WRAVEN Threat Report - Loki C2
How Malware Can Hide Inside Trusted Apps
Think of the classic metaphor of a wolf in sheep's clothing: that is roughly what Loki C2 is, a tool that gets onto systems by hiding inside software you would normally trust.
Computer security is like a constant cat-and-mouse game. The good guys build defenses, and the bad guys try to find ways around them. One common defense is trusting software that has a digital "seal of approval," showing it's from a legitimate source and hasn't been tampered with. But clever attackers are now finding ways to misuse this trust.
Loki C2 is a penetration testing (adversary simulation) tool written by Bobby Cooke (boku7) of IBM X-Force Red. It is designed to bypass Windows Defender Application Control (WDAC), the allow-listing control in Windows, and by extension the antivirus and endpoint tooling that leans on the same trust, by exploiting the implicit trust we place in digitally signed applications from well-known companies. Everything here about the tool comes from IBM X-Force's own write-up, in which its author documents the technique and the weakness in signature-based trust that it exposes [1,2].
Background: Why We Trust Apps and How Loki C2 Exploits It
Many desktop apps today are built using web technology (like websites) thanks to frameworks like Electron[2]. Think of apps you may use like Slack, Discord, Microsoft Teams, Cursor, VSCode, and many more.
To let users and computers verify where software came from, developers use Code Signing. This is like a digital wax seal on a letter. It tells your computer or antivirus, "This file really came from [Company Name] and hasn't been changed since it was sealed." Allow-listing controls such as WDAC can be configured to let anything signed by a trusted publisher run, so a signed app gets far fewer restrictions than an unknown one [2]. This is usually a good thing!
But here's the catch: the seal covers only the signed executable, and Loki C2 shows how to replace what that executable actually runs, after the app has been installed, without breaking the seal [2].
The Trick: Hollowing Out a Trusted App
Loki C2 uses a method that security folks call "hollowing out" [3]. In the case studied, it targeted Microsoft Teams:
The attacker takes the bad code (the Loki C2 agent, which is a JavaScript program) [3].
They locate the installed Microsoft Teams app on the computer and delete the JavaScript bundle that Teams normally loads at start-up [3].
They put the Loki C2 agent code where the original Teams code used to be [3].
Here's the sneaky part: the main Teams program file (the .exe carrying the digital seal) is left untouched [3]. When you launch Teams:
Windows, and an allow-listing policy such as WDAC, checks the .exe's signature, sees that it is valid and signed by Microsoft, and lets it run [3].
But instead of loading the real Teams code, that trusted process now runs the attacker's Loki C2 code [3].
Because the agent is plain JavaScript loaded by a legitimately signed Electron host, no unsigned executable or DLL ever has to run, so a control that decides based on signatures has nothing to block. Everything the agent does appears to come from a process the policy already trusts, and the alarms that would fire for a separate suspicious program or file stay quiet [2,3].
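The practical consequence of the steps above is that a signature check on the executable says nothing about the JavaScript the executable loads. The following is an added example (not code from the IBM X-Force write-up or from Loki C2) of the check that closes that gap: a SHA-256 manifest taken over the whole install directory right after installation, compared again later. The directory layout, file names and file contents are constructed stand-ins for a Teams install; on a real host the executable would be checked with an Authenticode verifier (for example Get-AuthenticodeSignature) and everything else with this manifest.

```python
"""Integrity baseline for an Electron app's loadable JavaScript.

Added example, not code from the IBM X-Force write-up or from Loki C2.
It builds a SHA-256 manifest of an install directory, then shows that a
'hollowed' install keeps the main executable byte-identical while the
JavaScript bundle changes. The directory layout and contents below are
constructed stand-ins, not a real Teams install.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX separators) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def make_fake_install(root: Path) -> None:
    """Constructed stand-in for an Electron app install: a PE we treat as signed,
    plus the JavaScript bundle Electron loads at start-up (resources/app.asar)."""
    (root / "resources").mkdir(parents=True)
    (root / "Teams.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"<signed PE stand-in>")
    (root / "resources" / "app.asar").write_bytes(b"<original app bundle stand-in>")


def hollow_fake_install(root: Path) -> None:
    """Stand-in for the tampering described above: the signed executable is left
    alone and only the JavaScript it loads is swapped. No agent code is involved."""
    (root / "resources" / "app.asar").write_bytes(b"<replacement bundle stand-in>")


def demo() -> dict:
    """Baseline right after install, tamper, re-hash, and return the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_fake_install(root)
        baseline = build_manifest(root)
        hollow_fake_install(root)
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The diff lists resources/app.asar as modified while Teams.exe is absent from every bucket: the executable a signature check would inspect is unchanged, and only a hash baseline of the non-executable files exposes the swap. The baseline has to be refreshed on every legitimate update, which is why the updater's own writes need to be recognised rather than alerted on.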
What Can Loki C2 Do?
Once running, Loki C2 gives the attacker control over the infected computer. It can [2]:
Upload and download files (steal your data or drop more malware).
See what files are on your computer.
Read the contents of your files.
Run commands secretly in the background.
Load extra tools it needs to do more harm [2].
Is This the Same as Other ‘Loki’ Viruses?
If you have been following cybersecurity news you may have heard of other viruses named ‘Loki’. It’s important to know that this Loki C2 is different:
MLoki: the "Loki" agent for the Mythic command-and-control framework, reported by Kaspersky and typically delivered through fake emails (phishing) [4,5]. It focuses on giving attackers deep control after they have already broken in [5].
LokiBot: an older piece of malware mainly designed to steal passwords and other sensitive information [6,7]. It also usually spreads through phishing emails [7,8].
Loki C2 (the one we're discussing) is unique because its main trick is abusing the trust in signed Electron apps to bypass WDAC, the Windows allow-listing feature that decides which executables are permitted to run.
| Feature | Loki C2 (this report) | MLoki (Mythic "Loki" agent) | LokiBot |
| --- | --- | --- | --- |
| Main goal | Remote control of the host (command and control) | Post-exploitation control | Stealing information (passwords, etc.) |
| How it gets on a system | An attacker with access tampers with an already-installed signed Electron app | Phishing emails | Phishing emails, malicious websites |
| Key trick | "Hollowing out" a signed Electron app so WDAC lets it run | In-memory loading, hiding code | Keylogging, hiding in processes |
| Reported by | IBM X-Force (the tool's own authors) | Kaspersky | Various security researchers |
Why Is This Risky?
Loki C2 is dangerous because:
It can lead to data theft, spying, and full computer takeover [3].
It’s hard to detect because the malicious activity seems to come from a trusted app [3].
It could be used in supply chain attacks, tampering with an app's bundle before it ever reaches you [2].
It shows that checking the digital "seal" on the executable alone does not guarantee that what actually runs is safe.
How to Spot Trouble & Stay Safe
Detecting threats like Loki C2 is tricky, even for professionals, because both a file scan and a signature check see a legitimate Microsoft binary. It requires looking beyond simple virus scans:
Watch for Weird Behavior: Is your computer suddenly slow? Are programs crashing? Are there unexpected pop-ups or network activity? These could be signs of infection (though they can have other causes too).
Security Software: Good, up-to-date security software (antivirus/endpoint protection) often includes "behavior monitoring" that looks for suspicious actions rather than just known bad files [11, 14].
File Monitoring: Security tools can also watch for unexpected changes to application files, in particular the JavaScript bundle under an Electron app's resources folder, since in this technique the signed executable stays unchanged and only that bundle is replaced [12, 13].
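The behavior and file monitoring just described can be expressed as two concrete rules. The code below is an added example, not part of the IBM X-Force write-up or of any product: it runs the rules over constructed events modelled on Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate). The process names in the allow-lists, and the classic per-user Teams paths in the sample events, are assumptions to be tuned for a given environment.

```python
"""Behavior and file-integrity detections for the hollowed-Electron-app pattern.

Added example, not code from the IBM X-Force write-up or from Loki C2. The
events are constructed dictionaries modelled on Sysmon Event ID 11 (FileCreate)
and Event ID 1 (ProcessCreate); the process-name lists are assumptions.
"""
import ntpath
from dataclasses import dataclass

# Assumed: signed Electron chat clients that should never launch a command
# interpreter. Developer tools such as VS Code spawn shells legitimately and
# would need a rule of their own, so they are deliberately not listed.
ELECTRON_HOSTS = {"teams.exe", "ms-teams.exe", "slack.exe", "discord.exe"}
# Assumed: the only processes expected to (re)write an app's JavaScript bundle.
BUNDLE_WRITERS = {"update.exe", "msiexec.exe", "setup.exe"}
# Interpreters whose appearance as a child of a chat client is worth an alert.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Alert:
    rule: str
    process: str
    detail: str


def basename(path: str) -> str:
    """Lower-case file name from a Windows path; ntpath parses backslashes on any OS."""
    return ntpath.basename(path).lower()


def is_bundle_path(path: str) -> bool:
    """True for the places Electron loads its JavaScript from:
    <app>\\resources\\app.asar or an unpacked <app>\\resources\\app\\ tree."""
    p = path.replace("/", "\\").lower()
    return p.endswith("\\resources\\app.asar") or "\\resources\\app\\" in p


def check_file_create(ev: dict):
    """Rule 1: the JavaScript bundle is written by something other than the
    app's installer or updater. The signed .exe is untouched in this technique,
    so this write is the tampering to catch."""
    if ev.get("event_id") != 11 or not is_bundle_path(ev.get("target_filename", "")):
        return None
    writer = basename(ev.get("image", ""))
    if writer in BUNDLE_WRITERS:
        return None
    return Alert("bundle_written_by_unexpected_process", writer,
                 f"{writer} wrote {ev['target_filename']}")


def check_process_create(ev: dict):
    """Rule 2: a signed Electron chat client spawns a command interpreter, which
    is how an agent running inside that process executes commands."""
    if ev.get("event_id") != 1:
        return None
    parent, child = basename(ev.get("parent_image", "")), basename(ev.get("image", ""))
    if parent in ELECTRON_HOSTS and child in INTERPRETERS:
        return Alert("electron_host_spawned_interpreter", parent,
                     f"{parent} -> {child}: {ev.get('command_line', '')}")
    return None


def detect(events) -> list:
    """Run both rules over a stream of events and return the alerts in order."""
    alerts = []
    for ev in events:
        for rule in (check_file_create, check_process_create):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (paths follow the classic per-user Teams layout).
TEAMS_DIR = r"C:\Users\alice\AppData\Local\Microsoft\Teams"
SAMPLE_EVENTS = [
    # Legitimate updater rewriting the bundle: no alert.
    {"event_id": 11, "image": TEAMS_DIR + r"\Update.exe",
     "target_filename": TEAMS_DIR + r"\current\resources\app.asar"},
    # Bundle overwritten from a shell: alert.
    {"event_id": 11, "image": r"C:\Windows\System32\cmd.exe",
     "target_filename": TEAMS_DIR + r"\current\resources\app.asar"},
    # Teams launched normally from Explorer: no alert.
    {"event_id": 1, "image": TEAMS_DIR + r"\current\Teams.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "Teams.exe"},
    # Teams spawning a hidden PowerShell: alert.
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": TEAMS_DIR + r"\current\Teams.exe",
     "command_line": "powershell.exe -nop -w hidden whoami"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.rule, a.process, a.detail, sep=" | ")
```

Two caveats a practitioner would want: the updater on the allow-list can itself be abused, so Rule 1 is a triage filter rather than proof of legitimacy, and Rule 2 catches only the cases where the agent shells out; file transfer and directory listing done from inside the JavaScript runtime produce no child process, which is exactly why the file-integrity rule is needed alongside the behavioral one.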
Here are steps everyone can take to reduce the risk:
Keep Software Updated: Updates often fix security holes that malware might exploit, and this includes Windows, your browser, and your applications [12]. Note that the Loki C2 technique does not rely on a bug in Teams; it relies on an attacker already being able to write to the app's install folder, so updates reduce your overall exposure but do not by themselves block this trick.
Be Careful What You Install: Only install software from trusted sources. Even then, be cautious.
Use Strong Security Software: Install reputable antivirus/anti-malware software and keep it updated.
Check Security Settings: Ensure your operating system's built-in security features are enabled. Keep in mind that application control which trusts a publisher's signature on its own (the WDAC setup this technique targets) needs file-integrity and behavior monitoring alongside it.
User Awareness: Be suspicious of unexpected emails or links asking you to download or run software.
Loki C2 is a reminder that cyber threats are always evolving. Attackers are constantly finding clever ways to bypass defenses, even by hiding inside things we trust. Staying safe requires vigilance, keeping our systems updated, using robust security tools, and being cautious about the software we run. It's a joint effort between users, software developers, and security professionals to stay one step ahead.
References
Bypassing Windows Defender Application Control with Loki C2 | IBM X-Force - https://www.ibm.com/think/x-force/bypassing-windows-defender-application-control-loki-c2
Bypassing Windows Defender Application Control with Loki C2 - Security Intelligence - https://securityintelligence.com/x-force/bypassing-windows-defender-application-control-loki-c2/
Dangerous Loki backdoor discovered: Kaspersky experts identify agent in Russian company cyberattacks - https://www.kaspersky.com/about/press-releases/dangerous-loki-backdoor-discovered-kaspersky-experts-identify-agent-in-russian-company-cyberattacks
Loki: a new private agent for the popular Mythic framework - Securelist - https://securelist.com/loki-agent-for-mythic/113596/
The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page - https://thehackernews.com/search?updated-max=2023-07-17T16:25:00%2B05:30&max-results=9&start=45&by-date=false&m=1 (Context for LokiBot timeline)
202309291200_LokiBot Malware Analyst Note_TLPCLEAR - HHS.gov - https://www.hhs.gov/sites/default/files/lokibot-malware-analyst-note-tlpclear.pdf
LokiBot Phishing Malware Baseline - Cofense - https://cofense.com/blog/lokibot-phishing-malware-baseline/
System Binary Proxy Execution: Electron Applications, Sub-technique T1218.015 - MITRE ATT&CK - https://attack.mitre.org/techniques/T1218/015/
Electron apps - trust them? - Privacy Guides Community - https://discuss.privacyguides.net/t/electron-apps-trust-them/12753
What is Behavior Monitoring? Methods & Strategies - SentinelOne - https://www.sentinelone.com/cybersecurity-101/cybersecurity/what-is-behavior-monitoring/
Security | Electron - https://electronjs.org/docs/latest/tutorial/security
Rise of Inspectron: Automated Black-box Auditing of Cross-platform Electron Apps - USENIX - https://www.usenix.org/system/files/sec24summer-prepub-120-ali.pdf
Labs Team Uncovers Abuse of WDAC in the Wild to Disable EDR - Beazley Security - https://beazley.security/insights/labs-team-uncovers-novel-abuse-of-wdac-to-disable-commercial-edr-products