{"id":6411,"date":"2021-06-15T11:39:35","date_gmt":"2021-06-15T18:39:35","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6411"},"modified":"2024-04-26T13:20:38","modified_gmt":"2024-04-26T20:20:38","slug":"spoofed-shipping-company-emails-deliver-lokibot-infostealer","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\/","title":{"rendered":"Spoofed Shipping Company Emails Deliver LokiBot Infostealer"},"content":{"rendered":"<h3><strong>Author: Christopher Kim<\/strong><\/h3>\n<h3><strong>TLP: WHITE<\/strong><\/h3>\n<h3>Overview<\/h3>\n<p>On 9 June, Infoblox discovered a malspam campaign that impersonated a shipping logistics business and distributed the LokiBot infostealer. Over time, many LokiBot campaigns have used shipping-themed messages to lure users into opening weaponized documents that download the malware.<sup>1<\/sup><sup>,<\/sup><sup>2<\/sup><\/p>\n<h3>Customer Impact<\/h3>\n<p>LokiBot is a commodity malware commonly sold on the dark web. This infostealer is a hybrid malware that can attack both Android and Windows operating systems. Threat actors typically distribute the malware via spam emails, private messaging applications such as Skype, and malicious websites. LokiBot has built-in capabilities for tracking users\u2019 activities by recording keystrokes with a keylogger, as well as stealing the following types of data:<\/p>\n<ul>\n<li>passwords and login credentials from web browsers,<\/li>\n<li>private keys from cryptocurrency wallets, and<\/li>\n<li>data from mobile banking applications and communication apps.<\/li>\n<\/ul>\n<h3>Campaign Analysis<\/h3>\n<p>Threat actors used InMotion Hosting email servers and the compromised email account <em>xiaohui@euroswift[.]sg<\/em> to send all the emails in this campaign. 
All emails had the subject <em>VSL: MV Hyundai Integral, ORDER: TSA-A090621B<\/em> and lured recipients into opening the attached document to bid for the container ship Hyundai Integral. The email message included a signature crafted to appear as if it came from an employee at Dolphin Logistics, a legitimate cargo agent based in Thailand.<\/p>\n<h3>Attack Chain<\/h3>\n<p>When the victim opens the Microsoft Office Open XML email attachment named MV Hyundai Integral.docx, the file exploits the CVE-2017-11882<sup>3<\/sup> stack overflow vulnerability in Equation Editor (<em>EQNEDT32.EXE<\/em>) to download LokiBot malware. Equation Editor then writes the file to C:\\Users\\Public\\vbc.exe and executes it.<\/p>\n<p>LokiBot writes itself to C:\\Users\\admin\\AppData\\Roaming\\F63AAA\\A71D80.exe and then steals credentials from the victim\u2019s web browser by reading from C:\\Users\\admin\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini. Finally, it sends stolen data to its command and control (C&#038;C) server.<\/p>\n<h3>Vulnerabilities &#038; Mitigation<\/h3>\n<p>Infoblox recommends the following actions to reduce the risk of this type of infection:<\/p>\n<ul>\n<li>Keep antivirus signatures and engines updated.<\/li>\n<li>Turn on automatic updates for the operating system to receive the latest security patches.<\/li>\n<li>Exercise caution when opening email attachments, especially if they come from an unknown sender.<\/li>\n<li>Subscribe to a comprehensive threat intelligence feed to strengthen firewalls.<\/li>\n<li>Enable two-factor authentication on services (e.g. 
