Researchers Trace Loki Backdoor To Mythic Framework
In July 2024, security researchers identified a previously unknown backdoor, named Loki, and linked it to Mythic, an open-source command-and-control framework originally developed for red teaming. Loki was used in targeted attacks against Russian companies in several sectors, including engineering and healthcare. It was delivered as an email attachment that the victim had to launch manually. The attackers tailored each intrusion with publicly available utilities such as gTunnel, ngrok, and goReflect to tunnel and modify their traffic. Loki is compatible with the Havoc framework and borrows techniques that hinder analysis and detection, such as encrypting its own memory image and calling system APIs indirectly. The Loki loader sends encrypted system information to the command-and-control server and receives a DLL that carries out the next stage. The researchers observed two versions of the loader that differ only slightly. Despite the detailed analysis, they could not attribute Loki to any known group: the attacks were tailored to each target and relied on no unique tooling. The case illustrates the dual-use nature of open-source security frameworks, which, while valuable for legitimate security testing, are also co-opted by attackers for malicious purposes.

Malware: LokiPasswordStealer, LokiBot, Loki, Kryptik

[View Article](https://osintcorp.net/researchers-trace-loki-backdoor-to-mythic-framework/)