
Loda


Loda is a remote access trojan (RAT) that has been in active use among multiple threat actors since 2016. The malware’s functionality includes stealing passwords and other sensitive information, keylogging, capturing screenshots, and delivering other malicious payloads. Loda is typically distributed as part of phishing email campaigns.

Type: RAT
Origin: Morocco
First seen: Unknown
Last seen: 17 September, 2025



What is Loda RAT malware?

Loda is a remote access trojan that first appeared in 2016. It is written in AutoIt, a scripting language for automating tasks on Windows that is easy to learn and use. The original developers are believed to be the Kasablanka group, a Morocco-based advanced persistent threat (APT) that has regularly released updated versions of the malware.

The malware is also used by other threat actors. YoroTrooper has employed a Loda variant in attacks on organizations around the world, with activity observed as recently as 2023. TA558 is another group that has added Loda to its toolset, primarily targeting hospitality businesses in Europe and North America.

Technical details of the Loda RAT malicious software

To hinder analysis, Loda RAT obfuscates most of its strings; at run time it deobfuscates them and initializes the corresponding variables. It also randomizes function names, so the names in the script carry no meaning for an analyst.

For evasion and persistence, Loda copies itself into the user's temporary files folder and executes the copy. It also creates a scheduled task that runs the malware automatically at system start-up. Once running, it reports basic host information to its command-and-control (C&C) server, including the IP address, OS version, and architecture.


In terms of functionality, Loda possesses the standard set of RAT capabilities, which allow attackers to:

  • Access the infected computer via Remote Desktop Protocol (RDP).
  • Steal files and data.
  • Upload other malicious software onto the system and run it.
  • Record users’ keystrokes and mouse clicks.
  • Listen to the microphone.
  • Take webcam photos and screenshots.
  • Communicate with the victim via a chat window.
  • Query WMI to obtain a list of all the antivirus solutions that are installed on the host system.

An Android version of Loda RAT also exists. It functions as a tracking application that captures the victim's location and records audio, including calls. It can also monitor SMS messages and place calls without the user's knowledge.

Execution process of Loda RAT

A sample of Loda RAT executed in the ANY.RUN interactive sandbox exposes the malware’s malicious activities and IOCs.

The execution chain is straightforward. Loda first drops executables into the %APPDATA%, Startup, and Temp directories, then creates a scheduled task with schtasks for persistence, runs a Visual Basic script, and finally connects to the C&C server.

Loda RAT process tree
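The persistence in this chain (a scheduled task that relaunches a binary dropped into AppData, Temp or Startup, plus a VBScript stage) is something a SOC can hunt for in schtasks output. Below is an added example in Python, written for this page and not code from ANY.RUN or from the malware. It parses the CSV produced by `schtasks /query /v /fo CSV` and flags tasks whose command runs from one of those drop directories or launches a .vbs, noting whether the task also triggers at boot or logon. The column names are the ones schtasks emits; the sample rows, host name, task names and paths are constructed.

```python
import csv
import io
import re

# Drop locations named in the write-up (AppData, Startup, Temp), as
# case-insensitive path fragments matched against the "Task To Run" column.
DROP_DIRS = (
    r"\\appdata\\roaming\\",
    r"\\appdata\\local\\temp\\",
    r"\\windows\\temp\\",
    r"\\start menu\\programs\\startup\\",
)
# A VBScript launched through the Windows script host, as in the chain above.
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b.*\.vbs\b", re.I)
# Substrings of the "Schedule Type" values schtasks prints for boot/logon triggers.
BOOT_TRIGGERS = ("start up", "startup", "logon")


def parse_schtasks_csv(text):
    """Parse `schtasks /query /v /fo CSV` output. With /v the header row is
    repeated before every task, so those repeats are dropped here."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r.get("TaskName") and r["TaskName"] != "TaskName"]


def suspicious_reasons(row):
    """Return why a task looks like Loda-style persistence, or [] if it does not."""
    cmd = row.get("Task To Run", "")
    reasons = []
    if any(re.search(p, cmd, re.I) for p in DROP_DIRS):
        reasons.append("binary lives in a user-writable drop directory")
    if SCRIPT_HOST.search(cmd):
        reasons.append("launches a .vbs through wscript/cscript")
    if not reasons:
        return []  # a boot trigger on its own is normal for many legitimate tasks
    sched = row.get("Schedule Type", "")
    if any(t in sched.lower() for t in BOOT_TRIGGERS):
        reasons.append(f"persists through a boot/logon trigger ({sched.strip()})")
    return reasons


def hunt(text):
    """Map each suspicious task name to its list of reasons."""
    hits = {}
    for row in parse_schtasks_csv(text):
        reasons = suspicious_reasons(row)
        if reasons:
            hits[row["TaskName"]] = reasons
    return hits


# Constructed sample in the shape of `schtasks /query /v /fo CSV`, reduced to
# the columns this script reads; the host, task names and paths are invented.
SAMPLE_CSV = r"""
"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WS01","\Updater","WS01\jdoe","C:\Users\jdoe\AppData\Roaming\svchost.exe","WS01\jdoe","At system start up"
"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WS01","\OneDrive Standalone Update Task","Microsoft Corporation","C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe","WS01\jdoe","Daily"
"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WS01","\Loader","WS01\jdoe","wscript.exe C:\Users\jdoe\AppData\Local\Temp\run.vbs","WS01\jdoe","At logon time"
""".strip()

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_CSV).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

On a real host, export with `schtasks /query /v /fo CSV > tasks.csv` and pass the file contents to `hunt()`. Treat matches as leads to pivot on (the binary's hash, the task author, the contents of the .vbs), not as verdicts: legitimate installers also schedule updaters from AppData, which is why the script requires a suspicious command and only reports the boot trigger as supporting evidence.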

Distribution methods of the Loda RAT malware

Phishing email campaigns are the most common vector for delivering Loda. The emails carry attachments in various formats, including PDFs, executables, and Microsoft Office documents with embedded malicious content. Some early Loda infections exploited CVE-2017-11882 (a memory corruption bug in the Microsoft Office Equation Editor) and CVE-2017-0199 (a flaw in Office's handling of OLE objects that lets a document fetch and run a remote payload).

As noted above, Loda RAT is popular with various criminal groups. In 2019, TA558 used PowerPoint attachments with malicious macros to distribute both Loda and Revenge RAT; by 2022 the group had switched to container formats such as RAR archives and expanded its payloads to include AsyncRAT. Also in 2022, the Kasablanka APT ran a multi-stage campaign against government agencies that used .iso email attachments to deliver Loda and WarZone RAT.
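The two CVEs named in this section both arrive as OLE objects inside Office or RTF attachments, so a first-pass triage of a suspicious RTF can look for their structural markers before anyone opens the file. The following Python script is an added example written for this page, not ANY.RUN's code and not a detector for the vulnerabilities themselves: it is a heuristic that reports the Equation.3 object class, the \objupdate control word, the public CLSIDs of the Equation Editor and OLE2Link object types found inside decoded \objdata, and any URL embedded in that object data. The helper that builds the sample documents, and the samples themselves, are constructed for illustration and are not real malware.

```python
import re
import uuid

# Public CLSIDs of the two OLE object types behind the CVEs named above.
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")  # Equation.3 (CVE-2017-11882)
OLE2LINK_CLSID = uuid.UUID("00000300-0000-0000-C000-000000000046")  # OLE2Link (CVE-2017-0199)

OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)\}")
OBJCLASS_RE = re.compile(r"\\objclass\s+([^\s}]+)")


def objdata_blobs(rtf):
    """Hex-decode every {\\*\\objdata ...} group; RTF allows whitespace inside the hex."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s", "", m.group(1))
        blobs.append(bytes.fromhex(hexstr[: len(hexstr) & ~1]))  # drop a dangling nibble
    return blobs


def triage_rtf(rtf):
    """Return human-readable findings for an RTF string; an empty list means nothing matched."""
    findings = []
    if any(c.lower() == "equation.3" for c in OBJCLASS_RE.findall(rtf)):
        findings.append("objclass Equation.3: Equation Editor object (CVE-2017-11882 vector)")
    if re.search(r"\\objupdate\b", rtf):
        findings.append("objupdate: object auto-updates on open (CVE-2017-0199 pattern)")
    for i, blob in enumerate(objdata_blobs(rtf)):
        if EQUATION_CLSID.bytes_le in blob or b"Equation.3" in blob:
            findings.append(f"objdata[{i}]: embedded Equation.3 OLE stream")
        if OLE2LINK_CLSID.bytes_le in blob or b"OLE2Link" in blob:
            findings.append(f"objdata[{i}]: OLE2Link moniker object")
        url = re.search(rb"https?://[^\x00\s]{4,}", blob, re.I)
        if url:
            findings.append(f"objdata[{i}]: remote URL {url.group().decode(errors='replace')}")
    return findings


# --- constructed samples (illustration only, not real exploit documents) ---

def ole1_blob(class_name, payload):
    """Constructed OLE 1.0-style prefix: version, format, class-name length, name, payload."""
    name = class_name.encode() + b"\x00"
    return b"\x01\x05\x00\x00\x02\x00\x00\x00" + len(name).to_bytes(4, "little") + name + payload


def build_rtf(class_name, blob, auto_update=False):
    """Wrap an object blob in a minimal RTF document the way Word would lay it out."""
    flags = r"\objupdate" if auto_update else ""
    return (r"{\rtf1\ansi{\object\objemb" + flags
            + r"{\*\objclass " + class_name + "}"
            + r"{\*\objdata " + blob.hex() + "}}}")


EQN_SAMPLE = build_rtf("Equation.3",
                       ole1_blob("Equation.3", EQUATION_CLSID.bytes_le + b"A" * 64))
LINK_SAMPLE = build_rtf("Word.Document.8",
                        ole1_blob("OLE2Link", OLE2LINK_CLSID.bytes_le
                                  + b"http://example.invalid/stage2.hta\x00"),
                        auto_update=True)
BENIGN_SAMPLE = build_rtf("Package", ole1_blob("Package", b"notes.txt\x00hello"))

if __name__ == "__main__":
    for label, doc in (("equation", EQN_SAMPLE), ("link", LINK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_rtf(doc) or "clean")
```

Read the file as text (RTF is 7-bit ASCII) and pass it to `triage_rtf()`. A hit on the Equation.3 class or the OLE2Link CLSID means the document embeds an object type that has no business in an invoice or booking confirmation; the URL finding gives you the staging server to block and the next-stage file to pull into the sandbox. Attackers do obfuscate RTF with junk control words and split hex, so absence of findings is not a clean bill of health.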

Conclusion

Loda remains an active threat with no sign of slowing down. Many criminal actors take advantage of its configurable design and easy availability to attack businesses and government organizations around the world. Because the malware arrives almost exclusively through email, the most effective precaution is to treat unsolicited attachments and links with suspicion and to examine them before opening; detonating a suspicious file in an online sandbox such as ANY.RUN shows its behavior and IOCs without risking a production system.