banking app) that show sensitive information.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-127.jpg\" alt=\"\" width=\"616\" height=\"726\" class=\"aligncenter size-full wp-image-6540\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-127.jpg 616w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-127-255x300.jpg 255w\" sizes=\"auto, (max-width: 616px) 100vw, 616px\" \/><\/p>\n<p><strong>Endnotes<\/strong><\/p>\n<ol>\n<li><a href=\"https:\/\/insights.infoblox.com\/threat-intelligence-reports\/threat-intelligence--62\">https:\/\/insights.infoblox.com\/threat-intelligence-reports\/threat-intelligence--62<\/a><\/li>\n<li><a href=\"https:\/\/www.infoblox.com\/wp-content\/uploads\/threat-intelligence-report-lokibot-campaign-uses-microsoft-office-exploit.pdf\">https:\/\/www.infoblox.com\/wp-content\/uploads\/threat-intelligence-report-lokibot-campaign-uses-microsoft-office-exploit.pdf<\/a><\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-11882\">https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-11882<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: Christopher Kim TLP: WHITE Overview On 9 June, Infoblox discovered a malspam campaign that impersonated a shipping logistics business and distributed the LokiBot infostealer. 
Over time, many LokiBot campaigns have used shipping-themed messages to lure users into opening weaponized documents that download the malware.1,2 Customer Impact LokiBot is a commodity malware commonly sold [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6715,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[553],"tags":[299,382,294],"class_list":{"0":"post-6411","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-campaign-briefs","8":"tag-infostealer","9":"tag-lokibot","10":"tag-malspam","11":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Spoofed Shipping Company Emails Deliver LokiBot Infostealer<\/title>\n<meta name=\"description\" content=\"Spoofed Shipping Company Emails Deliver LokiBot Infostealer. On 9 June, Infoblox discovered a malspam campaign that impersonated a shipping logistics business and distributed the LokiBot infostealer. 
Over time, many LokiBot campaigns have used shipping-themed messages to lure users into opening weaponized documents that download the malware.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Spoofed Shipping Company Emails Deliver LokiBot Infostealer\" \/>\n<meta property=\"og:description\" content=\"Spoofed Shipping Company Emails Deliver LokiBot Infostealer. On 9 June, Infoblox discovered a malspam campaign that impersonated a shipping logistics business and distributed the LokiBot infostealer. Over time, many LokiBot campaigns have used shipping-themed messages to lure users into opening weaponized documents that download the malware.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-15T18:39:35+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-26T20:20:38+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-18.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"424\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Infoblox 
Threat Intel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\\\/\"},\"author\":{\"name\":\"Infoblox Threat Intel\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\"},\"headline\":\"Spoofed Shipping Company Emails Deliver LokiBot Infostealer\",\"datePublished\":\"2021-06-15T18:39:35+00:00\",\"dateModified\":\"2024-04-26T20:20:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\\\/\"},\"wordCount\":419,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-18.jpg\",\"keywords\":[\"infostealer\",\"lokibot\",\"Malspam\"],\"articleSection\":[\"Cyber Campaign 
Briefs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\\\/\",\"name\":\"Spoofed Shipping Company Emails Deliver LokiBot Infostealer\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-18.jpg\",\"datePublished\":\"2021-06-15T18:39:35+00:00\",\"dateModified\":\"2024-04-26T20:20:38+00:00\",\"description\":\"Spoofed Shipping Company Emails Deliver LokiBot Infostealer. On 9 June, Infoblox discovered a malspam campaign that impersonated a shipping logistics business and distributed the LokiBot infostealer. 
Over time, many LokiBot campaigns have used shipping-themed messages to lure users into opening weaponized documents that download the malware.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-18.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-18.jpg\",\"width\":612,\"height\":424,\"caption\":\"Virus Detected Alert. 
Digital illustration\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/spoofed-shipping-company-emails-deliver-lokibot-infostealer\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cyber Campaign Briefs\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Spoofed Shipping Company Emails Deliver LokiBot Infostealer\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"ca
ption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\",\"name\":\"Infoblox Threat Intel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"caption\":\"Infoblox Threat Intel\"},\"description\":\"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6411","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=6411"}],"version-history":[{"count":6,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6411\/revisions"}],"predecessor-version":[{"id":6543,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6411\/revisions\/6543"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6715"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=6411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=6411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=6411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}