Loki
Packaging Agent Files into ASAR Archive
By default, running obfuscateAgent.js produces multiple JavaScript files. We can bundle these into a single ASAR archive with the @electron/asar node package.
kali@JesusCries:~/Desktop/Loki/app » tree
.
├── agent.js
├── assembly.html
├── assembly.js
├── assembly.node
├── browser.html
├── browser.js
├── common.js
├── config.js
├── crypt.js
├── handler.js
├── keytar.node
├── main.js
└── package.json
1 directory, 13 files
Install the ASAR extension with:
$ npm install --engine-strict @electron/asar
Obfuscate agent files & bundle the contents into an ASAR archive:
Replace app.asar in the application's installation directory:
(Screenshot: Agent callback!)
Impersonating Metadata of Target Electron Application
According to Loki's documentation, every Electron app creates a directory under ~/AppData/Roaming named after whatever we put in the package.json file:

For better opsec, we can unpack the original ASAR archive to retrieve the application's metadata and attempt to replicate it:

Finally, copy over the metadata so it fits into the application's description.

Using Loki as a Stage0 C2
As of September 2025, Loki C2 is still considered a very reliable Stage 0 C2 because of its polymorphic mutation, which yields a different PE file hash every time the obfuscation script is run.
My favourite way of setting up an Assumed Breach scenario is to use Loki as a Stage 0 C2 that delivers a Stage 1 C2 payload as shellcode via its scexec module, then switch completely to the more mature Stage 1 C2, for reasons such as Loki's lack of SOCKS proxy support. This eliminates the need to write a dropper from scratch to deliver the Stage 1 payload.
