Latrodectus Malware Loader is Identified as the Successor to IcedID in Email Phishing Campaigns

Latrodectus Malware Loader

Latrodectus Malware Loader is Identified as the Successor to IcedID in Email Phishing Campaigns

Beginning in early March 2024, cybersecurity researchers have identified an increase in email phishing campaigns that distribute Latrodectus, an emerging malware launcher that is considered to be the successor to the IcedID malware.

Elastic Security Labs researchers Daniel Stepanic and Samir Bousseaden stated, “These campaigns usually include a recognizable infection chain involving oversized JavaScript files that utilize WMI’s capability to run msiexec.exe and install a remotely-hosted MSI file, remotely hosted on a WebDAV share.”

Latrodectus possesses the customary functionalities anticipated of malicious software engineered to distribute supplementary payloads, including QakBot, DarkGate, and PikaBot. These capabilities enable malicious actors to execute a multitude of post-exploitation endeavors.

An examination of the most recent Latrodectus artifacts has unveiled a substantial emphasis on enumeration and execution, in addition to the integration of a self-delete mechanism for removing active files.

In addition to disguising itself as libraries linked to authentic software, the malware employs source code obfuscation and conducts anti-analysis checks to impede its execution in a sandbox or debugging environment.

In addition to establishing contact with a command-and-control (C2) server via HTTPS to receive commands that enable it to gather system information, update, restart, and terminate itself, as well as execute shellcode, DLL, and executable files, Latrodectus configures persistence on Windows hosts via a scheduled task.

Since its emergence in late December, the malware has acquired two additional capabilities: enumerating files in the desktop directory and retrieving the complete ancestry of ongoing processes from the infected device.

Additionally, it provides support for a command (ID 18) to obtain and execute IcedID from the C2 server. However, Elastic has not observed this behavior in practice.

“There certainly is a type of development link or collaboration between IcedID and Latrodectus,” the investigators stated.

“One hypothesis being considered is that LATRODECTUS is being actively developed as a replacement for IcedID, and the handler (#18) was included until malware authors were satisfied with Latrodectus’ capabilities.”

The revelation coincides with Forcepoint’s analysis of a phishing campaign that distributes the DarkGate malware via email solicitations resembling invoices.

Phishing emails masquerading as QuickBooks invoices initiate the attack chain by instructing recipients to install Java by selecting an embedded link that directs them to a malicious Java archive (JAR). By utilizing an AutoIT script, the JAR file facilitates the execution of a PowerShell script that is tasked with downloading and launching DarkGate.


Social engineering campaigns have additionally utilized an updated iteration of the Tycoon phishing-as-a-service (PhaaS) platform in order to obtain session data from Gmail and Microsoft 365, as well as circumvent multi-factor authentication (MFA) safeguards.

“This new version boasts enhanced detection evasion capabilities that make it even harder for security systems to identify and block the kit,” Proofpoint reported. “Significant alterations to the kit’s JavaScript and HTML code have been implemented to increase its stealthiness and effectiveness.”

These encompass obfuscation methods employed to complicate the comprehension of the source code and dynamic code generation utilized to modify the code during each execution, thereby eluding detection systems that rely on signatures.

Additional social engineering campaigns identified in March 2024 exploited Google ads masquerading as Rufus and Calendly to spread D3F@ck Loader, a malware loader that first surfaced in cybercrime forums in January 2024. These campaigns ultimately distributed Raccoon Stealer and DanaBot.

Late last month, the cybersecurity firm eSentire stated, “The case of D3F@ck Loader demonstrates how malware-as-a-service (MaaS) continues to evolve by utilizing [Extended Validation] certificates to circumvent trusted security measures.”

In addition, the revelation coincides with the appearance of novel stealer malware families, including Fletchen Stealer, WaveStealer, zEus Stealer, and Ziraat Stealer. Furthermore, it has been observed that the Remcos remote access trojan (RAT) is enhancing its functionalities through the utilization of a PrivateLoader module.

The SonicWall Capture Labs threat research team stated, “[Remcos] malware can completely infiltrate a system without being detected by installing VB scripts, modifying the registry, and configuring services to restart the malware at constant or controlled intervals.”

one year cyber security diploma course

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM.  Naager entered the field of content in an unusual way.  He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts.  He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field.  In the bottom line, he frequently writes for Craw Security.


Phishing Your Multi-Factor Authentication Codes is a Simple Task for Fraudsters. Here is How To Prevent It

The Vizag Cyber Police Captures Illicit Recruiters Providing Cyber Slaves to Cambodia

About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Can we help you?