{
	"id": "cd1b6801-c7fd-44bf-b5ef-9a358e7650dc",
	"created_at": "2026-04-06T01:31:02.385365Z",
	"updated_at": "2026-04-10T03:31:17.302962Z",
	"deleted_at": null,
	"sha1_hash": "029f868cd5d1ef2addf62de10de68d97b86c899c",
	"title": "Latrodectus Affiliate Resumes Operations Using Brute Ratel C4 Post Operation Endgame",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 642347,
	"plain_text": "Latrodectus Affiliate Resumes Operations Using Brute Ratel C4\r\nPost Operation Endgame\r\nBy Binary Analysis\r\nPublished: 2024-06-24 · Archived: 2026-04-06 00:54:26 UTC\r\nExecutive Summary\r\nRevEng.AI observed a Latrodectus (a.k.a. Unidentified 111, Lotus, BLACKWIDOW, IceNova) delivery chain whose malicious JavaScript (JS) stager was uploaded to a third-party public malware scanning service on 23 June 2024. From early January 2024 to the present, RevEng.AI has observed versions 1.1 to 1.3 in operational use by the adversary (earlier versions exist, as documented in industry reporting [1]).\r\nLatrodectus is a loader typically delivered by phishing emails containing a shortened link to a likely compromised, captcha-gated WordPress website masquerading as a legitimate service such as Cloudflare. The captcha gate is likely intended to defeat automated payload retrieval by crawlers and sandboxes. The user is prompted to download and execute an MSI (Microsoft Windows Installer); in some cases the delivery chain also includes a PDF to socially engineer the user. The malware borrows heavily from the open-source BlackLotus code base [2], which contains a ready-to-use bot and command-and-control (C2) component.\r\nLatrodectus was one of the many malware families targeted by Operation Endgame, an international law enforcement action against malware loader infrastructure [5]. Since the operation, Latrodectus has quickly rebuilt its infrastructure and returned to its standard mode of operation.\r\nThis blog post covers the most recent distribution chain, notably the use of Brute Ratel, and the anti-analysis methods employed by the malware.\r\nLatrodectus Delivery Chain\r\n1. 
JavaScript - Download \u0026 Execute MSI\r\nThe JavaScript-based stager (SHA-256: 3ac8decd825d1ed7a86ed86d7789b44c0f0c467d4f482ab0863df1b7b1e3e8cc), named Form_Ver-11-58-52.js, is configured for this campaign with an msiPath of http[:]//85.208.108[.]63/BST.msi. The JS file is consistent with previous campaigns used to download and execute Latrodectus MSIs: it calls the Windows Installer COM object's Installer.InstallProduct method [3], which natively handles the download and execution of local and remote MSIs (HTTP, UNC path, etc.), so the script needs no download or file-write logic of its own.\r\n2. MSI Package\r\nThe MSI spawns a child process to decompress the contents of a bundled CAB archive (SHA-256: c89d15789fd9e0b23e62bbf038d2ddbcea5618573517f3382790b4b0434933df), named disk1.cab, into %APPDATA%.\r\nhttps://blog.reveng.ai/latrodectus-distribution-via-brc4/\r\nPage 1 of 8\r\nThe CAB file contains the malicious DLL aclui.dll (SHA-256: c5dc5fd676ab5b877bc86f88485c29d9f74933f8e98a33bddc29f0f3acc5a5b9), a packed Brute Ratel C4 (BRC4) badger implant; the filename is that of a legitimate Windows system DLL. The MSI installer then executes the DLL's edit export via rundll32.exe, i.e.:\r\nrundll32.exe C:\\Users\\Ivan\\AppData\\aclui.dll,edit\r\nAlthough Brute Ratel is a legitimate red-teaming tool, it has previously been used by threat actors [4].\r\n3. BRC4 Badger\r\nAfter BRC4 unpacks itself (SHA-256 of the unpacked stager: 0d3fd08d237f2f22574edf6baf572fa3b15281170f4d14f98433ddeda9f1c5b2) and self-injects, it enters a long sleep, likely to outlast the execution window of automated sandbox solutions. The C2 configuration of the BRC4 badger is shown in Table 1.\r\nKey   Value                  Channel\r\nC2    barsen[.]monster:7444  HTTPS\r\n      kurvabbr[.]pw:7444     HTTPS\r\nTable 1 - Badger Configuration\r\nAt the time of writing, both configured hosts resolve to 94.232.249[.]86.\r\n4. Latrodectus 1.3 via BRC4\r\nOnce a victim checks in, the BRC4 badger is used to execute a Latrodectus payload. 
The Latrodectus core bot component (SHA-256: dbd85d5dd501bb7fad3990f0801d32da438a5bc60bd7cf6999d5bc535291146c) is injected into explorer.exe, a common injection target. The full configuration of this Latrodectus sample is available in the Latrodectus Configuration section below.\r\nThe stealer module (SHA-256: 44ccc3fbd3e15e8bdb063616d9baa37b1f9ab9121759fd467c943b7611860f72) is also downloaded and injected into the same explorer.exe process. It targets Microsoft Edge, Microsoft Internet Explorer, Microsoft Outlook, Firefox, Google Chrome, 360 Browser, Yandex Browser, and more.\r\nRevEng.AI's binary code similarity engine quickly recovered SQLite debug symbols within the stealer module (Chromium- and Firefox-based browsers keep cookies and saved logins in SQLite databases), aiding the reverse-engineering process:\r\nFigure 1 - SQLite Symbol Recovery\r\nAnti-Analysis Techniques\r\nLatrodectus leverages several anti-analysis methods to hinder reverse engineering and detection by security solutions.\r\nString Obfuscation\r\nThe malware makes heavy use of string obfuscation to hide artifacts from analysts. Latrodectus 1.1 used a pseudorandom number generator (PRNG) with a hardcoded seed to derive the XOR key for deobfuscation. Obfuscated strings in Latrodectus 1.2 and 1.3 are stored in a simpler structure and deobfuscated on demand, using the binary format shown in Figure 2.\r\nstruct latrodectus_string {\r\n    _DWORD dwKey;   /* XOR key, incremented once per byte */\r\n    _WORD  wSeed;   /* XORed with dwKey to recover the length */\r\n    _UCHAR uBuf[];  /* obfuscated bytes */\r\n};\r\nFigure 2 - Obfuscated string binary format\r\nThe obfuscation algorithm is simple, combining XOR and ADD operations. A Python reimplementation of the deobfuscation routine is shown below in Figure 3. 
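The Figure 2 layout is easiest to verify by implementing both directions and then sweeping a buffer with it. The following Python is an added example, not code from the RevEng.AI post: it encodes and decodes latrodectus_string structures and scans a constructed sample image for every decodable string. It assumes the ADD 10 is applied before the XOR with the incrementing key (the order of the two steps in Figure 3), that dwKey is a little-endian 32-bit counter that wraps, and that decoded strings are UTF-8; the post states none of these explicitly, and the sample blob is constructed here rather than taken from a real sample.

```python
"""Added example (not the post's code): round-trip implementation of the
latrodectus_string format plus a scanner that sweeps a dump for strings.

Assumptions the post does not state: ADD 10 before XOR with the key,
dwKey as a wrapping little-endian 32-bit counter, UTF-8 plaintext.
The sample image built by build_sample() is constructed for this example."""
import struct

HDR = struct.Struct("<IH")   # dwKey (DWORD), wSeed (WORD); uBuf[] follows
SIZE_MASK = 0xFFF            # the length field is 12 bits wide


def latro_decode(blob: bytes, offset: int = 0) -> str:
    """Decode the latrodectus_string structure that starts at `offset`."""
    key, seed = HDR.unpack_from(blob, offset)
    size = (seed ^ key) & SIZE_MASK
    start = offset + HDR.size
    enc = blob[start:start + size]
    if len(enc) != size:
        raise ValueError("truncated latrodectus_string")
    out = bytearray(size)
    for i, c in enumerate(enc):
        key = (key + 1) & 0xFFFFFFFF            # key advances once per byte
        out[i] = ((c + 10) & 0xFF) ^ (key & 0xFF)
    return out.decode("utf-8")


def latro_encode(text: str, key: int) -> bytes:
    """Inverse of latro_decode: build a structure that decodes to `text`."""
    data = text.encode("utf-8")
    if len(data) > SIZE_MASK:
        raise ValueError("length does not fit in 12 bits")
    seed = (key ^ len(data)) & 0xFFFF          # so (wSeed ^ dwKey) & 0xFFF == len
    body = bytearray()
    k = key
    for p in data:
        k = (k + 1) & 0xFFFFFFFF
        body.append(((p ^ (k & 0xFF)) - 10) & 0xFF)   # undo XOR, then undo ADD
    return HDR.pack(key, seed) + bytes(body)


def scan_strings(blob: bytes, min_len: int = 6):
    """Try every offset and keep candidates that decode to printable ASCII.

    Random bytes occasionally pass this filter, so hits should be confirmed
    against cross-references in the disassembly; nothing is skipped after a
    hit so that an earlier false positive cannot hide a real string."""
    hits = []
    for off in range(len(blob) - HDR.size + 1):
        key, seed = HDR.unpack_from(blob, off)
        size = (seed ^ key) & SIZE_MASK
        if size < min_len or off + HDR.size + size > len(blob):
            continue
        try:
            text = latro_decode(blob, off)
        except ValueError:                      # includes UnicodeDecodeError
            continue
        if all(0x20 <= ord(ch) < 0x7F for ch in text):
            hits.append((off, text))
    return hits


def build_sample():
    """Constructed image: two encoded strings separated by zero filler.
    The second key is chosen so the 32-bit counter wraps mid-string."""
    filler = b"\x00" * 8
    blob, expected = b"", []
    for text, key in (("explorer.exe", 0x1A2B3C4D), ("/live/", 0xFFFFFFFE)):
        blob += filler
        expected.append((len(blob), text))
        blob += latro_encode(text, key)
    return blob + filler, expected


SAMPLE_BLOB, SAMPLE_EXPECTED = build_sample()

if __name__ == "__main__":
    for off, text in scan_strings(SAMPLE_BLOB):
        print(f"{off:#06x}: {text!r}")
```

Running the module prints each recovered string with its offset. Against a real memory dump, raise min_len or tighten the character filter to cut false positives, and treat the scanner's output as candidates to confirm from the call sites of the deobfuscation routine rather than as ground truth.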
It is noteworthy that the actual size of the obfuscated string is not stored directly: it is derived from the XOR of the wSeed and dwKey fields, masked to 12 bits.\r\nimport struct\r\n\r\ndef latro_deobf(buffer: bytes) -\u003e str:\r\n    # header is little-endian: DWORD dwKey, WORD wSeed, followed by uBuf[]\r\n    key, seed = struct.unpack_from(\"\u003cIH\", buffer)\r\n    size = (seed ^ key) \u0026 0xFFF        # the length is hidden in the seed\r\n    enc = buffer[6:6 + size]\r\n    out_buf = bytearray(size)\r\n    for i in range(size):\r\n        key = (key + 1) \u0026 0xFFFFFFFF   # the 32-bit key advances once per byte\r\n        out_buf[i] = (((enc[i] + 10) \u0026 0xFF) ^ key) \u0026 0xFF   # ADD 10, then XOR with the key\r\n    return out_buf.decode(\"utf-8\")\r\nFigure 3 - String deobfuscation routine reimplementation\r\nDynamic API Resolution via Windows API Hashing\r\nLatrodectus resolves Windows APIs at runtime by CRC32 hash. It walks the InMemoryOrderModuleList in the PEB to locate the loaded ntdll.dll (hash 0x26797E77) and kernel32.dll (hash 0x2ECA438C) modules first, then resolves the exported functions it needs from those modules by hash.\r\nThe structure and control flow are reminiscent of the BlackLotus API resolution routine, which is available as open source.\r\nstruct latrodectus_api_entry\r\n{\r\n    _DWORD dwFuncHash;   /* CRC32 of the export name */\r\n    _HMODULE* hModule;   /* module base to search */\r\n    _LPVOID* pFunc;      /* receives the resolved address */\r\n};\r\nFigure 4 - API Table Entry\r\nThe API table is built sequentially during the initialisation phase of the malware, as shown in the C pseudocode in Figure 5 (field names follow Figure 4).\r\napi_tbl[0].dwFuncHash = 0xE0762FEB; /* NtAllocateVirtualMemory */\r\napi_tbl[0].hModule    = \u0026pNtdll;\r\napi_tbl[0].pFunc      = \u0026NtAllocateVirtualMemory;\r\napi_tbl[1].dwFuncHash = 0xB46508B5; /* RtlGetVersion */\r\napi_tbl[1].hModule    = \u0026pNtdll;\r\napi_tbl[1].pFunc      = \u0026RtlGetVersion;\r\nFigure 5 - Building of Windows API function table based on CRC32 hash\r\nAnti-Debug\r\nLatrodectus uses the well-known, documented check of the BeingDebugged flag in the process's PEB [6] (the byte at offset 2 of the PEB, named IsDebugged in the Figure 6 pseudocode). 
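Before the debugger check, one practical point about the hashed API table of Figures 4 and 5 above: analysts label such entries offline with a precomputed CRC32 table of export names. The block below is an added example, not code from the post. The post says CRC32 but not how names are normalised before hashing (case, ANSI vs UTF-16) or whether the standard reflected CRC-32 (Python's zlib.crc32) is the exact variant, so probe_variants() reports which common normalisation, if any, reproduces a hash quoted in the post; the candidate export list is constructed for the example.

```python
"""Added example (not the RevEng.AI post's code): CRC32 lookup table for
labelling hashed API-table entries, plus a probe for the hash variant.

Assumption: standard CRC-32 (zlib.crc32) over the export name; the post
does not state the normalisation the malware applies, so the hashes it
quotes are used only as probe targets here."""
import zlib

# Constructed candidate list; a real run would use the full export tables
# of ntdll.dll and kernel32.dll.
API_CANDIDATES = [
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
    "RtlGetVersion", "LdrLoadDll", "LdrGetProcedureAddress",
    "CreateFileW", "SetFileInformationByHandle", "GetModuleFileNameW",
    "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
]

# Values quoted in the post (module hashes and the Figure 5 entries).
POST_MODULE_HASHES = {"ntdll.dll": 0x26797E77, "kernel32.dll": 0x2ECA438C}
POST_API_TABLE = [(0xE0762FEB, "ntdll"), (0xB46508B5, "ntdll")]


def api_hash(name: bytes) -> int:
    """Standard CRC-32 (IEEE, reflected) as a 32-bit unsigned value."""
    return zlib.crc32(name) & 0xFFFFFFFF


def build_table(names):
    """Map hash -> export name so hashed entries can be labelled offline."""
    return {api_hash(n.encode("ascii")): n for n in names}


def annotate(entries, table):
    """Label each (hash, module) pair; None when the name is not in the table."""
    return [(h, mod, table.get(h)) for h, mod in entries]


def probe_variants(target: int, name: str):
    """Return the normalisations of `name` whose CRC-32 equals `target`."""
    variants = {
        "ascii": name.encode("ascii"),
        "ascii-lower": name.lower().encode("ascii"),
        "ascii-upper": name.upper().encode("ascii"),
        "ascii-nul": name.encode("ascii") + b"\x00",
        "utf16le": name.encode("utf-16-le"),
        "utf16le-upper": name.upper().encode("utf-16-le"),
    }
    return sorted(label for label, raw in variants.items() if api_hash(raw) == target)


if __name__ == "__main__":
    table = build_table(API_CANDIDATES)
    for h, mod, name in annotate(POST_API_TABLE, table):
        print(f"0x{h:08X} {mod:8s} {name or '<not in candidate list>'}")
    for mod, h in POST_MODULE_HASHES.items():
        print(f"{mod}: 0x{h:08X} matches {probe_variants(h, mod) or 'no common variant'}")
```

If none of the probed normalisations reproduces the post's module hashes, the implant's CRC32 differs from the standard one (initial value, polynomial or final XOR), and the table must be rebuilt with the routine lifted from the sample; the annotate() step is the same either way.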
Reading the BeingDebugged flag is a common check and is easily defeated (clearing the byte from the debugger suffices), but it still trips analysts who attach a debugger without hiding it. A reimplementation in C pseudocode is shown in Figure 6. This code is also likely borrowed from the BlackLotus open-source project [2].\r\nint64 latro::is_debugged()\r\n{\r\n    return util::current_peb()-\u003eIsDebugged;\r\n}\r\nFigure 6 - PEB based anti-debugging measure employed by Latrodectus\r\nHost Environment Process Count Checks\r\nLatrodectus' host environment checks include counting the running processes and comparing the count against a threshold that depends on the Windows NT version. These checks are likely intended to evade sandboxes, emulators, and other analysis environments in which the number of processes is unusually low.\r\nIf both the version constraint and the process-count trigger in Table 2 match, the malware simply exits. This technique is not unique to Latrodectus; it has been used by, for example, the EvilBunny implant.\r\nWindows Version Constraint                                 Process Count Trigger\r\n\u003e= Windows 10                                              fewer than 75\r\n\u003e= Windows Server 2003 R2 and \u003c= Windows Server 2012/R2   fewer than 50\r\nTable 2 - Process check constraints per version\r\nNTFS Visibility Obscured via Alternate Data Stream (ADS)\r\nLatrodectus uses a trick to delete its own executable while the process is still running, relying on an alternate data stream (ADS) and a specific chain of API calls: Windows refuses to delete an image file while it is mapped, but the mapped data stream can be renamed to an ADS, after which the file can be marked for deletion and is removed when the last handle closes. The following sequence of events occurs:\r\n1. The path of the running process is obtained with GetModuleFileName. A HANDLE to the file is then acquired via CreateFile with DELETE access.\r\n2. SetFileInformationByHandle is called with the FileRenameInfo class and the FileName member set to :wtfbbq.\r\n3. SetFileInformationByHandle is called again, this time with the FileDispositionInfo class and the DeleteFile member set to TRUE.\r\n4. The HANDLE is closed, which triggers the deletion.\r\n5. The HANDLE is duplicated, then renamed to an ADS, in this instance :wtfbbq.\r\nIn the reference proof of concept [7] the rename comes first and the delete disposition is set on a freshly reopened handle.\r\nThis code has likely been borrowed from that open-source project [7] and slightly modified to use Latrodectus' API resolution and string obfuscation routines; the ADS name (:wtfbbq) is unchanged from the original. The same technique has also been used by Raspberry Robin, HelloXD ransomware and DarkPower ransomware, and is implemented in the Offensive Nim project.\r\nConclusion\r\nLatrodectus is a now-prominent malware loader that leverages a variety of anti-analysis techniques to avoid detection and thwart reverse engineering. Its reliance on open-source projects such as BlackLotus, and the speed with which it adapts and incorporates such code, show the adversary's commitment to leveraging publicly available resources to enhance its malware.\r\nThe adversary behind Latrodectus has shown operational resilience in the face of takedowns, quickly rebuilding a robust malware delivery infrastructure after Operation Endgame.\r\nRevEng.AI Platform\r\nRevEng.AI cuts down the reverse-engineering time in the analysis stage using our state-of-the-art binary AI model. Using the AI Binary Analysis platform, analysts were able to quickly identify the differences between Latrodectus samples at function and binary level, giving an overview of the changes implemented by the malware developer from version to version. 
The same comparison surfaced the overlaps with BlackLotus.\r\nFigure 7 - RevEng.AI-identified Latrodectus and BlackLotus similarity analysis\r\nRevEng.AI allows analysts to quickly cluster malware samples based on the code similarity observed between binaries.\r\nIOCs (Indicators of Compromise)\r\nHost IOCs\r\nSHA-256  Filename  Description\r\n3ac8decd825d1ed7a86ed86d7789b44c0f0c467d4f482ab0863df1b7b1e3e8cc  Form_Ver-11-58-52.js  Malicious JavaScript downloader\r\n4586250dbf8cbe579662d3492dd33fe0b3493323d4a060a0d391f20ecb28abf1  vpn.msi  MSI file\r\nc89d15789fd9e0b23e62bbf038d2ddbcea5618573517f3382790b4b0434933df  disk1.cab  CAB archive containing the packed BRC4 badger\r\nc5dc5fd676ab5b877bc86f88485c29d9f74933f8e98a33bddc29f0f3acc5a5b9  aclui.dll  Packed Brute Ratel badger\r\n0d3fd08d237f2f22574edf6baf572fa3b15281170f4d14f98433ddeda9f1c5b2  N/A (in-memory)  Unpacked Brute Ratel badger stager\r\ndbd85d5dd501bb7fad3990f0801d32da438a5bc60bd7cf6999d5bc535291146c  N/A (injected into explorer.exe)  Latrodectus 1.3\r\n44ccc3fbd3e15e8bdb063616d9baa37b1f9ab9121759fd467c943b7611860f72  N/A (injected into explorer.exe)  Latrodectus stealer module\r\nTable 3 - Host IOCs\r\nNetwork IOCs\r\nHost  Description\r\nhttps[:]//lettecoft[.]com/live/  Latrodectus C2 endpoint\r\nhttps[:]//ultroawest[.]com/live/  Latrodectus C2 endpoint\r\nhttps[:]//kalopvard[.]com/live/  Latrodectus C2 endpoint\r\nhttps[:]//filomeranta[.]com/live/  Latrodectus C2 endpoint\r\nultroawest[.]com  Latrodectus C2 host\r\nlettecoft[.]com  Latrodectus C2 host\r\nkalopvard[.]com  Latrodectus C2 host\r\nfilomeranta[.]com  Latrodectus C2 host\r\n185.93.221[.]108  Latrodectus C2 IP\r\n81.99.162[.]48  Latrodectus C2 IP\r\nbarsen[.]monster:7444  Brute Ratel C2\r\nkurvabbr[.]pw:7444  Brute Ratel C2\r\n94.232.249[.]86  Brute Ratel C2 IP\r\nhttp[:]//85.208.108[.]63/BST.msi  MSI used by the JavaScript dropper\r\nTable 4 - Network IOCs\r\nLatrodectus Configuration\r\nKey  Value\r\nC2  https[:]//ultroawest[.]com/live/, https[:]//lettecoft[.]com/live/, https[:]//kalopvard[.]com/live/\r\nRC4 Key  qNfSHTVKEU7mknHSFrQCwp0mmQfXUNPIcA66gezNz49qQOVX0P\r\nGroup  Mercury (0x88e6542e)\r\nVersion  1.3\r\nTable 5 - Latrodectus Configuration\r\nFootnotes\r\n[1] - https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39, https://www.proofpoint.com/uk/blog/threat-insight/latrodectus-spider-bytes-ice\r\n[2] - https://github.com/ldpreload/BlackLotus, https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/\r\n[3] - https://learn.microsoft.com/en-us/windows/win32/msi/installer-installproduct\r\n[4] - https://news.sophos.com/en-us/2023/05/18/the-phantom-menace-brute-ratel-remains-rare-and-targeted/\r\n[5] - https://www.operation-endgame.com/\r\n[6] - https://github.com/ldpreload/BlackLotus/blob/main/src/Bot/antidebug.c\r\n[7] - https://github.com/LloydLabs/delete-self-poc/tags\r\nSource: https://blog.reveng.ai/latrodectus-distribution-via-brc4/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.reveng.ai/latrodectus-distribution-via-brc4/"
	],
	"report_names": [
		"latrodectus-distribution-via-brc4"
	],
	"threat_actors": [
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439062,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/029f868cd5d1ef2addf62de10de68d97b86c899c.pdf",
		"text": "https://archive.orkl.eu/029f868cd5d1ef2addf62de10de68d97b86c899c.txt",
		"img": "https://archive.orkl.eu/029f868cd5d1ef2addf62de10de68d97b86c899c.jpg"
	}
}