Loki by boku7

C2 framework for script-jacking vulnerable Electron apps

Created 5 months ago
1,196 stars

Top 32.7% on SourcePulse

Project Summary

Loki is a Node.js-based command and control (C2) framework designed for red team operations, specifically targeting vulnerable Electron applications. It enables script-jacking to backdoor or hollow out signed Electron apps without invalidating their code-signing signatures, offering an evasion technique against security software and application controls.

How It Works

Loki leverages script-jacking by modifying JavaScript files within Electron applications at runtime to inject arbitrary Node.js code. This approach allows for persistent backdooring and execution within the context of a trusted, signed application. The framework operates without a traditional teamserver, with both the GUI client and agents communicating directly with a data store, such as Azure Storage Blob, protected by SAS tokens.

Quick Start & Requirements

  • Installation: Clone the repository, install Node.js, and run npm install --save-dev javascript-obfuscator.
  • Prerequisites: Node.js, Azure Storage Blob account and SAS token.
  • Setup: Requires creating an Azure Storage Blob account and generating a SAS token. The obfuscateAgent.js script is used to create the payload.
  • Resources: Blog Post, Video by John Hammond, Video by Simon Exley & Clinton Elves

Highlighted Details

  • Utilizes Azure Storage Blob as a C2 channel with AES encrypted messages and proxy-aware agents.
  • Supports teamserver-less architecture and hidden execution via Chromium renderer child processes.
  • Commands are written in native Node.js, with exceptions for scexec and assembly requiring keytar.node and assembly.node.
  • Includes a method to keep the original Electron application running alongside the Loki agent, demonstrated with Cursor.

Maintenance & Community

  • Maintainers: Bobby Cooke (Creator), Dylan Tran (Creator).
  • Contributors: Ellis Springe, Shawn Jones, Simon Exley, Clinton Elves, John Hammond.
  • Community: Links to Discord/Slack are not explicitly provided in the README.

Licensing & Compatibility

  • License: Business Source License 1.1 (BSL 1.1). Non-commercial use is permitted. Commercial use requires explicit author permission. Converts to Apache 2.0 on April 3, 2030.
  • Compatibility: Designed for red team operations; commercial use is restricted without permission.

Limitations & Caveats

The effectiveness of backdooring relies on identifying vulnerable Electron applications, as newer versions may implement integrity checks. The README notes that older versions are more likely to be vulnerable. Some applications like 1Password, Signal, Slack, and Notion are listed as not vulnerable.

Health Check

  • Last Commit: 3 months ago
  • Responsiveness: 1 day
  • Pull Requests (30d): 2
  • Issues (30d): 0
  • Star History: 29 stars in the last 30 days
