{
	"id": "5044abfc-fb78-4dce-a723-6cccb5769452",
	"created_at": "2026-04-06T00:14:35.491206Z",
	"updated_at": "2026-04-10T03:37:26.6539Z",
	"deleted_at": null,
	"sha1_hash": "41d1c52df55145a4839e54b74c0e0ff17917d539",
	"title": "Latrodectus Malware Analysis: IcedID 2.0 | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3839506,
	"plain_text": "Latrodectus Malware Analysis: IcedID 2.0 | Proofpoint US\r\nBy Proofpoint Threat Research and Team Cymru S2 Threat Research\r\nPublished: 2024-03-29 · Archived: 2026-04-05 13:29:52 UTC\r\nProofpoint’s Threat Research team joined up with the Team Cymru S2 Threat Research team, in a collaborative effort to\r\nprovide the information security community with a comprehensive view of the threat activity described.\r\nKey takeaways \r\nProofpoint first observed new malware named Latrodectus appear in email threat campaigns in late November 2023. \r\nWhile use of Latrodectus decreased in December 2023 through January 2024, Latrodectus use increased in\r\ncampaigns throughout February and March 2024.  \r\nIt was first observed in Proofpoint data being distributed by threat actor TA577 but has been used by at least one\r\nother threat actor, TA578. \r\nLatrodectus is an up-and-coming downloader with various sandbox evasion functionality.  \r\nWhile similar to IcedID, Proofpoint researchers can confirm it is an entirely new malware, likely created by the\r\nIcedID developers.  \r\nLatrodectus shares infrastructure overlap with historic IcedID operations. \r\nWhile investigating Latrodectus, researchers identified new, unique patterns in campaign IDs designating threat actor\r\nuse in previous IcedID campaigns. \r\nOverview \r\nProofpoint identified a new loader called Latrodectus in November 2023. Researchers have identified nearly a dozen\r\ncampaigns delivering Latrodectus, beginning in February 2024. The malware is used by actors assessed to be initial access\r\nbrokers (IABs).  \r\nLatrodectus is a downloader with the objective of downloading payloads and executing arbitrary commands. While initial\r\nanalysis suggested Latrodectus was a new variant of IcedID, subsequent analysis confirmed it was a new malware most\r\nlikely named Latrodectus, based on a string identified in the code. 
Based on characteristics in the disassembled sample and\r\nfunctionality of the malware, researchers assess the malware was likely written by the same developers as IcedID. \r\nThis malware was first observed being distributed by TA577, an IAB known as a prolific Qbot distributor prior to the\r\nmalware’s disruption in 2023. TA577 used Latrodectus in at least three campaigns in November 2023 before reverting to\r\nPikabot. Since mid-January 2024, researchers observed it being used almost exclusively by TA578 in email threat\r\ncampaigns.  \r\nCampaign details \r\nTA577 \r\nTA577 was only observed using Latrodectus in three campaigns, all occurring in November 2023. Notably, a campaign that\r\noccurred on 24 November 2023 deviated from previously observed TA577 campaigns. The actor did not use thread\r\nhijacking, but instead used a variety of different subjects with URLs in the email body. The URLs led to the download of a\r\nJavaScript file. If executed, the JavaScript created and ran several BAT files that leveraged curl to execute a DLL and ran it\r\nwith the export “scab”.  \r\nFigure 1: Example TA577 campaign delivering Latrodectus. \r\nOn 28 November 2023, Proofpoint observed the last TA577 Latrodectus campaign. The campaign began with thread\r\nhijacked messages that contained URLs leading to either zipped JavaScript files or zipped ISO files. The zipped JavaScript\r\nfile used curl to download and execute Latrodectus. The zipped ISO file contained a LNK file used to execute the embedded\r\nDLL, Latrodectus. Both attack chains started the malware with the export “nail”. \r\nTA578 \r\nhttps://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice\r\nPage 1 of 20\n\nSince mid-January 2024, Latrodectus has been almost exclusively distributed by TA578. This actor typically uses contact\r\nforms to initiate a conversation with a target. 
