From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

Sept. 30, 2025, 8:46 a.m.

Description

A user executed a malicious JavaScript file linked to Lunar Spider, initiating an intrusion that lasted nearly two months. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools, including Cobalt Strike, BackConnect, and a custom .NET backdoor, for persistence and lateral movement. They harvested credentials from multiple sources and exfiltrated data using Rclone. Over the course of the intrusion, activity consisted of intermittent C2 connections, discovery, lateral movement, and data theft. Despite comprehensive access to critical infrastructure, no ransomware deployment was observed.

Date

  • Created: Sept. 29, 2025, 4:37 p.m.
  • Published: Sept. 29, 2025, 4:37 p.m.
  • Modified: Sept. 30, 2025, 8:46 a.m.

Attack Patterns