Lokibot campaigns continue with some changes to C2 urls

Seeing some changes to Lokibot with this malware delivery campaign overnight.  I don’t know if it is  a complete change to the C2 url naming convention or whether it is only this particular actor using a different C2 url naming convention. Generally with Lokibot the quickest & easiest way to identify it, is the “fre.php” in the C2 URL.  Today we are seeing “cat.php”. The delivery email with the subject of Request For Invoice pretending to come from [email protected]  with a malicious word doc  attachment  that contains an RTF exploit is typical of common malware delivery methods that is currently being used … Continue reading →

Article Link: https://myonlinesecurity.co.uk/lokibot-campaigns-continue-with-some-changes-to-c2-urls/