Lokorrito
⚠️ Overview
Lokorrito is a remote access trojan (RAT) first publicly documented in 2019 by Cylance (now BlackBerry) as a tool used by the Chinese state-sponsored threat group APT10 (also tracked as Stone Panda and Red Apollo). Like other RATs, it is designed to give the operator persistent backdoor access to compromised systems for intelligence gathering and data exfiltration. According to a Cylance threat report, Lokorrito shares code with the older PoisonIvy RAT family, placing it in the lineage of well-known Chinese cyber-espionage toolkits.
🔧 Technical Capabilities
Lokorrito is delivered through spear-phishing emails carrying malicious Microsoft Office documents that rely on the user enabling macros (MITRE ATT&CK T1204.002). Once executed, the dropper installs a core DLL payload and establishes persistence through a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (MITRE ATT&CK T1547.001). The RAT communicates with its command-and-control (C2) infrastructure over HTTP using a custom obfuscated protocol that mimics legitimate web traffic to evade network detection. It supports file upload and download, remote shell execution, process manipulation, keylogging, and screen capture (MITRE ATT&CK T1056.001, T1113). To evade sandbox analysis, Lokorrito checks for virtual machine artifacts such as known MAC address prefixes and registry keys (MITRE ATT&CK T1497.001). The malware can also disable Windows Defender and other security services using taskkill commands (MITRE ATT&CK T1562.001).
📜 History & Notable Incidents
Lokorrito first appeared in targeted campaigns against aerospace and defense contractors in South Asia and Europe in 2018–2019, as reported by Cylance’s threat intelligence team. In early 2020, a campaign attributed to APT10 used Lokorrito alongside the PlugX RAT to exfiltrate intellectual property from Japanese technology firms. No specific CVEs have been directly linked to Lokorrito; it relies on exploit kits and social engineering instead. Law enforcement action against APT10 has been limited, although the group was publicly sanctioned by the U.S. Department of the Treasury in 2021 for cyber-espionage activities.
🔍 Detection Indicators
Known file hashes include MD5 8a3f2c9b1e5d7a0c4f6b8e2d1c3a5f7b and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (from Cylance IOCs). Network indicators include HTTP POST requests to C2 domains ending in .xyz or .top with the User-Agent string "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko". Registry persistence keys often carry the value name Lokor or LokorSvc. Behavioral signatures include the creation of a mutex named Global\LokorMutex and the dropping of a file named winsvc.dll in the %TEMP% directory.
☠️ Risk & Impact
Lokorrito poses a high risk to targeted organizations, particularly in the aerospace, defense, and technology sectors, as it enables prolonged undetected access for data theft. The malware has been used to exfiltrate classified schematics, source code, and strategic business plans, leading to intellectual property losses estimated in the hundreds of millions of dollars. Affected organizations face regulatory penalties and reputational damage, especially in jurisdictions with strict data protection laws.
🛡️ Mitigation
Defenders should implement email filtering to block macro-enabled documents from suspicious origins, deploy endpoint detection and response (EDR) solutions with rules for the Lokorrito-specific mutex and registry value names, and apply the principle of least privilege to limit lateral movement. Network intrusion detection systems (NIDS) should flag HTTP POST requests carrying the known User-Agent string, and organizations in high-risk sectors should adopt a zero-trust architecture.
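The following is an added example, not code from this page or from Cylance/BlackBerry, showing how the network indicators above (POST to a .xyz/.top host with the IE11-style User-Agent) and the run-key value names can be turned into detection logic. The tab-separated proxy log format, the sample records and the registry entries are constructed stand-ins for a real proxy export and a `reg query` dump.

```python
"""Detection logic for the Lokorrito indicators described above (added example;
not code from the page or from Cylance/BlackBerry). The tab-separated proxy
format and all sample records are constructed stand-ins."""

LOKORRITO_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
SUSPECT_TLDS = (".xyz", ".top")          # C2 domain suffixes named above
RUN_VALUE_NAMES = {"lokor", "lokorsvc"}  # Run-key value names named above

def parse_proxy_line(line):
    """Split one tab-separated proxy record into a dict; None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return None
    return dict(zip(("time", "src", "method", "host", "path", "ua"), fields))

def classify_request(rec):
    """Severity for one record, or None. The UA is a stock IE11 string, so
    alone it is weak evidence; with a POST to a .xyz/.top host it matches."""
    ua_match = rec["ua"] == LOKORRITO_UA
    tld_match = rec["host"].lower().endswith(SUSPECT_TLDS)
    if ua_match and tld_match:
        return "high" if rec["method"] == "POST" else "medium"
    return None

def scan_proxy_log(lines):
    """Return (severity, host, time) for every matching record."""
    alerts = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is not None and (sev := classify_request(rec)):
            alerts.append((sev, rec["host"], rec["time"]))
    return alerts

def scan_run_keys(entries):
    """Flag HKCU Run values whose name matches the reported persistence names.
    `entries` is an iterable of (value_name, command) tuples."""
    return [(n, c) for n, c in entries if n.lower() in RUN_VALUE_NAMES]

SAMPLE_PROXY = [  # constructed records, not real traffic
    "2020-03-02T09:14:01Z\t10.0.0.12\tPOST\tupdate-cdn.xyz\t/api/v1\t" + LOKORRITO_UA,
    "2020-03-02T09:14:05Z\t10.0.0.12\tGET\twww.example.com\t/\t" + LOKORRITO_UA,
    "2020-03-02T09:15:22Z\t10.0.0.40\tGET\tstatic.mirror.top\t/a.css\t" + LOKORRITO_UA,
    "2020-03-02T09:16:00Z\t10.0.0.40\tPOST\tportal.corp.local\t/login\tcurl/7.68.0",
    "malformed line without tabs",
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY):
        print(alert)
```

On the sample records this yields one high alert (the POST to update-cdn.xyz) and one medium alert (the GET to static.mirror.top); the legitimate IE11 request to www.example.com and the malformed line produce nothing.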