Malware trend: Latrodectus

any.run · ANY.RUN · 1 year ago · news
Latrodectus Malware Analysis, Overview by ANY.RUN

Latrodectus (also known as Unidentified 111, BLACKWIDOW and IceNova)
Global rank: 126 · Month rank: 131 · Week rank: 149 · IOCs: 0

Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.

Type: Loader
Origin: Unknown
First seen: 1 August, 2023
Last seen: 22 March, 2026
Contents
- What is Latrodectus malware?
- Latrodectus malware technical details
- Latrodectus execution process
- Gathering threat intelligence on Latrodectus malware
- Latrodectus malware distribution methods
- Conclusion

What is Latrodectus malware?

Latrodectus is a type of malware known as a "loader," which is designed to download and install additional malicious software onto a compromised computer. It is believed to have been developed by the same individuals or group behind the IcedID trojan, a sophisticated and widespread banking malware. Since 2023, Latrodectus has been extensively used by a variety of threat actors, including advanced persistent threat (APT) groups such as TA578 and TA577; the latter was previously observed delivering the Qbot malware, a banking trojan family. Latrodectus is typically delivered as part of multi-stage attacks, which often begin with a phishing email containing a malicious JavaScript file attachment. However, it has also been known to be dropped by other malware, including the DanaBot trojan.
One of the key features that has allowed security researchers to link Latrodectus to the IcedID authors is the use of a similar command and control (C2) infrastructure. C2 servers are used by malware to communicate with their operators, receive instructions, and exfiltrate data.

Latrodectus malware technical details

The primary functionality of Latrodectus is to receive commands from the attackers and perform them. Some of the key capabilities of Latrodectus include:
- Getting a list of filenames of files located on the desktop of the infected machine.
- Listing all the processes currently running on the device.
- Gathering and transmitting additional system information about the endpoint, such as the OS version and hardware specs.
- Launching executable files to install malware or to perform other malicious actions.
- Detonating dynamic link library (DLL) files.
- Using the Windows command prompt to execute commands.

A typical Latrodectus infection chain begins with a JavaScript file that is responsible for downloading a malicious .msi file, which then leads to the deployment of the final payload on the system.

The malware implements obfuscation techniques, such as encrypting strings, to make it more difficult for researchers to analyze. It communicates with its command and control (C2) server via HTTPS, with both requests and responses encrypted using RC4 and base64 encoding.

Furthermore, Latrodectus has a built-in sandbox detection mechanism that works by enumerating the number of active processes on the device and checking for the presence of a MAC address. The malware can establish a scheduled task for persistence, ensuring that it remains active on the infected machine even after a reboot. It also verifies if the computer is already infected with Latrodectus and exits execution if the result is positive.
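The C2 encoding layer described above (RC4 plus base64 over HTTPS) is what an analyst has to peel back when decoding captured traffic for a sample. The following is an added example, not code from ANY.RUN or from the malware: it assumes RC4 is applied first and base64 second, uses a placeholder key (the real key has to be recovered from the specific sample) and a constructed beacon body of the kind the page says the loader sends.

```python
import base64
from typing import Optional

# Placeholder key: the page does not disclose the actual RC4 key; a real key
# comes from reverse-engineering the specific sample being analysed.
SAMPLE_KEY = b"placeholder-rc4-key"

# Constructed beacon plaintext of the kind the page describes (OS version,
# running processes, desktop file names); not a real Latrodectus message.
SAMPLE_PLAINTEXT = b"os=Windows 10 Pro 19045&procs=47&desktop=report.docx;notes.txt"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by the keystream generator (PRGA).
    RC4 is symmetric, so the same function both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA, keystream XORed into data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_c2_body(key: bytes, plaintext: bytes) -> str:
    """Build a request body the way the page describes: RC4, then base64.
    The RC4-then-base64 order is an assumption; the page names both but not the order."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_c2_body(key: bytes, body: str) -> Optional[bytes]:
    """Recover the plaintext from a captured body. Returns None instead of
    raising when the body is not valid base64 (e.g. a truncated capture)."""
    try:
        raw = base64.b64decode(body.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return rc4(key, raw)


SAMPLE_BODY = encode_c2_body(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("captured body:", SAMPLE_BODY)
    print("decoded      :", decode_c2_body(SAMPLE_KEY, SAMPLE_BODY))
```

Because RC4 is symmetric, the same routine decodes both the request the sample sends and the response the server returns, once the key for that sample is known.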
Latrodectus execution process

Let’s detonate a sample of the Latrodectus malware in the ANY.RUN sandbox to observe its execution chain. The infiltration process of the Latrodectus malware involves a sequence of steps that ultimately lead to its successful operation on a target system. Upon launching a JavaScript file, it automatically retrieves an installer MSI. This MSI file implants a Latrodectus Dynamic Link Library (DLL) onto the system, allowing the malware to maintain persistence even after the system is rebooted.

[Figure: Latrodectus process graph in ANY.RUN]

Once implanted, the Latrodectus malware establishes communication with its command-and-control (C2) server, providing remote access to the infected device for malicious actors.

Gathering threat intelligence on Latrodectus malware

To collect up-to-date intelligence on Latrodectus, use Threat Intelligence Lookup. This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like Latrodectus.

[Figure: Search results for Latrodectus in Threat Intelligence Lookup]

For example, you can search directly for the threat name or use related indicators like hash values or network connections. Submitting a query such as threatName:"latrodectus" AND domainName:"" will generate a list of other data extracted from Latrodectus samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Latrodectus malware distribution methods

Phishing emails are the most common attack vector used by threat actors to distribute Latrodectus malware.
These emails are typically designed to appear as if they have been sent from a legitimate organization or individual, to trick the recipient into opening an attached file or clicking on a malicious link. In one particular campaign, the threat actor group TA578 was observed spreading Latrodectus as part of a scheme that involved accusing target companies of copyright infringement. The phishing emails in this campaign were designed to look like they were sent from a legitimate organization. In another instance, a fake Azure page was used to initiate the infection chain.

Conclusion

Latrodectus is a noteworthy loader that presents a challenge due to its widespread use by professional cyber criminal groups. Its capacity to deploy payloads, along with its advanced obfuscation and evasion methods, as well as continuous development, contribute to its potential to become an even more serious threat.

ANY.RUN is a cloud-based service that can be used to safely analyze suspicious files and URLs, including Latrodectus malware. It allows you to observe malware behavior and collect indicators of compromise in a secure environment. Using ANY.RUN can help you understand Latrodectus's tactics and improve your defenses against it.