Loda
⚠️ Overview
Loda is a Remote Access Trojan (RAT) written in AutoIt, first documented publicly in 2016 by malware researcher Bart Blaze. It is distributed through spear-phishing emails carrying compiled AutoIt executables or scripts, and has been associated with financially motivated cybercriminal groups, with victims concentrated among Latin American and European users. Loda is classified primarily as a RAT, with keylogging, screen capture, and credential theft capabilities.
🔧 Technical Capabilities
Loda ships as a compiled AutoIt script: the interpreter and the compressed script are bundled into a single executable, which blunts signature matching on the script text, although the script is readily recoverable with standard AutoIt decompilers. The attack vector is typically a malicious email attachment, often an .exe disguised as a PDF or Office document. On execution it establishes persistence through a registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and by creating a scheduled task named "WindowsUpdate" or similar. Its command-and-control (C2) traffic consists of HTTP requests to attacker-controlled servers, with the address either hardcoded or, in some builds, derived from a pseudo-random domain-generation routine. Loda captures keystrokes, takes periodic screenshots, and exfiltrates collected files to the C2 with HTTP POST requests; it also provides a simple file manager and a remote shell. Evasion techniques include checks for analysis environments (for example, the presence of tools such as Wireshark) and process hollowing to run inside a legitimate process such as svchost.exe.
📜 History & Notable Incidents
First observed in 2016, Loda was initially used in targeted attacks against financial institutions in Brazil and Mexico. In 2019, a campaign dubbed "Operation Loda" by ESET researchers was reported as linking the malware to the TA542 group (the operators of Emotet); that attribution has not been echoed in other vendors' Loda reporting and should be treated as unconfirmed. The malspam in that campaign delivered Loda through documents exploiting CVE-2017-0199, the Microsoft Office OLE/HTA remote code execution flaw (the Equation Editor bug is a separate issue, CVE-2017-11882). No major law enforcement takedowns have been publicly reported, but multiple vendors (Trend Micro, Malwarebytes) have published deep-dive analyses tracking its evolution.
🔍 Detection Indicators
The SHA256 value circulated for this family in a 2020 Malwarebytes report, d8f2c3a1b5e7f9c0d6a4b2c1e3f5g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x, is not a valid SHA-256 digest: it is 63 characters rather than 64 and contains letters outside the hexadecimal range (g through x), so it can never match a file and should not be loaded into a blocklist; take hashes from a current vendor IOC feed instead. Reported behavioral indicators: creation of files named "syshelper.exe" or "winlogon.ahk" in %APPDATA%; a persistence value named "Loda" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run; outbound connections on port 80/443 with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Loda-RAT"; and a mutex named "LodaMutex_12345". String-level indicators like these change between builds, so treat any single one as weak evidence and corroborate it with the persistence and network behaviour described above.
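The following is an added example, not code from the original page or from any vendor report, showing how the behavioral indicators above can be correlated per host. It runs over constructed Sysmon-style events (IDs 1, 11 and 13) and proxy log entries; the hosts, paths and IP addresses are hypothetical, and the indicator values are the ones listed above. Because each indicator is weak on its own, a host is flagged only when two independent rules fire.

```python
"""Triage of Loda-style indicators over constructed Sysmon-like events.

Added example; not code from the original page or any vendor. The event
schema is a simplified stand-in for Sysmon (event IDs 1, 11, 13) and a proxy
log. Indicator values are the ones listed on this page; they are build-specific
and weak on their own, so the triage needs two independent rules to fire.
"""
import json
import re
from collections import defaultdict

# Sysmon EventID 11 (FileCreate): reported drop names under %APPDATA%.
DROPPED_FILE = re.compile(r"\\AppData\\Roaming\\(syshelper\.exe|winlogon\.ahk)$", re.I)
# Sysmon EventID 13 (RegistryEvent, value set): Run value named "Loda".
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Loda$", re.I)
# Sysmon EventID 1 (ProcessCreate): schtasks creating a task literally named WindowsUpdate.
# Anchored with (\s|$) so legitimate names such as "WindowsUpdateCheck" do not match.
SCHTASK = re.compile(r'schtasks(\.exe)?\b.*?/create\b.*?/tn\s+"?WindowsUpdate"?(\s|$)', re.I)
# Proxy log: the reported User-Agent suffix.
LODA_UA = re.compile(r"\bLoda-RAT\b", re.I)

# Constructed sample events (hypothetical hosts, paths and addresses; the IPs
# come from the RFC 5737 documentation ranges).
SAMPLE_EVENTS = json.loads(r'''[
 {"host": "WS01", "source": "sysmon", "id": 11,
  "Image": "C:\\Users\\a\\Downloads\\invoice.pdf.exe",
  "TargetFilename": "C:\\Users\\a\\AppData\\Roaming\\syshelper.exe"},
 {"host": "WS01", "source": "sysmon", "id": 13,
  "Image": "C:\\Users\\a\\AppData\\Roaming\\syshelper.exe",
  "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Loda",
  "Details": "C:\\Users\\a\\AppData\\Roaming\\syshelper.exe"},
 {"host": "WS01", "source": "sysmon", "id": 1,
  "Image": "C:\\Windows\\System32\\schtasks.exe",
  "CommandLine": "schtasks /create /sc minute /mo 5 /tn WindowsUpdate /tr C:\\Users\\a\\AppData\\Roaming\\syshelper.exe"},
 {"host": "WS01", "source": "proxy", "dst": "203.0.113.10", "dport": 80, "method": "POST",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Loda-RAT"},
 {"host": "WS02", "source": "sysmon", "id": 1,
  "Image": "C:\\Windows\\System32\\schtasks.exe",
  "CommandLine": "schtasks /create /sc daily /tn WindowsUpdateCheck /tr C:\\Tools\\updater.exe"},
 {"host": "WS03", "source": "proxy", "dst": "198.51.100.7", "dport": 443, "method": "GET",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
]''')


def rule_dropped_file(e):
    return e.get("id") == 11 and bool(DROPPED_FILE.search(e.get("TargetFilename", "")))


def rule_run_key(e):
    return e.get("id") == 13 and bool(RUN_KEY.search(e.get("TargetObject", "")))


def rule_schtask(e):
    return e.get("id") == 1 and bool(SCHTASK.search(e.get("CommandLine", "")))


def rule_user_agent(e):
    return (e.get("source") == "proxy" and e.get("dport") in (80, 443)
            and bool(LODA_UA.search(e.get("user_agent", ""))))


RULES = [
    ("dropped_file_in_appdata", rule_dropped_file),
    ("run_key_persistence", rule_run_key),
    ("scheduled_task_windowsupdate", rule_schtask),
    ("loda_user_agent", rule_user_agent),
]


def triage(events):
    """Return {host: {"rules": [...], "flagged": bool}}. A host is flagged only
    when two or more distinct rules fire: file names, task names and UA strings
    are trivially changed between builds, so one hit alone is a lead, not a verdict."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES:
            if rule(e):
                hits[e["host"]].add(name)
    return {h: {"rules": sorted(r), "flagged": len(r) >= 2} for h, r in hits.items()}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

With the sample events, WS01 trips all four rules and is flagged; WS02 creates a task named "WindowsUpdateCheck" and is deliberately not matched, which is the trade-off of anchoring the task-name pattern rather than matching "WindowsUpdate or similar" loosely.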
☠️ Risk & Impact
Loda primarily enables credential theft and data exfiltration, leading to financial losses from account takeover and fraud. It has heavily impacted the banking and financial services sector in Latin America, with incidents reported by CERT.br (Brazilian national CSIRT) and SANS ISC. As a RAT, it can also serve as a foothold for deploying secondary payloads like ransomware or banking trojans.
🛡️ Mitigation
Mitigation includes application allow-listing (e.g., Windows Defender Application Control) so that unsigned executables dropped by a user cannot run at all, together with endpoint detection that flags compiled AutoIt binaries (recognisable by the embedded AutoIt interpreter and script resource) and consumes SHA256 IOC feeds for known samples; allow-listing is the stronger control, since hashes change with every rebuild of the dropper. Patching for CVE-2017-0199 and user awareness training against phishing attachments remain critical; YARA rules keyed on strings from Loda's decompiled AutoIt script are available from the MalwareHunterTeam GitHub repository.
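As an added example (not code from the original page, a vendor, or the AutoIt project), the following static triage script does two of the checks the mitigation section calls for: it recognises a PE that carries the AutoIt v3 compiled-script marker "AU3!EA06", which every AutoIt3-compiled executable contains whether malicious or not, so the result is a review queue entry rather than a verdict; and it validates IOC feed entries as real SHA-256 digests before matching, rejecting malformed ones such as the string quoted on this page. The PE samples and the feed are constructed in memory.

```python
"""Static triage for compiled AutoIt droppers plus a sanity check on IOC feeds.

Added example; not code from the original page, a vendor, or an AutoIt project.
It checks (1) whether a file is a PE that carries the AutoIt v3 compiled-script
marker "AU3!EA06" (present in every AutoIt3 compiled executable, legitimate or
not, so this is a triage signal rather than a verdict) and (2) whether an IOC
feed entry is actually a usable SHA-256 before it is matched. The PE samples and
the feed below are constructed in memory.
"""
import hashlib
import re

AU3_MAGIC = b"AU3!EA06"          # marker preceding the embedded script in AutoIt3 builds
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def is_valid_sha256(value):
    """A SHA-256 hex digest is exactly 64 hexadecimal characters; anything else
    can never match a real file and only pollutes the blocklist."""
    return bool(SHA256_RE.match(value.strip().lower()))


def load_ioc_hashes(lines):
    """Split a hash feed into usable digests (normalised to lowercase) and the
    malformed entries that should be reported back to whoever published them."""
    good, bad = set(), []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if is_valid_sha256(line):
            good.add(line.lower())
        else:
            bad.append(line)
    return good, bad


def classify(data, ioc_hashes):
    """Classify one file's bytes. A hash match wins; otherwise a PE containing
    the AutoIt marker is surfaced for analyst review (decompile and read the script).
    Packed or protected builds may hide the marker, so its absence proves nothing."""
    digest = hashlib.sha256(data).hexdigest()
    is_pe = data[:2] == b"MZ"
    au3_offset = data.find(AU3_MAGIC)
    if digest in ioc_hashes:
        verdict = "known_bad"
    elif is_pe and au3_offset >= 0:
        verdict = "autoit_compiled"
    else:
        verdict = "benign_or_unknown"
    return {"sha256": digest, "is_pe": is_pe, "au3_offset": au3_offset, "verdict": verdict}


# --- constructed samples (not real malware; just enough bytes to exercise the checks) ---
FAKE_AUTOIT_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 128 + AU3_MAGIC + b"\x13\x37" * 8
FAKE_PLAIN_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 128 + b"plain native binary"
TEXT_FILE = b"just a text attachment\n"

# Constructed feed: the malformed entry quoted on this page plus one real digest
# (written in upper case to show the normalisation step).
SAMPLE_IOC_FEED = [
    "# constructed feed for the example",
    "d8f2c3a1b5e7f9c0d6a4b2c1e3f5g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x",
    hashlib.sha256(FAKE_PLAIN_PE).hexdigest().upper(),
]

if __name__ == "__main__":
    good, bad = load_ioc_hashes(SAMPLE_IOC_FEED)
    print("rejected feed entries:", bad)
    for name, blob in [("autoit.exe", FAKE_AUTOIT_PE), ("plain.exe", FAKE_PLAIN_PE), ("note.txt", TEXT_FILE)]:
        print(name, classify(blob, good))
```

In practice the AutoIt marker check belongs in an EDR or mail-gateway rule as a high-volume, low-severity signal; the decisive control is still allow-listing, because an attacker only has to recompile to defeat the hash list.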
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.