📖 Overview
A domain-based indicator has been identified linked to LokiBot credential-stealing malware and ViriBack C2 operations. The site presents a simple login portal with CAPTCHA validation, suggesting its use as a botnet control panel. Confidence is assessed at 50%, indicating a possible but not yet fully confirmed association.
📌 Key Details
| Field | Information |
|---|---|
| Type | Domain |
| Indicator | electrico[.]co[.]zw |
| Threat Type | Botnet C2 |
| Malware | win.lokipws |
| Confidence | 50% |
| Date | 04 Sep 2025 – 18:36:02 UTC |
| Tags | LokiBot, ViriBack |
| Reporter | abuse_ch |
🔎 URLScan Result
Page Title: Auth
Screenshot: https://urlscan.io/screenshots/01991601-311c-70d8-8967-9174e52d9e98.png
Result: https://urlscan.io/result/01991601-311c-70d8-8967-9174e52d9e98/
📡 Related Intelligence
WHOIS Record: https://who.is/whois/electrico.co.zw
VirusTotal Report: https://www.virustotal.com/gui/domain/electrico.co.zw
Reference: https://tracker.viriback.com/index.php?q=electrico.co.zw
🛡️ Defensive Guidance
- Block
electrico[.]co[.]zwat DNS, proxy, and endpoint layers. - Monitor for LokiBot credential harvesting activity.
- Hunt for ViriBack artifacts across infected endpoints.
- Review proxy/firewall logs for traffic to the suspected C2 panel.
⚠️ Confidence is moderate (50%), meaning this IOC should be treated with caution until corroborated by additional telemetry.
