Tag: latrodectus

20 Attack Reports | 0 Vulnerabilities

Attack reports

Interlock and Rhysida within the Ransomware Ecosystem

This analysis examines over two years of observations on the ransomware ecosystem surrounding Interlock and Rhysida threat groups. Hive0163 (Interlock) employs custom malware including NodeSnake, InterlockRAT, JunkFiction downloader, Supper, and Interlock ransomware, with identified links to TAG-12…
ransomware
socgholish
vidar
sliver
latrodectus
gootloader
clickfix
systembc
rhysida
portstarter
initial access broker
interlock
trojanized installers
nodesnake
inc
broomstick
modelorat
interlockrat
mintloader
supper
CVE-2026-20131
2026-06-12
berserk stealer
CVE-2023-36036
dave
endico
icenova
junkfiction
mallard
ntlmthief
plus keylogger
supper backdoor
tomb
tomb crypter
Published: June 12, 2026
Linked vulnerabilities : CVE-2026-20131 (CVSS 10.0), CVE-2023-36036
Downloadable IOCs: 102

ClickFix in action: how fake captcha can encrypt an entire company

The report details a malware attack on a large Polish organization involving fake CAPTCHA techniques. It describes the initial infection vector, where users were tricked into running malicious code through a Windows+R shortcut. The analysis covers two main malware families: Latrodectus (version 2.3…
ransomware
side-loading
persistence
latrodectus
clickfix
malware analysis
c2 communication
fake captcha
2026-02-19
supper
Published: February 19, 2026
Downloadable IOCs: 17

Malicious Infrastructure Finds Stability with aurologic GmbH

German hosting provider aurologic GmbH has become a central hub for high-risk hosting networks, providing upstream transit to multiple threat activity enablers. These include sanctioned entities like Aeza Group and other providers associated with cybercrime and disinformation campaigns. aurologic's…
cobalt strike
amadey
asyncrat
cybercrime
rhadamanthys stealer
vidar
phorpiex
dcrat
sliver
latrodectus
disinformation
bianlian
stealc
redline stealer
lumma
meduza stealer
infrastructure
quasarrat
systembc
remcos rat
risepro stealer
darkcomet
dark crystal rat
svcstealer
hosting
castleloader
2025-11-06
moobot
neutrality
transit
sanctions
thc hydra
upstream
tinyloader
abuse
aurologic
destiny stealer
aurotun
castlerat
Published: November 6, 2025
Downloadable IOCs: 23

Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates

The Rhysida ransomware gang, formerly known as Vice Society, is conducting an ongoing malicious ad campaign to deliver OysterLoader malware. This initial access tool establishes a foothold on devices for dropping a persistent backdoor. The campaign uses Bing search engine advertisements to direct u…
ransomware
malvertising
latrodectus
initial access
code-signing
2025-11-03
microsoft trusted signing
oysterloader
Published: November 3, 2025
Downloadable IOCs: 271

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

A user executed a malicious JavaScript file linked to Lunar Spider, initiating a two-month intrusion. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools including Cobalt Strike, BackConnect, and a custom .NET backdoor for persistence …
cobalt strike
javascript
latrodectus
data-exfiltration
lateral-movement
brute ratel c4
backconnect
credential-harvesting
cobalt-strike
2025-09-29
Published: September 29, 2025
Downloadable IOCs: 0

Think before you Click(Fix): Analyzing the ClickFix social engineering technique

The ClickFix social engineering technique has gained popularity among threat actors, targeting thousands of devices globally. It tricks users into executing malicious commands on their devices by exploiting their tendency to solve minor technical issues. The technique often impersonates legitimate …
obfuscation
screenconnect
phishing
social engineering
malvertising
infostealer
macos
darkgate
lumma stealer
latrodectus
remote access tool
mintsloader
atomic macos stealer (amos)
lampion
2025-08-21
windows run dialog
Published: August 21, 2025
Downloadable IOCs: 10

Fix the Click: Preventing the ClickFix Attack Vector

This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetS…
rat
social engineering
typosquatting
powershell
infostealer
lumma stealer
latrodectus
autoit
clickfix
netsupport rat
clipboard hijacking
2025-07-10
Published: July 10, 2025
Downloadable IOCs: 65

Danabot: Analyzing a fallen empire

ESET Research shares insights into Danabot, an infostealer recently disrupted by law enforcement. The malware, tracked since 2018, evolved from a banking trojan to a versatile tool for data theft and malware distribution. Operated as a malware-as-a-service, Danabot offered features like data steali…
infostealer
lockbit
data theft
darkgate
zloader
botnet
lumma stealer
matanbuchus
cybercrime
danabot
latrodectus
malware-as-a-service
smokeloader
banking trojan
systembc
buran
rescoms
recordbreaker
ursnif
2025-05-23
2025-05-25
nonransomware
proxy servers
crisis
c&c infrastructure
malware-as-service
Published: May 25, 2025
Downloadable IOCs: 1

Threat actors misuse Node.js to deliver malware and other malicious payloads

Since October 2024, threat actors have been leveraging Node.js to deliver malware and payloads for information theft and data exfiltration. A recent malvertising campaign uses cryptocurrency trading themes to lure users into downloading malicious installers. The attack chain includes initial access…
node.js
remcos
latrodectus
stilachirat
ahkbot
2025-04-15
raccoono365
Published: April 15, 2025
Downloadable IOCs: 0

