Menu
Browse

Cyber Threat Actor: Lokistov

Actor Type Location Known Incidents
 Icon
Criminal
1 incident
Profile

The threat actor known by the alias Lokistov has been observed in a limited number of publicly reported incidents, with the alias appearing in connection to a LokiBot information‑stealer campaign. Beyond the alias, no additional names or alternate handles have been disclosed in open sources. The actor’s public footprint is confined to a single documented operation that took place in August 2019. This sparse record prevents any broader characterization of the actor’s size, structure, or long‑term goals.

In the documented incident, Lokistov targeted a United States‑based manufacturing firm, indicating a focus on the industrial sector within North America. The operation’s primary objective was financial gain, as the deployed LokiBot malware is designed to harvest credentials from browsers, email clients, administrative tools and cryptocurrency wallets for subsequent monetization. The campaign was described as low‑volume and highly targeted, suggesting the actor preferred precision over broad‑scale spraying. Linguistic inconsistencies noted in the phishing messages have been interpreted as evidence of non‑native English authorship, though no further language attribution is provided.

The actor’s tactics, techniques and procedures observed in this campaign relied on malspam as the initial access vector, with emails sent to sales addresses that pretended to be urgent quotation requests from a compromised trusted sender IP address previously linked to other intrusions. The malicious payload arrived as a compressed archive masquerading as a game executable, which upon opening installed LokiBot; this variant notably omitted the steganography techniques seen in earlier LokiBot versions. Infrastructure reused from earlier attacks, including those against a German bakery, was leveraged to host or relay the malicious content, demonstrating a pattern of recycling existing assets. No public statements have tied Lokistov to a state sponsor, criminal consortium or any larger affiliation, leaving its allegiance undetermined.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources