
Understanding LokiBot Through Network Traffic Analysis

How to Spot LokiBot’s Credential Theft in Plaintext Traffic


LokiBot is a long‑running credential‑stealing trojan designed to harvest usernames, passwords, browser data, and cryptocurrency wallets. First appearing in 2016 and attributed to a developer known as “lokistov” or “Carter,” it quickly became popular in criminal markets due to its simplicity, low cost, and effectiveness.

Over time, LokiBot evolved:

  • Variants targeting Android devices appeared, some capable of escalating to root privileges.

  • A 2017 strain added a ransomware fallback that triggered if the victim attempted to remove the malware.

  • It became a common payload in COVID‑19–themed phishing campaigns, maintaining its position as one of the most frequently observed commodity malware families.

Despite its age, LokiBot remains in active use: it is cheap, simple for attackers to deploy, and its check-in traffic is lightweight and consistent from one campaign to the next.


How LokiBot Reaches the Wire

Once a host is infected—typically through phishing attachments, malicious documents, or disguised executables—the malware immediately attempts to exfiltrate data.

The pattern is consistent:

  • The infected machine sends a small binary blob in the body of an HTTP POST.

  • The destination is usually a short, randomly named directory followed by a PHP script on the attacker’s command‑and‑control (C2) server.

  • The transport is plain HTTP, so the request line, headers and body are visible without any decryption, which makes it ideal for learning malware traffic analysis. The body itself is an obfuscated binary format rather than readable text.

This predictable behavior makes LokiBot a great case study for building intuition in Wireshark.


Identifying LokiBot in Wireshark

Filtering down to web traffic is the fastest way to isolate LokiBot’s activity. A simple expression such as:

(http.request or tls.handshake.type eq 1) and !(ssdp)

keeps only HTTP requests and TLS Client Hello messages (the first packet of each HTTPS session) and drops SSDP chatter, so each web conversation on the capture shows up once. In many LokiBot samples you’ll see repeated requests to the same IP‑based URL rather than a domain, an early indicator of commodity malware infrastructure.


Signal #1: Repeated POST Requests to a Suspicious PHP Path

LokiBot almost always communicates with a PHP script on the attacker’s server. The directory names vary from sample to sample, but the structure is constant: a POST to an IP address, a short random folder, and a PHP file name.

Seeing repeated POSTs to the same PHP file, especially on an IP address instead of a domain, is a strong behavioral signature.


Signal #2: Inspecting the HTTP Stream

Following the HTTP stream reveals the full request/response pair. Several LokiBot traits stand out immediately:

  • POST to a random folder + PHP file
    This is the malware sending stolen data or performing its initial check‑in.

  • Outdated User‑Agent
    LokiBot consistently uses fake legacy strings such as:
    Mozilla/4.08 (Charon; Inferno)
    Modern browsers never use this, making it a reliable indicator.

  • Encoded or binary payload
    Legitimate web traffic rarely sends opaque binary blobs in a POST body to a PHP script. LokiBot’s payload often contains encoded credential dumps.

  • C2 reputation checks
    Many LokiBot C2 servers appear in threat intelligence feeds such as ThreatFox. Checking the destination IP or domain against such a feed often confirms the assessment.

  • Suspicious server response
    LokiBot C2 servers frequently return a 404 Not Found even after accepting the POST body.
    A legitimate server also answers a POST to a missing path with 404, so the status code alone proves nothing; the tell is that the same client keeps posting data to the same path and the server keeps answering 404 anyway.
    This is a deliberate evasion technique: the exchange looks like a failed request in proxy and web‑server logs.

These signals combine into a recognizable pattern: small, repetitive POSTs, outdated headers, encoded payloads, and deceptive server responses.
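The five traits above can be turned into a small scoring routine that runs over reassembled request/response pairs, which is how you would triage a capture with many streams instead of following each one by hand. The script below is an added example for this post, not LokiBot code and not code from the original article: every sample message is constructed here for illustration (203.0.113.10 is an RFC 5737 documentation address, the folder and script names are made up), and the signal names and the three‑signal threshold are choices made in this example rather than published indicators.

```python
"""Score one reassembled HTTP request/response pair against the LokiBot
traffic traits discussed above. Added example; all samples are constructed."""
import ipaddress
import re

# Legacy User-Agent string the post attributes to LokiBot.
LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"


def parse_http_message(raw):
    """Split a raw HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_ip_literal(host):
    """True when the Host header is a bare IP literal (host:port assumed IPv4)."""
    hostname = host.split(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def looks_binary(body, threshold=0.3):
    """True when at least `threshold` of the body bytes are non-printable."""
    if not body:
        return False
    printable = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    return (len(body) - printable) / len(body) >= threshold


def score_exchange(request, response):
    """Return the list of LokiBot traits matched by one request/response pair."""
    req_line, req_headers, req_body = parse_http_message(request)
    resp_line, _, _ = parse_http_message(response)
    method, path, _ = req_line.split(" ", 2)
    status = resp_line.split(" ", 2)[1]
    content_type = req_headers.get("content-type", "")

    signals = []
    if method == "POST" and re.search(r"\.php(?:\?|$)", path):
        signals.append("post_to_php")        # random folder + PHP script
    if is_ip_literal(req_headers.get("host", "")):
        signals.append("ip_host")            # IP address instead of a domain
    if req_headers.get("user-agent") == LOKIBOT_USER_AGENT:
        signals.append("legacy_user_agent")  # fake Mozilla/4.08 string
    if content_type.startswith("application/octet-stream") or looks_binary(req_body):
        signals.append("binary_body")        # opaque blob posted to a PHP script
    if method == "POST" and req_body and status == "404":
        signals.append("404_after_post")     # data accepted, 404 returned anyway
    return signals


def is_lokibot_like(signals, minimum=3):
    """One trait alone (e.g. a 404 to a retired form path) is common in benign
    traffic; require several to co-occur before flagging the exchange."""
    return len(signals) >= minimum


# Constructed LokiBot-style check-in: IP host, random folder + PHP, legacy UA,
# 64 arbitrary filler bytes as the body (not real LokiBot data).
SAMPLE_LOKIBOT_REQUEST = (
    b"POST /x7q2/post.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: 203.0.113.10\r\nAccept: */*\r\n"
    b"Content-Type: application/octet-stream\r\nContent-Length: 64\r\n"
    b"Connection: close\r\n\r\n" + bytes(range(64))
)
# Constructed C2-style reply: the data was received, yet the answer is 404.
SAMPLE_LOKIBOT_RESPONSE = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
# Constructed benign form login on a named host with a modern browser UA.
SAMPLE_BENIGN_REQUEST = (
    b"POST /api/login HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
    b"username=alice&password=hunter2"
)
SAMPLE_BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"ok\":true}"
# Constructed benign POST to a retired endpoint: a lone 404 proves nothing.
SAMPLE_STALE_PATH_REQUEST = (
    b"POST /legacy/upload HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 7\r\n\r\n"
    b"file=db"
)
SAMPLE_STALE_PATH_RESPONSE = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    pairs = {
        "lokibot-style": (SAMPLE_LOKIBOT_REQUEST, SAMPLE_LOKIBOT_RESPONSE),
        "benign login": (SAMPLE_BENIGN_REQUEST, SAMPLE_BENIGN_RESPONSE),
        "stale path": (SAMPLE_STALE_PATH_REQUEST, SAMPLE_STALE_PATH_RESPONSE),
    }
    for name, pair in pairs.items():
        found = score_exchange(*pair)
        print(f"{name}: {found} -> {'ALERT' if is_lokibot_like(found) else 'ok'}")
```

The threshold in `is_lokibot_like` is the point to tune: the stale-path sample matches only `404_after_post` and stays quiet, while the LokiBot-style sample matches all five traits. In practice you would feed the function the request/response bytes exported from Wireshark’s Follow HTTP Stream (or reassembled by your own PCAP parser), and add the ThreatFox reputation lookup as an extra signal once you are online.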


Why This Matters for Analysts

LokiBot is one of the best malware families for building intuition in network forensics because:

  • Its traffic is unencrypted and easy to inspect.

  • Its behavior is consistent across variants.

  • It uses simple HTTP patterns that stand out once you know what to look for.

  • It teaches analysts how to spot automation versus human browsing behavior.

  • It reinforces the value of correlating headers, payload structure, and server responses.

For anyone learning malware traffic analysis, LokiBot is a perfect starting point: predictable enough to understand, but realistic enough to build real-world skills.