In one campaign observed on 15 December 2023, Proofpoint observed TA578\r\ndeliver the Latrodectus downloader via a DanaBot infection. This December campaign was the first observed use of TA578\r\ndistributing Latrodectus. \r\nOn 20 February 2024, Proofpoint researchers observed TA578 impersonating various companies to send legal threats about\r\nalleged copyright infringement. The actor filled out a contact form on multiple targets’ websites, with text containing unique\r\nURLs and included in the URI both the domain of the site that initiated the contact form (the target), and the name of the\r\nimpersonated company (to further the legitimacy of the copyright complaint). If the link was visited, the target was\r\nredirected to a landing page personalized to display both the target’s domain and the name of the impersonated company\r\n(TA578) reporting the copyright infringement. The URL then downloaded a JavaScript file from a Google Firebase URL.\r\nProofpoint has observed the download initiated both from clicking on the “download” button, or downloading the payload\r\nautomatically when the link is first visited.  \r\nIf this JavaScript was executed, it called MSIEXEC to run an MSI from a WebDAV share. The MSI executed the bundled\r\nDLL with the export \"fin\" to run Latrodectus. \r\nFigure 2: Example malicious contact form submission.  \r\nIn recent years, TA578 favored IcedID and Bumblebee but has exclusively used Latrodectus as an initial access payload\r\nsince its return to attributed email campaign data in December 2023. \r\nMalware analysis \r\nLatrodectus resolves Windows API functions dynamically by hash, checks for debuggers present, gathers operating system\r\ninformation, checks running processes, and checks to make sure the computer does not have an existing Latrodectus\r\ninfection running. The malware will then attempt to install itself, set an AutoRun key, and create a scheduled task for\r\npersistence. 
Latrodectus will post encrypted system information to the command and control server (C2) and request the\r\ndownload of the bot. Once the bot registers with the C2, it sends requests for commands from the C2. \r\nWhen the malware was first reported by Walmart in October 2023, there were direct references to downloading a file called\r\n“bp.dat”, which was confirmed to be the IcedID bot component. The malware itself has had a few small changes since its\r\ndiscovery, but overall, it is quite rudimentary. \r\nUpdated/downgraded? String decryption \r\nA strange change recently observed in Latrodectus samples was a simplified string decryption routine. Generally, when\r\nmalware updates string encryption, it’s to further complicate the algorithm, but in this case the opposite was done. String\r\ndecryption was documented in the original Walmart blog, where the developers used a unique pseudo random number\r\ngenerator (PRNG) algorithm illustrated in Figure 3: \r\nFigure 3: Original string decrypt PRNG from November 2023. \r\nThis PRNG was called each iteration of the decrypt loop to mutate the seed to decrypt the next byte of the string. In this\r\nlatest version identified on 2 March 2023, the PRNG was replaced by an increment of the seed variable, leading to the\r\nfollowing algorithm, which is now a rolling XOR key, as seen in Figure 4: \r\nFigure 4: The current string decryption routine. \r\nMalware initialization  \r\nThe malware starts by resolving bulk APIs for various functions. After all the functions have been resolved to their global\r\npointers, the malware ensures it is running in a suitable environment by performing virtualization checks. 
It checks the host\r\nfor the following features, because the lack of these features generally indicates the sample is being run in a sandbox: \r\nIf Windows 10 or newer, have at least 75 running processes \r\nIf earlier than Windows 10, have at least 50 running processes \r\nEnsure the 64-bit application is running on a 64-bit host \r\nEnsure the host has a valid MAC address \r\nThese checks can be seen below: \r\nFigure 5: Environment checks.  \r\nIn all the samples analyzed since the malware’s discovery, the malware always registers a mutex called “runnung” [sic]. If\r\nthe mutex already exists, it indicates the host has an existing infection, and the malware will exit resulting in the new\r\ninfection ending.  \r\nFigure 6: Mutex check. \r\nWith all the checks passed, the malware continues to initialize the variables for the campaign. This includes the current\r\nuser’s username, a handle to its own file, a handle to the current process, and the campaign ID.  The campaign ID (a string\r\nof letters) is hashed via FNV-1a to create the numeric campaign ID which is included in the communications protocol. In\r\nthis sample, the campaign ID is based on the string “Supted” as seen in Figure 7.  \r\nAnalyst note: Researching the techniques of string hashing of campaign IDs observed in Latrodectus helped researchers\r\nidentify new patterns in previous IcedID campaigns. More on this in the below IcedID section. \r\nFigure 7: Global variable initialization. \r\nLatrodectus generates bot IDs for each unique host the malware is installed on. Like IcedID, the bot ID is generated via the\r\nhosts’ serial ID. This serial is then passed to the bot ID creation function which multiplies the serial by a hardcoded constant,\r\nand returns the result and updates the serial to generate the next DWORD of the bot ID. 
