Blog | G5 Cyber Security

A Deep Dive into Lokibot Infection Chain

This blog provides a detailed overview of how complex the Lokibot infection chain is and which tricks the adversaries use to bypass common security features and tools of modern operating systems. The attack starts with a malicious XLS attachment, sent in a phishing email, containing an obfuscated macro that downloads a heavily packed second-stage downloader. The second stage fetches the encrypted third stage, which includes three layered encrypted Lokibots. After a privilege escalation, the third stage deploys Lokibot on the victim machine.

Source: https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html