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid de…
malware
phishing
social engineering
remcos
credential theft
latrodectus
guloader
redirection
qr codes
remote access trojans
2025-04-03
tax season
ahkbot
bruteratel c4
Published: April 3, 2025
Downloadable IOCs: 0

A Practical Guide to Uncovering Malicious Infrastructure With Hunt.io

This guide demonstrates how to use Hunt.io to investigate and track malicious infrastructure. Starting with a single suspicious IP address, the process involves analyzing hosting providers, domain information, open ports, HTTP responses, and TLS certificates. The investigation reveals connections t…
latrodectus
malicious infrastructure
osint
tls certificates
threat hunting
2025-03-25
latrodectus malware
sql queries
hunt.io
network scanning
cryptocurrency fraud
Published: March 25, 2025
Downloadable IOCs: 0

2024 Malicious Infrastructure Insights: Key Trends and Threats

The report highlights significant trends in malicious infrastructure for 2024, including the rise of malware-as-a-service infostealers, continued dominance of Cobalt Strike among offensive security tools, and increased use of legitimate services by threat actors. Key findings include LummaC2's domi…
lummac2
plugx
cobalt strike
asyncrat
cybercrime
infostealers
dcrat
latrodectus
botnets
mobile malware
malicious infrastructure
quasarrat
hook
gobrat
brute ratel c4
remote access trojans
2025-02-28
traffic distribution systems
mozi botnet
state-sponsored groups
command-and-control servers
solarmarker rat
offensive security tools
Published: February 28, 2025
Downloadable IOCs: 0

Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader

A new malware called Pronsis Loader has been discovered, with similarities to D3F@ck Loader. Both use JPHP-compiled executables, but Pronsis uses NSIS for installation instead of Inno Setup. Pronsis Loader typically delivers Lumma Stealer and Latrodectus payloads. It employs defense evasion techniq…
lumma stealer
latrodectus
d3f@ck loader
pronsis loader
2024-12-04
jphp
Published: December 4, 2024
Downloadable IOCs: 0

Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are emp…
xworm
phishing
social engineering
powershell
darkgate
lumma stealer
asyncrat
danabot
latrodectus
netsupport
cybersecurity
clickfix
threat actors
brute ratel c4
2024-11-18
malware delivery
lucky volunteer
recaptcha phish
threat landscape
Published: November 18, 2024
Downloadable IOCs: 0

LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus

LUNAR SPIDER, a Russian-speaking financially motivated threat group, has resumed operations following law enforcement disruptions. They've shifted from using IcedID to leveraging Latrodectus and Brute Ratel C4 malware, targeting financial services through SEO poisoning malvertising campaigns. The g…
ransomware
malvertising
seo poisoning
icedid
latrodectus
2024-10-31
brute ratel c4
financial sector
infrastructure sharing
Published: October 31, 2024
Downloadable IOCs: 0

New Bumblebee Loader Infection Chain Signals Possible Resurgence

A new infection chain for the Bumblebee loader malware has been discovered, potentially indicating its resurgence after Operation Endgame. The sophisticated downloader, first identified in March 2022, is used by cybercriminals to access corporate networks and deliver payloads like Cobalt Strike bea…
loader
pikabot
phishing
cobalt strike
icedid
lnk
darkgate
latrodectus
stealth
2024-10-21
msi
bumblebee
infection-chain
in-memory-execution
Published: October 21, 2024
Downloadable IOCs: 11

Inside the Latrodectus Malware Campaign

The Latrodectus malware campaign employs a combination of traditional phishing techniques and innovative payload delivery methods to target financial, automotive, and healthcare sectors. The attack chain begins with compromised emails containing malicious PDF or HTML attachments, which redirect use…
obfuscation
phishing
icedid
javascript
healthcare
latrodectus
financial
2024-10-21
msi
dll
automotive
activex
rundll32
Published: October 21, 2024
Downloadable IOCs: 20

Latrodectus Rapid Evolution Continues With Latest New Payload Features

This report discusses the latest updates to the Latrodectus malware, including a different string deobfuscation approach, a new C2 endpoint, and two new backdoor commands. It provides an in-depth analysis of the new version 1.4, focusing on the new features added or updated in this variant. The rep…
malware
icedid
analysis
payload
latrodectus
2024-08-30
evolution
Published: August 30, 2024
Downloadable IOCs: 10

Double Trouble: Latrodectus And ACR Stealer Observed Spreading Via Google Authenticator Phishing Site

The Cyble Research and Intelligence Lab (CRIL) discovered a sophisticated phishing website mimicking Google Safety Centre, designed to trick users into downloading malware. The malware, compromising security and stealing sensitive information, drops two threats: Latrodectus, which maintains persist…
malware
phishing
stealer
latrodectus
downloader
cybersecurity
acr stealer
2024-08-20
Published: August 20, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21412, CVE-2024-21893
Downloadable IOCs: 15

Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID

LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolvi…
malware
loader
icedid
cybercrime
2024-05-17
latrodectus
financially-motivated
Published: May 17, 2024
Downloadable IOCs: 7
Click here to see more Attack Reports