\r\nFigure 8: Bot ID generation.  \r\nThis calculated value is then set in a format string to generate a string like:\r\nD0ACE431ABCD00C7D41EF0BA04ED.  \r\nFigure 9: Bot ID to string. \r\nC2 servers are decrypted, and set in the global configuration: \r\nFigure 10: C2 decryption.  \r\nThe malware then attempts to read a hardcoded filename “update_data.dat”, decrypt it, and set C2s from that file into the\r\nglobal list of C2s.  \r\nFigure 11: Checking the existence of update_data.dat and parsing it.  \r\nBefore the malware starts communicating it needs to ensure it’s running from the designated location in %AppData%. This\r\nis a specific path that is derived from the bot ID. If the malware is not running out of this location, it copies itself to the new\r\nlocation, starts the new process and shuts down the current process.   \r\nFigure 12: Code to determine whether the bot is running from its designated location in AppData. \r\nAt this point, the malware is either running from its designated location or is restarting itself in the new location. It creates a\r\nthread, which initiates the communications component of the malware.  \r\nMalware communication \r\nLatrodectus, like IcedID, sends the registration information in a POST request where the fields are HTTP parameters\r\nconcatenated together.  \r\nFigure 13: HTTP parameters being filled in. 
\r\nAn overview of each field can be seen below: \r\ncounter  The number of HTTP requests made  \r\ntype  1 for registration, 3 for system info \r\nguid  Bot ID discussed earlier \r\nos  Major version of the operating system \r\narch  1 if 64 bit  \r\nusername  ASCII username \r\ngroup  FNV-1a value of the campaign ID string ie: “Supted” \r\nver  Major and minor version (so far just 1.1) \r\nup  An integer stored in the config that is different per sample \r\nOnce this string is created, it is RC4 encrypted with the key “12345”. This key has been consistent across all samples\r\nanalyzed to date. The resulting RC4 encrypted data is base64 encoded and sent to the C2 in the HTTP body.  \r\nFigure 14: Sanitized cleartext request. \r\nIf the bot is coming from an IP that is not blocklisted and passed all other filtering, a response will be returned that, when\r\ndecoded and decrypted with the global key “12345”, leads to a list of commands to be interpreted by the first command\r\nhandler. \r\nFigure 15: Command parsing for the first command handler. \r\nThe following table shows the four supported commands in the first command handler: \r\nCLEARURL  Reset the C2 table, removing all current C2s \r\nURLS  Set the C2 with the given index \r\nCOMMAND  Internal command handler for common bot functionality \r\nERROR  Report an error to the bot \r\nAn example response from the C2 is shown below. When decrypted and decoded, it gives commands from the above table: \r\nE3l9I35LXiOWKYHilDWuJoUOTU3NOyjNGnp3muFUOrabzvFw6FpoOQqdBZmsUV5E7FzXWHKgBafR6PcPckBsIB2vIhb3CZ/QHPoEO1hc0A++P\r\nThis response when base64 decoded and RC4 decrypted with the global key “12345” will show the following:  \r\nFigure 16: Decrypted and decoded command response. \r\nThe response is parsed by the major keywords. 
