Dark Web Informer - Cyber Threat Intelligence

IOC Alert: LokiBot/ViriBack Command-and-Control Infrastructure

📖 Overview
A domain-based indicator linked to LokiBot credential-stealing malware and ViriBack C2 operations has been identified. The site presents a simple login portal with CAPTCHA validation, suggesting its use as a botnet control panel. Confidence is assessed at 50%, indicating a possible but not yet fully confirmed association.


📌 Key Details

Type: Domain
Indicator: electrico[.]co[.]zw
Threat Type: Botnet C2
Malware: win.lokipws
Confidence: 50%
Date: 04 Sep 2025 – 18:36:02 UTC
Tags: LokiBot, ViriBack
Reporter: abuse_ch

🔎 URLScan Result
Page Title: Auth
Screenshot: https://urlscan.io/screenshots/01991601-311c-70d8-8967-9174e52d9e98.png
Result: https://urlscan.io/result/01991601-311c-70d8-8967-9174e52d9e98/


📡 Related Intelligence
WHOIS Record: https://who.is/whois/electrico.co.zw
VirusTotal Report: https://www.virustotal.com/gui/domain/electrico.co.zw
Reference: https://tracker.viriback.com/index.php?q=electrico.co.zw


🛡️ Defensive Guidance

  • Block electrico[.]co[.]zw at DNS, proxy, and endpoint layers.
  • Monitor for LokiBot credential harvesting activity.
  • Hunt for ViriBack artifacts across infected endpoints.
  • Review proxy/firewall logs for traffic to the suspected C2 panel.

⚠️ Confidence is moderate (50%), meaning this IOC should be treated with caution until corroborated by additional telemetry.
