Lobshot

Malware Profile Updated 3 months ago
Lobshot is a stealthy remote access malware, reported as a hidden-VNC (hVNC) backdoor that also operates as a banking trojan and information stealer, and it has been used by cybercriminals, notably Russian threat actors, in a range of malicious campaigns. It is distributed primarily through malvertising, including Google Ads that lure users, corporate workers among them, to trojanised downloads that pass as legitimate software. It has also appeared alongside other well-known malware families, including the DarkGate RAT, Ducktail, and Redline Stealer, in deceptive campaigns in which it was embedded in fake Windows 11 upgrade installers.

The overlap in tooling and tradecraft across these campaigns suggests that a single actor or group may be behind several of them. For instance, Lobshot was deployed together with DarkGate, Ducktail, and Redline Stealer by a Vietnam-based cybercrime group that targeted English-language Facebook business accounts in a campaign against digital marketing firms in the U.S., UK, and India. That group combined this malware with Malware-as-a-Service (MaaS) toolkits to infect victims with Remote Access Trojans (RATs) and additional info-stealing malware.

Beyond its use in broad campaigns, Lobshot's stealth and remote access capabilities make it a significant threat to individual users and businesses alike. Its association with Ducktail, which is used to hijack Facebook business accounts, and Redline, which collects information about infected devices, underscores the multi-stage nature of these coordinated cybercrime operations. Heightened vigilance and robust cybersecurity measures, in particular verifying the publisher and integrity of any installer reached through a search advertisement before running it, are therefore necessary to mitigate the risk posed by Lobshot and similar malware.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
Trojan
Infostealer
Malvertising
Cybercrime
MaaS
Facebook
Backdoor
Chrome
Ransomware
Fraud
GitHub
Google
Loader
Encryption
Firefox
Associated Malware
ID | Type | Votes | Profile Description
Darkgate | Unspecified | 3 | DarkGate is a malicious software (malware) that poses significant threats to computer systems and data. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hos
Redline Stealer | Unspecified | 3 | RedLine Stealer is a type of malware that has been causing significant disruption in the digital landscape. This malicious software infiltrates computer systems, often without the user's knowledge, via suspicious downloads, emails, or websites, and then proceeds to steal personal information, disrup
Redline | Unspecified | 2 | RedLine is a malware designed to exploit and damage computer systems by stealing personal information, disrupting operations, or even holding data hostage for ransom. It has been identified as a favorite infostealer among threat actors selling logs through the marketplace 2easy, which also sells Rac
Ducktail | Unspecified | 2 | "Ducktail" is a malicious software (malware) first observed in 2022, specifically designed to target Facebook business accounts. The malware was discovered by Zscaler, a leading cybersecurity firm, and it's suspected to originate from threat actors based in Vietnam. Ducktail not only infiltrates sys
Clop | Unspecified | 1 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
Dridex | Unspecified | 1 | Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Get2 | Unspecified | 1 | Get2 is a type of malware, harmful software designed to infiltrate and damage computer systems or devices. It can be unknowingly downloaded through suspicious emails, downloads, or websites, enabling it to steal personal information, disrupt operations, or hold data hostage for ransom. Among the mos
Associated Threat Actors
ID | Type | Votes | Profile Description
TA505 | Unspecified | 3 | TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
Graceful Spider | Unspecified | 1 | Graceful Spider, also known as TA505, is a threat actor recognized for its malicious cyber activities. This entity has been identified by the cybersecurity industry as the driving force behind various targeted campaigns with harmful intent. The group could be a single individual, a private organizat
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Lobshot malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 9 months ago | Vietnamese hackers attack UK, US and India with DarkGate malware
DARKReading | 9 months ago | Ducktail Infostealer, DarkGate RAT Linked to Same Threat Actors
BankInfoSecurity | 9 months ago | Vietnamese Hackers Hit Digital Marketers With Info Stealers
CERT-EU | 9 months ago | Hackers target US Facebook biz accounts with potent malware cocktail
CERT-EU | 9 months ago | Vietnamese Hackers Hit Digital Marketers With Info Stealers
BankInfoSecurity | 9 months ago | Vietnamese Hackers Hit Digital Marketers With Infostealers
CERT-EU | 9 months ago | DarkGate attacks linked to Vietnam-based cyber criminals – Global Security Mag Online
CERT-EU | 9 months ago | Researchers uncover DarkGate malware's Vietnamese connection - Help Net Security
InfoSecurity-magazine | 9 months ago | DarkGate Malware Campaigns Linked to Vietnam-Based Cybercriminals
CERT-EU | a year ago | Stealthy ‘LabRat’ Campaign Abuses TryCloudflare to Hide Infrastructure
CERT-EU | a year ago | New hVNC macOS Malware Advertised on Hacker Forum
CERT-EU | a year ago | New LOBSHOT Malware Deployed Via Google Ads
Securityaffairs | a year ago | New Lobshot hVNC malware spreads via Google ads
CERT-EU | a year ago | New Lobshot hVNC malware spreads via Google ads | IT Security News
CERT-EU | a year ago | Russian cybercriminals spread new Lobshot banking trojan via Google ads
DARKReading | a year ago | Google Ads Abused to Lure Corporate Workers to LOBSHOT Backdoor
CERT-EU | a year ago | LOBSHOT: a Covert, Info-Stealing Malware on the Loose
CERT-EU | a year ago | New Malware Granting Threat Actors Hidden VNC Access
CERT-EU | a year ago | Fleckpe malware infects 620,000 Android handsets via Google Play