The URLs keyword replaces the C2s within the sample with the three listed in\r\nthe command. When “COMMAND” is being processed, this triggers a second layer command handler. The handler first\r\nchecks that the token after COMMAND is one of the expected command IDs. These commands support a feature that also\r\nexists within IcedID. These commands check for the existence of “front” in the string, which can be seen in Figure 16 to load\r\nthe sysinfo shellcode. This string is replaced with the currently active C2, with the string “/files/” appended. For example,\r\nthe file “sysinfo.bin” would be downloaded from popfealt[.]one/files/sysinfo.bin. \r\nFigure 17: Command ID checking.  \r\nThe commands Latrodectus supports currently: \r\nEnum name  Enum value  Description \r\ncmd_get_desktop_items  2  Get the filenames of files on the desktop \r\ncmd_get_proclist  3  Get the list of running processes \r\ncmd_get_sysinfo  4  Send additional system information \r\ncmd_exec_exe  12  Execute executable \r\ncmd_exec_dll  13  Execute DLL with given export \r\ncmd_exec_cmd  14  Pass string to cmd and execute \r\ncmd_update  15  Update the bot and trigger a restart \r\ncmd_kill  17  Shutdown the running process \r\ncmd_run_icedid  18  Download bp.dat and execute \r\ncmd_change_timing  19  Set a flag to reset the communications timing \r\ncmd_reset_counter  20  Reset the counter variable used in communications \r\nAlthough the malware supports “cmd_run_icedid” to download and execute “bp.dat”, Proofpoint has not observed\r\nLatrodectus dropping IcedID as a follow-on payload.  \r\nUltimately, Latrodectus is a generic loader that appears to be in active development, but so far there have not been\r\ngroundbreaking changes to its capabilities.  
\r\nLatrodectus infrastructure \r\nTier 1 analysis \r\nTeam Cymru’s research into Latrodectus infrastructure began in late 2023 with the identification of four Tier 1 Command\r\nand Control (C2) servers in the initial October 2023 campaign. At the time, analysis of network telemetry (NetFlow) data for\r\nthese C2s highlighted no discernible upstream communication with a possible Tier 2 (T2) proxy server. However, the IPs\r\nshared several common characteristics, which were leveraged to find other C2s and subsequently identify upstream T2\r\ncommunication, as described below.  \r\nQueries for the combined characteristics detailed below resulted in fewer than one hundred IPs being returned, a positive sign\r\nthat the results were broadly related, as the existence of hundreds of C2s would be unlikely at this point. \r\nFingerprint Hash = 2ad2ad16d2ad2ad22c2ad2ad2ad2ad89cd2abd9b188d3b42762a4c6aa7ff72 \r\nOpen Ports = 8080, 443 \r\nOpen Ports Banner Hash = eb51f3b6b62c69672dbeced9ce2252675db44222,\r\n9b5ee969ca96ba0d4547a6041c5a86bf80fd4c96 \r\nOpen Ports Banner = 403 Forbidden, localhost \r\nFiltering out false positives, mostly belonging to Amazon and Russian provider IP space, the remaining IPs were assigned to\r\nhosting providers often utilized for C2 infrastructure by IcedID and other dropper malware. This list includes familiar AS\r\nnames such as BLNWX, BV-EU-AS, LITESERVER, MIRHOSTING, XHOST, ZAPPIE-HOST, and ZERGRUSH. \r\nIndications of a potential T2 server were found in NetFlow data for these potential C2s, with numerous C2s initiating\r\ncommunication with this IP on remote TCP/80. Further investigation of this IP led to the identification of additional C2s\r\nbased on matching traffic patterns. 
Although Latrodectus uses domains concealed behind Cloudflare in its malware\r\nconfigurations, Team Cymru confirmed that many of the C2s found communicating with the T2 were the true IPs behind\r\nthese domains. \r\nC2 lifespan \r\nThe chart below illustrates the lifespan of Latrodectus C2s, helping to highlight patterns in C2 activity including gaps,\r\nturnover rates, and concurrent live C2s. The timeline starts 18 September 2023, incrementing bi-weekly through March\r\n2024. Vertical lines mark each Sunday, while red bars represent individual C2s, ordered by first appearance. A bar's length\r\nreflects its lifespan, from the start to the end of communication with the T2. \r\nBy focusing on T2 communications, rather than victim communications or when a C2 first appeared in the wild, it is\r\npossible to provide a more accurate representation of lifespan based on utilization by the threat actor(s). \r\nFigure 18: Latrodectus C2 timeline from September 2023 through March 2024. \r\nSince tracking began, Team Cymru has observed an ongoing cycle of C2 activity, starting with the first C2 to T2 connection\r\nin September. This continued even during the January 2024 “quiet phase” when no campaigns were publicly identified. With\r\nmalspam campaigns resuming in early February 2024, the activities in January 2024 may represent testing phases, targeted\r\nattacks, or the use of alternative distribution methods beyond malspam. \r\nThe chart indicates multiple patterns; the October to December 2023 campaigns coincided with C2s having longer lifespans,\r\nwhile the few C2s in September 2023 are likely linked to testing prior to the initial campaigns being observed in the wild.\r\nAfter a decline in December, the creation of new C2s resumed in January 2024, leading to more frequent but often shorter-lived C2s since then. 
