Install the ASAR packaging tool with:
$ npm install --engine-strict @electron/asar
Obfuscate the agent files and bundle the contents into an ASAR archive:
Replace app.asar in the application's installation directory:
Agent callback!
Impersonating Metadata of Target Electron Application
According to Loki's documentation, every Electron app creates a directory under ~/AppData/Roaming named after whatever we put in the package.json file:
For better opsec, we can unpack the original ASAR archive to retrieve the application's metadata and attempt to replicate it:
Finally, copy over the metadata so it fits into the application's description.
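The steps above swap app.asar and copy the genuine metadata into the replacement, so from a defender's side the useful check is to compare a deployed app.asar against a known-good baseline: the archive hash, plus the name and main entry point in the embedded package.json. The following is an added example (not code from the original post or from Loki); the `build_asar` helper and the `example-app` baseline are constructed here only to produce sample input, and the archive layout follows the public ASAR format.

```python
import hashlib
import json
import struct

def parse_asar_header(data: bytes) -> tuple:
    """Return (header dict, body offset). Layout: u32 4 | u32 header_pickle_len |
    u32 payload_len | u32 json_len | JSON (padded to 4) | file contents."""
    if len(data) < 16 or struct.unpack_from("<I", data, 0)[0] != 4:
        raise ValueError("not an ASAR archive")
    hdr_len, _payload_len, json_len = struct.unpack_from("<III", data, 4)
    return json.loads(data[16:16 + json_len]), 8 + hdr_len

def read_asar_file(data: bytes, path: str) -> bytes:
    """Extract one file by '/'-separated path from the archive body."""
    header, base = parse_asar_header(data)
    node = {"files": header["files"]}
    for part in path.split("/"):
        node = node["files"][part]
    if node.get("unpacked"):  # stored beside the archive in app.asar.unpacked
        raise ValueError(f"{path} is not stored inside the archive")
    start = base + int(node["offset"])
    return data[start:start + node["size"]]

def audit_asar(data: bytes, expected_sha256: str, expected_pkg: dict) -> list:
    """Return findings; an empty list means the archive matches the baseline."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256:
        findings.append(f"sha256 mismatch: {digest}")
    pkg = json.loads(read_asar_file(data, "package.json"))
    for key in ("name", "main"):  # identity shown to the user, entry point loaded
        if pkg.get(key) != expected_pkg.get(key):
            findings.append(f"package.json {key}: {pkg.get(key)!r} != {expected_pkg.get(key)!r}")
    return findings

def build_asar(files: dict) -> bytes:
    """Pack a flat file set into a minimal ASAR (used only to construct samples)."""
    entries, blobs, offset = {}, [], 0
    for name, content in files.items():
        entries[name] = {"size": len(content), "offset": str(offset)}
        blobs.append(content)
        offset += len(content)
    js = json.dumps({"files": entries}).encode()
    padded = js + b"\0" * (-len(js) % 4)
    header_pickle = struct.pack("<II", 4 + len(padded), len(js)) + padded
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + b"".join(blobs)

# Constructed baseline standing in for the vendor's genuine app.asar.
GOOD_PKG = {"name": "example-app", "version": "1.0.0", "main": "main.js"}
GOOD_ASAR = build_asar({"package.json": json.dumps(GOOD_PKG).encode(), "main.js": b"require('electron');"})
GOOD_SHA256 = hashlib.sha256(GOOD_ASAR).hexdigest()
```

Against a real installation, pass the bytes of the deployed app.asar together with the hash and package.json fields recorded from a clean install of the same version; a hash mismatch with identical metadata is exactly the pattern the impersonation step above produces.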
Using Loki as a Stage0 C2
As of September 2025, Loki C2 is still considered a very reliable Stage0 C2 due to its polymorphic mutation that outputs a different PE file hash every time you run the obfuscation script.
My favourite way of setting up an Assumed Breach scenario is to use Loki as a Stage0 C2 that delivers a Stage1 C2 payload as shellcode via its scexec module, then switch completely to the more mature Stage1 C2, for reasons such as Loki's lack of SOCKS proxy support. This eliminates the need to write a dropper from scratch to deliver the Stage1 payload.