Loki 2.1 Malware: Inside a Stealth Loader Chain Leveraging PowerShell, Go, and C++

Status: Active exploitation with new C++ dropper (November 2025)

Delivery: Windows shortcut (LNK) files in ZIP archives

Infection Chain:
PowerShell → Go-based dropper → C++ dropper → Loki 2.1 implant

Capabilities:

File upload/download
Code injection
Process termination
Environment variable retrieval
Self-termination

Executive Overview

Loki 2.1 is an evolution of an established malware framework that now employs a multi-language, multi-stage dropper architecture designed to evade modern endpoint defenses. The most notable change in the current campaign is the introduction of a native C++ dropper, which significantly improves stealth, injection reliability, and resistance to behavioral detection.

This is not vulnerability exploitation in the classical sense. Instead, the campaign abuses:

User execution trust
Native Windows tooling
Staggered malicious behavior

The malicious payload is deliberately delayed until several execution transitions have occurred, reducing early detection and forensic visibility.

Initial Access & Delivery

ZIP Archives Containing LNK Files

The initial payload arrives as a ZIP archive, commonly themed as:

Invoices
Shipping confirmations
Legal or HR documentation

Inside the ZIP:

A single Windows Shortcut (.LNK) file
Sometimes a decoy document to increase credibility

The LNK file is the primary attack vector.

How the LNK-Based Exploitation Works

This campaign relies on execution flow abuse, not a software flaw.

User double-clicks the LNK
LNK launches cmd.exe or powershell.exe
PowerShell runs in hidden mode with:
- ExecutionPolicy bypass
- Encoded or obfuscated commands
No security prompt is shown to the user

Windows treats the shortcut as benign, and PowerShell is a trusted system component, allowing the chain to begin silently.

Stage 1 – PowerShell Stager

The PowerShell stage acts as a lightweight loader and traffic director.

Responsibilities

Deobfuscate embedded payloads
Perform basic environment checks
Retrieve or reconstruct the Go-based dropper
Launch execution without writing obvious artifacts

Observed Techniques

Base64-encoded command blocks
AMSI bypass attempts
Use of native Windows utilities (LOLBins)
Minimal disk footprint

This stage is intentionally brief and disposable.

Stage 2 – Go-Based Dropper

The Go-based dropper serves as a transitional layer between scripting and native execution.

Purpose

Break behavioral correlation between PowerShell and the final implant
Introduce a compiled binary with a different detection profile

Behavior

Decrypts or loads the C++ dropper
Performs lightweight sandbox checks:
- Timing delays
- Basic artifact detection
May write the next stage to disk or execute it in-memory

Go binaries are large, noisy from a static analysis perspective, and often treated generically by security tools, making them ideal for this role.

Stage 3 – C++ Dropper (New in Loki 2.1)

The introduction of a C++ dropper is the most significant technical upgrade in this campaign.

Why C++

Direct Windows API access
Lower-level process manipulation
Stronger EDR evasion
More reliable injection methods

Observed Capabilities

API hashing to avoid static signatures
Manual PE mapping
Process hollowing
Injection into trusted processes such as:
- explorer.exe
- svchost.exe

This stage is responsible for safely deploying the final Loki 2.1 implant while minimizing visible indicators.

Stage 4 – Loki 2.1 Implant

The final payload is a fully functional post-exploitation implant.

Core Capabilities

File upload/download
Enables exfiltration and secondary tooling
Code injection
Allows execution inside trusted processes
Process termination
Used to disable security tooling or competing malware
Environment variable retrieval
Supports host profiling and conditional execution
Self-termination
Reduces forensic artifacts and frustrates sandbox analysis

Operational Traits

Encrypted command-and-control
Modular command handling
Controlled beacon timing to reduce network noise

MITRE ATT&CK Mapping

Tactic	Technique	ID
Initial Access	User Execution	T1204
Execution	PowerShell	T1059.001
Defense Evasion	Obfuscated Files or Information	T1027
Defense Evasion	Signed Binary Proxy Execution	T1218
Execution	Native API	T1106
Privilege Escalation	Process Injection	T1055
Defense Evasion	Process Hollowing	T1055.012
Discovery	Query Environment Variables	T1082
Command and Control	Encrypted Channel	T1573
Impact	Process Termination	T1489
Defense Evasion	Self-Deletion	T1070.004

Detection Engineering Ideas

Sigma – LNK Launching PowerShell

title: LNK Triggering PowerShell Execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '.lnk'
    Image|endswith: 'powershell.exe'
  condition: selection
level: high

Sigma – PowerShell Spawning Unsigned Loader

title: PowerShell Launching Unsigned Binary
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: 'powershell.exe'
    Image|contains:
      - 'AppData'
      - 'Temp'
  condition: selection
level: high

YARA – Loki 2.1 Loader Characteristics

rule Loki21_Loader_Generic
{
    strings:
        $a1 = "VirtualAlloc"
        $a2 = "WriteProcessMemory"
        $a3 = "CreateRemoteThread"
        $e1 = "PROCESSOR_ARCHITECTURE"
    condition:
        2 of ($a*) and $e1
}

Indicators of Compromise (Observed)

File System

%APPDATA%\[random].exe
%TEMP%\[random].bin
Short-lived executables deleted after execution

Process Indicators

PowerShell spawning unsigned binaries
Legitimate Windows processes running from user directories
Unexpected termination of EDR or AV processes

Network Indicators

Encrypted outbound traffic from non-browser processes
Irregular beacon intervals
IP-based C2 with limited reuse

Patching & Mitigation Reality

No Official Patch Exists

This campaign:

Does not exploit a CVE
Does not abuse a Windows bug
Does not have a Microsoft security bulletin

There is no official patch link because nothing is technically broken.

Effective Mitigations

Technical Controls

Restrict or monitor LNK execution from:
- Downloads
- Email attachment paths
Enable:
- PowerShell Script Block Logging
- AMSI
Alert on:
- Process injection
- Hollowing
- Unsigned binaries in user-writable directories

Policy & Awareness

Treat ZIP files containing shortcuts as suspicious
Educate users that legitimate documents do not arrive as .lnk

Final Takeway

Loki 2.1 is a quiet, deliberate, and well-maintained malware platform.
The addition of a C++ dropper indicates:

Increased operator sophistication
Long-term access objectives
Adaptation to modern EDR environments

This is not opportunistic malware.
It is designed to stay unnoticed, persist selectively, and give operators control.