\r\nPivoting to raw data, analysis from 1 January to 18 March 2024 shows a C2 setup rate of one every 1.18 days, double the\r\nprevious rate from 21 September to 31 December 2023 of one every 2.32 days. The average lifespan of C2s during the\r\nJanuary to March 2024 period dropped to nine days, compared to an average of fifteen days for September to December\r\n2023. One explanation for these changes could be that the threat actors are intensifying Latrodectus operations, having spent\r\nthe late 2023 period testing the waters.  \r\nAs previously referenced, each vertical line on the chart above (Figure 18) represents a Sunday / beginning of a new week,\r\noffering a high-level view of when new infrastructure is typically established. Initial analysis did not identify a preferred day\r\non which C2s were set up, although a decrease in activity was noted to occur on weekends. \r\nFigure 19: Analysis of preferred day of C2 creation. \r\nFurther analysis of the raw data indicated, however, that new C2s initiate communication with the T2 primarily on Fridays,\r\nperhaps to prepare infrastructure for the upcoming working week on Monday. Setup rates on Tuesday, Wednesday, and\r\nThursday are comparably high, while Monday rates are lower.  As mentioned above, activity drops over the weekend,\r\nsuggesting the threat actors generally take this time off (as is often seen in analysis of cybercrime threat actors). \r\nTier 2 analysis \r\nBased on historic network telemetry data, the T2 server was set up around August 2023. It has an X.509 certificate subject\r\nvalue that was also associated with BazarLoader C2s in 2021.  \r\nSince the initial setup of the Latrodectus infrastructure, only a few other IPs were found sharing this X.509 certificate. 
We\r\nsuspect one such IP hosts a development server that first appeared active in July 2023, a month prior to the T2, while the\r\nroles of the others remain unclear. Nonetheless, Team Cymru is confident in their association with Latrodectus. \r\nBeyond the development server, researchers identified other notable components within the Latrodectus infrastructure. Team\r\nCymru has pinpointed hosts that exhibit patterns indicative of operator activity based on their consistent interactions across\r\nthe infrastructure, including with the development server, and their assessed usage of services and tools known to be\r\napplicable to cybercrime-related activities. \r\nAdditional hosts were found within the infrastructure, but their specific roles remain undefined. However, based on traffic\r\npatterns and other traits that resemble that of other confirmed infrastructure, researchers can assume that they are interesting\r\nand should be monitored.  \r\nAny unknowns in the infrastructure continue to be a focus of Team Cymru’s investigations and researchers will provide\r\nupdates when further information becomes known, as appropriate. \r\nConnection to IcedID \r\nFrom an infrastructure analysis perspective, Team Cymru determined that the same threat actors responsible for IcedID are\r\nalso involved in the operation of Latrodectus. This conclusion is drawn from a few key observations. For one, the C2 hosting\r\nchoices between the two operations are similar, as mentioned above, although this alone is not a strong association. \r\nMore conclusively, the Latrodectus T2 maintains connections with backend infrastructure associated with IcedID, and\r\noperator activity within Latrodectus infrastructure includes the utilization of specific jumpboxes known to be used in IcedID\r\noperations. \r\nFigure 20: Latrodectus infrastructure related to IcedID infrastructure. 
