Loki

Packaging Agent Files into ASAR Archive

By default, running obfuscateAgent.js produces multiple JavaScript files. These can be bundled into a single ASAR archive with the @electron/asar npm package.

kali@JesusCries: ~/Desktop/Loki/app
» tree
.
├── agent.js
├── assembly.html
├── assembly.js
├── assembly.node
├── browser.html
├── browser.js
├── common.js
├── config.js
├── crypt.js
├── handler.js
├── keytar.node
├── main.js
└── package.json

1 directory, 13 files
  1. Install the @electron/asar package with: $ npm install --engine-strict @electron/asar

  2. Obfuscate agent files & bundle the contents into an ASAR archive:

  3. Replace app.asar in the application's installation directory:

  4. Agent callback!

Impersonating Metadata of Target Electron Application

According to Loki's documentation, every Electron app creates a directory under ~/AppData/Roaming named after the app name set in its package.json file:

For better opsec, we can unpack the original ASAR archive to retrieve the application's metadata and attempt to replicate it:

Finally, copy the recovered metadata into the agent's package.json so it matches the original application's description.

Using Loki as a Stage0 C2

As of September 2025, Loki C2 is still considered a very reliable Stage 0 C2 because of its polymorphic mutation: every run of the obfuscation script produces a PE file with a different hash.

My favourite way of setting up an Assumed Breach scenario is to use Loki as a Stage 0 C2 that delivers a Stage 1 C2 payload as shellcode via its scexec module, then switch completely to the more mature Stage 1 C2, for reasons such as Loki's lack of SOCKS proxy support. This removes the need to write a dropper from scratch to deliver the Stage 1 payload.
