Get a Loda This: LodaRAT meets new friends

[correlate]

Since our first blog post in February of 2020 on the remote access tool (RAT) known as LodaRAT (or Loda), Cisco Talos has monitored its activity and covered our findings in subsequent blog posts, listed below:

LodaRAT Update: Alive and Well
Kasablanka Group's LodaRAT improves espionage capabilities on Android and Windows
As a continuation of this series, this blog post details new variants and new behavior we have observed while monitoring LodaRAT over the course of 2022. In this post, we will take an in-depth look at some of the changes in these variants. As detailed below, some changes are rather small; however, some variants have made significant alterations, including both the removal of code and the implementation of additional functionality.
In addition to these findings, we have discovered that Loda appears to have garnered attention from various threat actors. In a handful of the instances we identified, Loda was deployed alongside, or dropped by, other malware. These include RedLine, Neshta and a previously undocumented VenomRAT variant named S500.
Changes in Loda and his varian
 
