Seeing some changes to Lokibot with this malware delivery campaign overnight. I don’t know if it is a complete change to the C2 URL naming convention or whether it is only this particular actor using a different C2 URL naming convention. Generally with Lokibot the quickest & easiest way to identify it is the “fre.php” in the C2 URL. Today we are seeing “cat.php”. The delivery email, with the subject of Request For Invoice, pretending to come from sales@kumarequipment.net with a malicious Word doc attachment that contains an RTF exploit, is typical of the common malware delivery methods that are currently being used …
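The post's identification tip (a C2 URL path ending in “fre.php”, and now “cat.php”) is easy to turn into a log check. The following is an added example, not code from the original post: it scans a constructed, space-separated proxy log (timestamp, client IP, method, URL, status, a format assumed for this demo) and flags requests whose URL path basename is exactly one of those script names. Matching on the basename rather than with a substring search avoids false positives such as `concat.php` or `cat.php.js`, which a naive grep for “cat.php” would also hit.

```python
"""Flag proxy-log URLs whose path ends in a Lokibot-style panel script name.

Added example, not code from the original post. The log format below is
an assumption made for this demo; the script names (fre.php, cat.php) are
the ones the post describes as the quick way to spot Lokibot C2 traffic.
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Path basenames the post associates with Lokibot C2 panels.
LOKIBOT_C2_SCRIPTS = {"fre.php", "cat.php"}

# Constructed sample log lines; hostnames use the reserved .example TLD.
SAMPLE_LOG = """\
2019-05-20T08:01:02Z 10.0.0.15 POST http://host-a.example/panel/fre.php 404
2019-05-20T08:01:05Z 10.0.0.15 GET http://www.example.com/index.php 200
2019-05-20T08:02:11Z 10.0.0.22 POST http://host-b.example/wp-content/cat.php 200
2019-05-20T08:02:30Z 10.0.0.22 GET http://cdn.example.net/cat.php.js 200
2019-05-20T08:03:00Z 10.0.0.31 POST http://host-c.example/concat.php 200
"""

# One line = timestamp, source IP, HTTP method, URL, 3-digit status code.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def c2_script_name(url: str) -> Optional[str]:
    """Return the matching script name if the URL path's last segment is one
    of the known panel scripts (case-insensitive), otherwise None.

    Only the path is inspected, so query strings do not affect the match.
    """
    path = urlparse(url).path
    basename = path.rsplit("/", 1)[-1].lower()
    return basename if basename in LOKIBOT_C2_SCRIPTS else None


def find_lokibot_c2_candidates(log_text: str) -> list:
    """Parse each log line and collect the requests that hit a panel script."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        script = c2_script_name(m["url"])
        if script:
            hits.append(
                {
                    "src": m["src"],
                    "method": m["method"],
                    "url": m["url"],
                    "script": script,
                }
            )
    return hits


if __name__ == "__main__":
    for hit in find_lokibot_c2_candidates(SAMPLE_LOG):
        print(f"{hit['src']} {hit['method']} {hit['url']} -> {hit['script']}")
```

Run against the sample, only the `fre.php` and `cat.php` requests are reported; the `cat.php.js` and `concat.php` lines are left alone. In a real deployment the source IP of each hit is the host to triage next, and adding a new script name as the naming convention shifts is a one-line change to `LOKIBOT_C2_SCRIPTS`.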