Mandiant cybersecurity experts: The APT (aka UNC2452) also shows two distinct clusters of activity, UNC3004 and UNC2652.
Technical analysis by the Malware Hunter JAMESWT
Lokibot is now also spread using an artwork lure. The email's xlsx attachment contacts a single link from which an exe, the malware itself, is downloaded and executed.
A fake email about the alleged purchase of an artwork delivers the latest Lokibot campaign.
The message's xlsx attachment contacts a single link, from which it downloads and runs an exe file: the malware.
The goal of the cybercriminals behind the operation is to steal sensitive information from the victim. Lokibot (aka Loki PWS and Loki-bot) is an information stealer that acquires credentials, cryptocurrency wallets, and other types of data.