Skip to content

The trojan malware known as LokiBot or Loki PWS has been identified as a significant threat primarily targeting Windows operating systems. Recent reports indicate that this malware has been disseminated through Microsoft Word files, utilising remote code execution techniques to exploit known vulnerabilities present within the software.

The primary objective of these Word documents is to secretly download an enclosed XML file, which subsequently initiates the delivery of an HTML file. This HTML file, in turn, exploits the Word vulnerabilities, ultimately facilitating the deployment of the LokiBot injector, which is based on the Visual Basic programming language. Security researchers have also uncovered a second attack chain that launches a Visual Basic script and macro upon opening the document.

The intended purpose of this malicious campaign is to collect sensitive information from the infected machines secretively. Given these developments, it is essential to exercise utmost caution when handling Word files, especially from unfamiliar sources, to mitigate the risk of falling victim to this harmful malware.

Figure 1 – Graphic showing recently discovered LokiBot delivery methods. Source:

LokiBot is equipped with a range of harmful functionalities, including keylogging, screen capturing, data harvesting, and authentication theft. These capabilities illustrate the malicious nature of the trojan and emphasise the importance of exercising caution when handling email attachments and similar files.

Moreover, researchers have observed that once the malware is delivered, it employs obscure techniques to evade user and antivirus software detection. As such, it is crucial to remain vigilant and take necessary precautions to protect against this sophisticated threat.

Figure 2 – Example of a LokiBot phishing email. Note the spelling error and suspicious file name. Source:

There are a few ways in which you can help reduce the possibility of being infected by malware like Lokibot:

  • Exercise caution when opening and downloading Office documents from an email or the internet, primarily if they are from unfamiliar sources and/or contain external links.
  • Always verify domain names and email addresses to help prevent phishing attempts from luring the user into clicking/downloading harmful links. Double-checking the legitimacy of URLs, you click on is one of the most effective ways of preventing infection.
  • Have antivirus and email filtering enabled to help in detecting these threats early. 
  • Update software and operating systems as soon as patches are released, as these may have fixes for the vulnerabilities that LokiBot and its delivery methods exploit.
  • Implement two-factor authentication (2FA), as this makes it harder for LokiBot to gain access to your account if it manages to steal your username/password credentials.
  • Disable macros in Microsoft Word unless necessary and from trusted sources to minimise the risk of spreading through specific delivery methods. Details of how to do this can be found here.

If you receive a phishing message via email or text, you can report them to the National Cyber Security Centre’s phishing report system

You can find advice on phishing scams, how to spot phishing attacks, and how to report them below:

Related Links