\r\nThe use of these hosts by operators for both IcedID and Latrodectus activities has been consistent since the initial setup of\r\nthe Latrodectus management infrastructure in July/August 2023. \r\nStandard IcedID update: a mystery decrypted \r\nWhile investigating the techniques used in string hashing related to Latrodectus campaign IDs, Proofpoint researchers\r\napplied similar techniques to brute-force previously observed IcedID campaign IDs to derive a meaningful string.\r\nResearchers identified patterns in the brute-forced IcedID campaign IDs and correlated them to specific threat actor\r\ncampaigns over time. The correlation suggests that in most cases, the derived IcedID campaign IDs associated with each\r\nthreat actor follow specific themes, such as cars or geographic regions.  \r\nIcedID is a malware originally classified as a banking trojan and was first observed in 2017. It also acts as a loader for other\r\nmalware, including ransomware.  As previously published, historically there has been just one version of IcedID that has\r\nremained constant since 2017. This well-known IcedID version, now commonly known as \"Standard IcedID\" to differentiate\r\nit from newer variants, consists of two main components: \r\nIcedID loader: The loader is distributed initially, used to contact a Loader C2 server and attempt to download the\r\nsecond component, the core IcedID Bot. \r\nIcedID bot: The core module containing most of the malware functionality. \r\nMost malware contains a configuration which is often used to input details specific to a threat actor. These details will\r\ndifferentiate affiliates in the malware panel and determine what malware infections the group can see and further leverage. It\r\nis common across most malware families for a form of project or campaign ID to distinguish the user affiliated with the\r\nmalware infection.  \r\nThe IcedID loader and bot have different campaign IDs and C2s. 
Historically, both the campaign ID and the C2 found in the\r\nIcedID loader configuration were typically distinct for each campaign and could be used to cluster related activity and aid in\r\nthreat actor attribution. In 2022, a change occurred in campaign activity which made the loader's configuration unreliable for\r\ndelineating between campaigns and threat actors. Despite the change to the loader, the IcedID bot configuration remained\r\nconsistent and generally unique to a threat actor. \r\nFigure 21: Example IcedID Configuration in a September 2023 TA577 campaign. \r\nIn late 2023, Proofpoint researchers used the FNV-1a hashing algorithm to brute-force IcedID bot campaign IDs, which\r\nallowed insight and correlation to campaigns and aided in confident attribution of previously suspected threat actor activity.\r\nThe numbers used as campaign IDs resolved to words and brands that were used by specific IcedID affiliates. This was the\r\nfirst time researchers had observed successful derivation of the campaign IDs, and the strings resolved were notable. Many\r\naffiliates associated with a threat actor appear to have a “theme” for their campaign IDs. For example, TA578 campaign IDs\r\ngenerally used an automobile theme like “Pontiac” or “Hyundai”. TA544 campaign IDs contained Italian references. TA579\r\ncampaign IDs supported a previously suspected relationship distributing for another threat actor. TA551 campaign IDs often\r\nreferenced the NATO phonetic alphabet, though there were anomalies and not enough data to assert with confidence. TA581\r\ncampaign IDs had no unique patterns which supports the suspicion that the actor is solely a distributor or overlaps with\r\nanother threat group. The patterns that emerged correlating specific threat actors to certain themes proved consistent over\r\nyears. 
\r\nBy identifying campaign ID patterns that proved consistent for each threat actor over years of IcedID campaign activity, in\r\naddition to other campaign indicators, researchers were able to attribute activity with high confidence to tracked threat\r\nactors, despite the change in loader configuration in 2022. It also provided valuable insight into how botnet operators\r\nmonitor affiliates, and further illustrated that seemingly random identifiers often provide important data that can assist in\r\nattribution, potentially including future Latrodectus campaigns.  \r\nThe data represented in this update was collected between 2022 and 2023. The patterns and hypothesis formed are limited to\r\nthe malware configuration data collected from approximately 100 campaigns originating from email during this scope of time\r\nand the subset of campaign IDs successfully decrypted. While Proofpoint is planning to publish a more thorough analysis of\r\nthe patterns and campaign IDs in relation to tracked threat actors, below is a table of select project IDs initially brute forced: \r\nDecoded Project ID  Original Project ID \r\nAscari  3524611504 \r\nAtilda  2585978814 \r\nAustin  3919082043 \r\nBuick  2056920153 \r\nCaprese  3036889562 \r\nChery  1057461280 \r\nChevrolet  904247735 \r\nDelta  1023147713 \r\nDevlin  3393436303 \r\nEcho  998075300 \r\nFullmoon  3415411565 \r\nHyundai  2262657793 \r\nIndia  2646410796 \r\nItaldesign  3681413287 \r\nJuliet  2941939166 \r\nJupiter  921805286 \r\nKappa  2143020712 \r\nKilo  686741504 \r\nLincoln  1573268852 \r\nMars  1180344712 \r\nMike  4049493703 \r\nPontiac  1501064257 \r\nPorsche  310022019 \r\nConclusion \r\nProofpoint anticipates Latrodectus will become increasingly used by threat actors across the landscape, especially by those\r\nwho previously delivered IcedID. 
