 3. Option presented to the user upon opening the document\"><figcaption>Figure 3. Option presented to the user upon opening the document<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The URL is placed as an action in the PDF \u201cOpenAction\u201d dictionary, so a web visit is performed when the user opens the document.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/new-campaign-sees-lokibot-delivered-via-multiple-methods\/lokibot-campaigns-4.jpg\" alt=\"Figure 4. PDF document dictionary\"><figcaption>Figure 4. PDF document dictionary<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>If the user allows access to the site, an HTTP request is sent to the URL http:\/\/198[.]23[.]212[.]137\/document\/pdf_r34567888[.]html.
The server responds with a malicious HTML document, shown in Figure 4.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/new-campaign-sees-lokibot-delivered-via-multiple-methods\/lokibot-campaigns-5-1.jpg\" alt=\"Figure 5. Code snippets from the malicious HTML page returned from server\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/new-campaign-sees-lokibot-delivered-via-multiple-methods\/lokibot-campaigns-5-2.jpg\" alt=\"Figure 5. Code snippets from the malicious HTML page returned from server\"><figcaption>Figure 5. Code snippets from the malicious HTML page returned from server<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.95695970696\">\n<div readability=\"16.252747252747\">\n<p>The malicious web page exploits a vulnerability identified as <a href=\"https:\/\/www.trendmicro.com\/vinfo\/sg\/threat-encyclopedia\/vulnerability\/9765\/microsoft-internet-explorer-scripting-engine-memory-corruption-vulnerability-cve-2016-0189\">CVE-2016-0189<\/a> to run the embedded PowerShell script.<\/p>\n<p>After deobfuscation, we can see the malware attempts to download the payload from http:\/\/198[.]23[.]212[.]137\/regedit\/reg\/vbc[.]exe.<\/p>\n<p>The payload vbc.exe is a variant of the <a href=\"https:\/\/www.trendmicro.com\/en_ph\/research\/19\/h\/lokibot-gains-new-persistence-mechanism-uses-steganography-to-hide-its-tracks.html\">LokiBot trojan we first detected in 2019<\/a>. The main purpose of the malware is to steal user credentials from web browsers, FTP servers, and SMTP clients.
It appears to have been compiled recently and uploaded to VirusTotal.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/new-campaign-sees-lokibot-delivered-via-multiple-methods\/lokibot-campaigns-6.jpg\" alt=\"Figure 6. Compilation timestamp of the malware\"><figcaption>Figure 6. Compilation timestamp of the malware<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/new-campaign-sees-lokibot-delivered-via-multiple-methods\/lokibot-campaigns-7.jpg\" alt=\"Figure 7. Default folders\"><figcaption>Figure 7. Default folders<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/new-campaign-sees-lokibot-delivered-via-multiple-methods\/lokibot-campaigns-8.jpg\" alt=\"Figure 8. C&amp;C server POST request\"><figcaption>Figure 8. C&amp;C server POST request<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.01038961039\">\n<div readability=\"14.877922077922\">\n<p>This campaign shows that LokiBot and its variants are still being widely used and still use old and reliable techniques such as social engineering and vulnerability exploitation as delivery methods.<\/p>\n<p>Users can protect themselves from campaigns that involve these techniques by observing basic security practices, such as refraining from clicking links and opening attachments in suspicious or unsolicited emails. 
Organizations and individuals should also update their systems as soon as possible since some of the delivery methods discussed in this blog post use vulnerability exploits.<\/p>\n<p>The following security solutions can also protect users from email-based attacks:<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/h\/new-campaign-sees-lokibot-delivered-via-multiple-methods.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We recently detected an aggressive malware distribution campaign delivering LokiBot via multiple techniques,
including the exploitation of older vulnerabilities. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":42528,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9509],"class_list":["post-42527","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>New Campaign Sees LokiBot Delivered Via Multiple Methods Sr. Threat Researcher Sr. Threat Researcher 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Campaign Sees LokiBot Delivered Via Multiple Methods Sr. Threat Researcher Sr. Threat Researcher 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-25T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"709\" \/>\n\t<meta property=\"og:image:height\" content=\"378\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"New Campaign Sees LokiBot Delivered Via Multiple Methods Sr. 
Threat Researcher Sr. Threat Researcher\",\"datePublished\":\"2021-08-25T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\\\/\"},\"wordCount\":1120,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\\\/\",\"name\":\"New Campaign Sees LokiBot Delivered Via Multiple Methods Sr. Threat Researcher Sr. 
Threat Researcher 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher.jpg\",\"datePublished\":\"2021-08-25T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher.jpg\",\
"width\":709,\"height\":378},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New Campaign Sees LokiBot Delivered Via Multiple Methods Sr. Threat Researcher Sr. Threat Researcher\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"New Campaign Sees LokiBot Delivered Via Multiple Methods Sr. Threat Researcher Sr. Threat Researcher 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/","og_locale":"en_US","og_type":"article","og_title":"New Campaign Sees LokiBot Delivered Via Multiple Methods Sr. Threat Researcher Sr. Threat Researcher 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-08-25T00:00:00+00:00","og_image":[{"width":709,"height":378,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"New Campaign Sees LokiBot Delivered Via Multiple Methods Sr. Threat Researcher Sr. Threat Researcher","datePublished":"2021-08-25T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/"},"wordCount":1120,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/","url":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/","name":"New Campaign Sees LokiBot Delivered Via Multiple Methods Sr. Threat Researcher Sr. 
Threat Researcher 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher.jpg","datePublished":"2021-08-25T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-researcher.jpg","width":709,"height":378},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/new-campaign-sees-lokibot-delivered-via-multiple-methods-sr-threat-researcher-sr-threat-r
esearcher\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"New Campaign Sees LokiBot Delivered Via Multiple Methods Sr. Threat Researcher Sr. Threat Researcher"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=42527"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42527\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/42528"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=42527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=42527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=42527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}