LokiBot (Loki Password Stealer)
What it is
LokiBot is a credential-stealing trojan that targets Windows and Android. It grabs passwords, cookies, and wallet data, can take screenshots, and sometimes opens a backdoor for more malware. Technical details and IOCs are in our LokiBot overview for defenders.
How it spreads – quick tour
- Phishing emails with booby-trapped attachments
- Fake updates, cracks, and repacked installers
- Malicious links and sideloaded APKs on Android
What you may notice
- Sudden re-logins or missing 2FA codes
- Unknown browser extensions or redirects
- New startup tasks or services you didn’t create
- Data and battery spikes on Android, odd accessibility prompts
Remove it now
- Disconnect from the internet to stop data exfiltration.
- Run a full anti-malware scan, reboot, then scan again.
- From a clean device, change passwords and turn on MFA.
- Check startup items, tasks, services, and extensions; remove unknowns.
- On Android: uninstall suspicious apps, review Accessibility/Device admin settings, then rescan.
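One way to carry out the "check startup items, tasks, services" step on Windows, as an added example that is not part of the original article. It is a read-only inventory; the `Review` flag is a heuristic assumption (command lines pointing into user-writable folders), not a LokiBot signature, and the function name `Test-UserWritablePath` is hypothetical.

```powershell
# Read-only inventory of common Windows autostart locations for manual review.
# Nothing is changed or deleted. Run in an elevated PowerShell to see all entries.

# Heuristic (assumption): programs launched from user-writable folders deserve a look.
# Legitimate software also uses these paths, so a flag means "review", not "malicious".
$userWritable = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'

function Test-UserWritablePath([string]$CommandLine) {
    return [bool]($CommandLine -match $userWritable)
}

# 1. Run/RunOnce registry keys and Startup folders
$startup = Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object @{n='Type';    e={'Startup'}},
                  Name,
                  @{n='Command'; e={$_.Command}},
                  @{n='Where';   e={$_.Location}}

# 2. Scheduled tasks outside the built-in \Microsoft\ folder
$tasks = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Type    = 'Task'
                Name    = $task.TaskName
                Command = "$($action.Execute) $($action.Arguments)".Trim()
                Where   = $task.TaskPath
            }
        }
    }

# 3. Services configured to start automatically
$services = Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
    Select-Object @{n='Type';    e={'Service'}},
                  Name,
                  @{n='Command'; e={$_.PathName}},
                  @{n='Where';   e={$_.StartName}}

# Combine, flag entries for review, and list flagged entries first
@($startup) + @($tasks) + @($services) |
    Select-Object *, @{n='Review'; e={ Test-UserWritablePath $_.Command }} |
    Sort-Object Review -Descending |
    Format-Table Type, Name, Review, Command, Where -AutoSize -Wrap
```

Browser extensions are not covered by this listing; review them in each browser's own extensions page.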
Prevent it
- Install software only from official sources; avoid cracks and third-party app stores.
- Keep Windows, Android, browsers, and Office updated; block macros by default.
- Use reputable EDR/anti-malware and DNS/web filtering.
- Enable MFA everywhere so stolen passwords are less useful.