BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details


Global rank
48 infographic chevron month
Month rank
39 infographic chevron week
Week rank

Lu0Bot is a Node.js malware that was first discovered in February 2021. It is a type of Trojan that primarily acts as a stealer by responding to commands from a command-and-control (C2) server and transmitting encrypted system data. It can also operate as a DDoS bot. Lu0Bot employs multiple obfuscation techniques to avoid detection and make analysis more difficult.

1 February, 2021
First seen
20 May, 2024
Last seen

How to analyze Lu0Bot with ANY.RUN

1 February, 2021
First seen
20 May, 2024
Last seen


IP addresses
Last Seen at
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 48
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 657
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 564
comments 0

What is Lu0Bot malware?

Lu0Bot is a trojan that was first observed in 2021. Although less widely used than other trojan malware, such as Agent Tesla, it has the potential to inflict serious damage on infected systems.

A notable feature of Lu0Bot is its use of Node.js, an unusual programming language choice for malware. However, this unconventional approach provides Lu0Bot with versatility compared to most malicious programs that are usually developed using the .NET framework, which is limited to Windows systems.

Despite being a highly capable threat, Lu0Bot has a relatively low level of activity. Currently, its primary function is data harvesting, but it can also be used as a DDoS attack bot and may have other capabilities.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Lu0Bot malicious software

Once Lu0Bot is fully deployed on the system, it can engage in:

  • Keystroke recording: It can perform keylogging and record the keys that are pressed by the user, for instance, when they enter their login credentials.
  • Identity theft: It can steal the victim’s personal information, including credit card numbers and other sensitive data.
  • System control: Using Lu0Bot, attackers can execute a wide variety of activities, as the malicious software is capable of establishing near-full control over the device.
  • DDoS attacks: The malware can exploit the compromised system and use it to participate in a distributed denial-of-service (DDoS) attack.

Lu0Bot is highly obfuscated, meaning that its code is deliberately made difficult to read and understand in order to prevent or obstruct analysis. It uses several encryption algorithms, including custom ones.

By comparing Lu0Bot samples from 2021 and 2023, it becomes clear that the software is being continuously updated by its developers.

Read a detailed analysis of a Lu0Bot sample in our blog.

Execution process of Lu0Bot

In order to see how Lu0Bot operates and collect up-to-date IOCs, let’s examine one of its samples in the ANY.RUN sandbox.

Analyze malware for free in a fully interactive cloud sandbox – sign up now!

The execution chain of this malware family is relatively straightforward. After the payload executes, it uses CMD to copy and initiate the main malware process. This process is responsible for carrying out all malicious activities, including data theft, C&C server communication, and, in this case, gathering process information using WMIC.EXE.

Lu0botprocess tree shown in ANY.RUN Lu0Bot's process tree demonstrated in ANY.RUN

Distribution methods of the Lu0Bot malware

In the early days, Lu0Bot was primarily dropped by GCleaner, a specialized software for deploying second-stage payloads. Yet, today, the main method of delivery for this malware is phishing emails. Essentially, attackers employ various social engineering techniques in order to get their victims to download malicious email attachments or open unsafe links and trigger the infection chain reaction on their systems.


Despite being a known threat, the true scale of Lu0Bot's operations remains unknown. This makes it a dangerous malware capable of dealing a significant blow to any infrastructure, if not addressed proactively. Therefore, organizations must implement proper security measures to prepare for Lu0Bot attacks.

One of the most effective ways to prevent a Lu0Bot attack is to check any incoming files and links, especially those sent by unknown senders, in the ANY.RUN sandbox. It is a malware sandbox that lets you quickly understand if the file or link your are dealing with is malicious or not.

ANY.RUN is fully interactive, enabling you to engage with the infected system like you would on your own computer but in a safe cloud environment to fully understand the behavior of the malware. It also provides comprehensive reports that include IOCs and malware configs.

Try ANY.RUN for free – request a demo!.


Adwind screenshot
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy