An expert found evidence that LokiBot malware samples were hijacked by a third actor. LokiBot is an infostealer that was involved in many malspam campaigns aimed at harvest credentials from web browsers, email clients, admin tools and that was also used to target cryptocoin-wallet owners. An expert reversed many pieces of malware and found five references to the C&C server, four of them are encrypted using Triple DES algorithm and one using a simple XOR cipher.”]
Source: https://securityaffairs.co/wordpress/74275/cyber-crime/lokibot-malware-hijacked.html