{
	"id": "287ec92c-f430-4a61-b4ee-d3d590206f9d",
	"created_at": "2026-04-06T00:22:32.593379Z",
	"updated_at": "2026-04-10T13:11:35.068328Z",
	"deleted_at": null,
	"sha1_hash": "38bfe1db5909e001737043529945621ddd7dcb28",
	"title": "Latrodectus BackConnect",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1248766,
	"plain_text": "Latrodectus BackConnect\r\nBy Erik Hjelmvik\r\nPublished: 2025-12-10 · Archived: 2026-04-05 14:04:32 UTC\r\nWednesday, 10 December 2025 13:00:00 (UTC/GMT)\r\nhttps://www.netresec.com/?page=Blog\u0026month=2025-12\u0026post=Latrodectus-BackConnect\r\nPage 1 of 15\r\n\r\nThis blog post demonstrates how artifacts, such as reverse shell commands and VNC session screenshots, can be extracted from Latrodectus BackConnect C2 traffic with NetworkMiner.\r\nI recently learned that the great folks from The DFIR Report have done a writeup covering the Latrodectus backdoor. Their report is titled From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion.\r\nI found it particularly interesting that the threat actors used Latrodectus to drop a BackConnect RAT to the victim PC. I have verified that this RAT’s Command and Control (C2) traffic uses the exact same BackConnect C2 protocol as was previously seen in IcedID and QakBot infections.\r\nThis BackConnect RAT supports features such as:\r\nReverse VNC (Keyhole)\r\nReverse SOCKS\r\nReverse shell (cmd.exe or powershell)\r\nFile manager\r\nI immediately recognized the BackConnect protocol because I spent many hours reverse engineering that protocol back in 2022. I later spent even more time building a parser for it in 2023. This BackConnect parser was eventually published as part of the NetworkMiner 2.8.1 release.\r\nI was happy to see that NetworkMiner could parse the BackConnect traffic in The DFIR Report’s Latrodectus case (#TB28761).\r\nThe only caveat was that I had to use NetworkMiner Professional, because it has a built-in protocol detection feature that detects the BackConnect traffic and applies the correct parser. That feature isn’t included in the free version of NetworkMiner, which is why it doesn’t know what to do with this strange looking TCP traffic to port 443.\r\nBelow are some screenshots extracted with NetworkMiner Professional from the BackConnect reverse VNC traffic.\r\nImage: Keyhole reverse VNC session\r\nImage: Attacker fails to inspect ad_users.txt\r\nImage: Attacker launches additional malware with rundll\r\nThe reverse VNC activity spanned a period of over two weeks, which is very impressive for this type of intrusion data set. The threat actors used the BackConnect reverse VNC service to access the machine several times during this period, for example to steal credentials and install additional malware.\r\nA histogram of interactive BackConnect events, including reverse shell, VNC and file manager sessions, shows that the majority of the work was carried out around 12pm UTC.\r\nKeylog of the Attacker\r\nNot only does the BackConnect network traffic from the intrusion allow us to extract screenshots from the VNC traffic; NetworkMiner also extracts the attacker’s hands-on-keyboard activity.\r\nThe keylog shows that the attacker accidentally typed “cd //” instead of “cd ..” at one point. Here’s the screenshot that NetworkMiner extracted from the reverse VNC traffic after the attacker had corrected the typo.\r\nThis typo might seem a bit odd, but if you compare the US keyboard layout with the Russian Cyrillic one, you’ll see that the dot key on the Cyrillic keyboard is at the same place as the slash key on the US keyboard.\r\nImage: Russian Windows keyboard layout from Wikipedia\r\nThis reminds me of another BackConnect infection, captured by Brad Duncan, which he named IcedID (BokBot) infection with Keyhole VNC and Cobalt Strike. Here’s a screenshot that NetworkMiner extracted from the PCAP file shared by Brad:\r\nThe attacker can be seen typing “фьфящт” into the browser’s address bar in that VNC session. Фьфящт doesn’t mean anything in Russian, but the same key positions on the Russian keyboard correspond to “amazon” on a standard Latin keyboard layout.\r\nReverse Shell\r\nNetworkMiner also extracts commands from BackConnect reverse shell sessions.\r\nThis screenshot shows that the attacker sent the following command to the reverse shell:\r\nrundll32 C:\\ProgramData\\sys.dll,StartUp471\r\nThis command launched a Cobalt Strike implant that connected to avtechupdate[.]com. Analysis of the Cobalt Strike C2 traffic is out of scope for this blog post, but the original writeup for this lab contains additional details on the Cobalt Strike infection.\r\nThe attacker later issued another rundll command to launch another red-team/penetration testing tool, namely Brute Ratel C4.\r\nrundll32 wscadminui.dll, wsca\r\nThis Brute Ratel backdoor connected to C2 servers on erbolsan[.]com and a few other domains (see IOC list). The DFIR Report’s writeup contains additional information about that payload as well.\r\nAbout The DFIR Report\r\nThe DFIR Report provides analysis of cyber intrusions, detailing the tactics, techniques, and procedures used by attackers. They share insights into various attacks, from initial access to execution, and offer private threat briefs and reports for organizations.\r\nA lab containing Elastic or Splunk data from this infection can be purchased from The DFIR Report’s store. Look for the lab titled “The Lunar Tangled Malware Web - Public Case #28761”. The DFIR Report also sells access to a threat intelligence service, which contains even more detailed lab data from this and other malware infections.\r\nNetresec is not affiliated with The DFIR Report.\r\nIOC List\r\nThe analyzed infection is from 2024, so these indicators are in no way fresh. They are included here for research purposes and to facilitate retro hunting.\r\nBackConnect C2 ip:port\r\n185.93.221.12:443\r\n193.168.143.196:443\r\nLatrodectus domains\r\ngrasmetral[.]com\r\nilloskanawer[.]com\r\njarkaairbo[.]com\r\nscupolasta[.]store\r\nworkspacin[.]cloud\r\nCobalt Strike C2 URI\r\nhxxps://resources.avtechupdate[.]com/samlss/vm.ico\r\nBrute Ratel C4 domains\r\ndauled[.]com\r\nerbolsan[.]com\r\nkasym500[.]com\r\nkasymdev[.]com\r\nsamderat200[.]com\r\nNetwork Forensics Training\r\nCheck out our network forensics training if you want to learn more about analyzing malware traffic in PCAP files. I will teach an online class for incident responders and blue teams on February 23-26. That class allows a maximum of 15 attendees in order to provide a good environment for taking questions. So don’t miss out on this chance to get your hands dirty with some packet analysis together with me!\r\nPosted by Erik Hjelmvik on Wednesday, 10 December 2025 13:00:00 (UTC/GMT)\r\nTags: #BackConnect #IcedID #VNC #Keyhole #NetworkMiner\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2025-12\u0026post=Latrodectus-BackConnect",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2025-12\u0026post=Latrodectus-BackConnect"
	],
	"report_names": [
		"?page=Blog\u0026month=2025-12\u0026post=Latrodectus-BackConnect"
	],
	"threat_actors": [
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38bfe1db5909e001737043529945621ddd7dcb28.pdf",
		"text": "https://archive.orkl.eu/38bfe1db5909e001737043529945621ddd7dcb28.txt",
		"img": "https://archive.orkl.eu/38bfe1db5909e001737043529945621ddd7dcb28.jpg"
	}
}