Given its use by threat actors assessed to be initial access brokers, defenders are\r\nencouraged to understand the tactics, techniques, and procedures (TTPs) exhibited by the malware and associated\r\ncampaigns.  \r\nLatrodectus’ attempts to incorporate sandbox evasion functionality aligns with the trend overall in the cybercrime threat\r\nlandscape that malware authors are increasingly trying to bypass defenders and ensure only potential victims receive the\r\npayload. Proofpoint has observed similar attempts from other notable malware used by IABs including Pikabot and\r\nWikiLoader.  \r\nEmerging Threats signatures \r\n2051602 ET MALWARE Latrodectus Related Activity (POST) \r\n2051601 ET MALWARE Observed Latrodectus Domain (popfealt .one in TLS SNI) \r\n2051600 ET MALWARE Observed Latrodectus Domain (aytobusesre .com in TLS SNI) \r\n2051599 ET MALWARE DNS Query to Latrodectus Domain (popfealt .one) \r\n2051598 ET MALWARE DNS Query to Latrodectus Domain (aytobusesre .com) \r\n2049706 ET MALWARE Latrodectus Alive Response M8 \r\n2049705 ET MALWARE Latrodectus Alive Response M7 \r\n2049704 ET MALWARE Latrodectus Alive Response M6 \r\n2049703 ET MALWARE Latrodectus Alive Response M5 \r\n2049702 ET MALWARE Latrodectus Alive Response M4 \r\n2049701 ET MALWARE Latrodectus Alive Response M3 \r\n2049700 ET MALWARE Latrodectus Alive Response M2 \r\n2049233 ET MALWARE Latrodectus 404 Response \r\n2049232 ET MALWARE Latrodectus Alive Response M1 \r\n2049231 ET MALWARE Latrodectus Alive Request (GET) \r\n2048735 ET MALWARE Latrodectus Loader Related Activity (POST) \r\nIndicators of compromise \r\nIndicator  Description  First Observed 
\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice\r\n\nup: An integer stored in the config that is different per sample\nOnce this string is created, it is RC4 encrypted with the key “12345”. This key has been consistent across all samples\nanalyzed to date. The resulting RC4 encrypted data is base64 encoded and sent to the C2 in the HTTP body.\n\nAn example response from the C2 is shown below:\nE3l9I35LXiOWKYHilDWuJoUOTU3NOyjNGnp3muFUOrabzvFw6FpoOQqdBZmsUV5E7FzXWHKgBafR6PcPckBsIB2vIhb3CZ/QHPoEO1hc0A++P\nWhen decrypted and decoded, it gives commands within the above table:\nThis response, when base64 decoded and RC4 decrypted with the global key “12345”, will show the following:",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice"
	],
	"report_names": [
		"latrodectus-spider-bytes-ice"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1f87ac52-682a-4bc7-b7ce-fac8d79815fa",
			"created_at": "2023-01-06T13:46:39.373008Z",
			"updated_at": "2026-04-10T02:00:03.305899Z",
			"deleted_at": null,
			"main_name": "TA579",
			"aliases": [],
			"source_name": "MISPGALAXY:TA579",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434475,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41d1c52df55145a4839e54b74c0e0ff17917d539.pdf",
		"text": "https://archive.orkl.eu/41d1c52df55145a4839e54b74c0e0ff17917d539.txt",
		"img": "https://archive.orkl.eu/41d1c52df55145a4839e54b74c0e0ff17917d539.jpg"
	}
}