Latrodectus Malware Analysis: IcedID 2.0 | Proofpoint US
By Proofpoint Threat Research and Team Cymru S2 Threat Research
Published: 2024-03-29 · Archived: 2026-04-05 13:29:52 UTC
Proofpoint’s Threat Research team joined up with the Team Cymru S2 Threat Research team, in a collaborative effort to
provide the information security community with a comprehensive view of the threat activity described.
Key takeaways 
Proofpoint first observed new malware named Latrodectus appear in email threat campaigns in late November 2023. 
While use of Latrodectus decreased in December 2023 through January 2024, Latrodectus use increased in
campaigns throughout February and March 2024.  
It was first observed in Proofpoint data being distributed by threat actor TA577 but has been used by at least one
other threat actor, TA578. 
Latrodectus is an up-and-coming downloader with various sandbox evasion functionality.  
While similar to IcedID, Proofpoint researchers can confirm it is an entirely new malware, likely created by the
IcedID developers.  
Latrodectus shares infrastructure overlap with historic IcedID operations. 
While investigating Latrodectus, researchers identified new, unique patterns in campaign IDs designating threat actor
use in previous IcedID campaigns. 
Overview 
Proofpoint identified a new loader called Latrodectus in November 2023. Researchers have identified nearly a dozen
campaigns delivering Latrodectus, beginning in February 2024. The malware is used by actors assessed to be initial access
brokers (IABs).  
Latrodectus is a downloader with the objective of downloading payloads and executing arbitrary commands. While initial
analysis suggested Latrodectus was a new variant of IcedID, subsequent analysis confirmed it was a new malware most
likely named Latrodectus, based on a string identified in the code. Based on characteristics in the disassembled sample and
functionality of the malware, researchers assess the malware was likely written by the same developers as IcedID. 
This malware was first observed being distributed by TA577, an IAB known as a prolific Qbot distributor prior to the
malware’s disruption in 2023. TA577 used Latrodectus in at least three campaigns in November 2023 before reverting to
Pikabot. Since mid-January 2024, researchers observed it being used almost exclusively by TA578 in email threat
campaigns.  
Campaign details 
TA577 
TA577 was only observed using Latrodectus in three campaigns, all occurring in November 2023. Notably, a campaign that
occurred on 24 November 2023 deviated from previously observed TA577 campaigns. The actor did not use thread
hijacking, but instead used a variety of different subjects with URLs in the email body. The URLs led to the download of a
JavaScript file. If executed, the JavaScript created and ran several BAT files that leveraged curl to execute a DLL and ran it
with the export “scab”.  
Figure 1: Example TA577 campaign delivering Latrodectus. 
On 28 November 2023, Proofpoint observed the last TA577 Latrodectus campaign. The campaign began with thread
hijacked messages that contained URLs leading to either zipped JavaScript files or zipped ISO files. The zipped JavaScript
file used curl to download and execute Latrodectus. The zipped ISO file contained a LNK file used to execute the embedded
DLL, Latrodectus. Both attack chains started the malware with the export “nail”. 
TA578 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 1 of 20

Since mid-January 2024, Latrodectus has been almost exclusively distributed by TA578. This actor typically uses contact
forms to initiate a conversation with a target. In one campaign observed on 15 December 2023, Proofpoint observed TA578
deliver the Latrodectus downloader via a DanaBot infection. This December campaign was the first observed use of TA578
distributing Latrodectus. 
On 20 February 2024, Proofpoint researchers observed TA578 impersonating various companies to send legal threats about
alleged copyright infringement. The actor filled out a contact form on multiple targets’ websites, with text containing unique
URLs and included in the URI both the domain of the site that initiated the contact form (the target), and the name of the
impersonated company (to further the legitimacy of the copyright complaint). If the link was visited, the target was
redirected to a landing page personalized to display both the target’s domain and the name of the impersonated company
(TA578) reporting the copyright infringement. The URL then downloaded a JavaScript file from a Google Firebase URL.
Proofpoint has observed the download initiated both from clicking on the “download” button, or downloading the payload
automatically when the link is first visited.  
If this JavaScript was executed, it called MSIEXEC to run an MSI from a WebDAV share. The MSI executed the bundled
DLL with the export "fin" to run Latrodectus. 
Figure 2: Example malicious contact form submission.  
In recent years, TA578 favored IcedID and Bumblebee but has exclusively used Latrodectus as an initial access payload
since its return to attributed email campaign data in December 2023. 
Malware analysis 
Latrodectus resolves Windows API functions dynamically by hash, checks for debuggers present, gathers operating system
information, checks running processes, and checks to make sure the computer does not have an existing Latrodectus
infection running. The malware will then attempt to install itself, set an AutoRun key, and create a scheduled task for
persistence. Latrodectus will post encrypted system information to the command and control server (C2) and request the
download of the bot. Once the bot registers with the C2, it sends requests for commands from the C2. 
When the malware was first reported by Walmart in October 2023, there were direct references to downloading a file called
“bp.dat”, which was confirmed to be the IcedID bot component. The malware itself has had a few small changes since its
discovery, but overall, it is quite rudimentary. 
Updated/downgraded? String decryption 
A strange change recently observed in Latrodectus samples was a simplified string decryption routine. Generally, when
malware updates string encryption, it’s to further complicate the algorithm, but in this case the opposite was done. String
decryption was documented in the original Walmart blog, where the developers used a unique pseudo random number
generator (PRNG) algorithm illustrated in Figure 3: 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 2 of 20

Figure 3: Original string decrypt PRNG from November 2023. 
This PRNG was called each iteration of the decrypt loop to mutate the seed to decrypt the next byte of the string. In this
latest version identified on 2 March 2023, the PRNG was replaced by an increment of the seed variable, leading to the
following algorithm, which is now a rolling XOR key, as seen in Figure 4: 
Figure 4: The current string decryption routine. 
Malware initialization  
The malware starts by resolving bulk APIs for various functions. After all the functions have been resolved to their global
pointers, the malware ensures it is running in a suitable environment by performing virtualization checks. It checks the host
for the following features, because the lack of these features generally indicates the sample is being run in a sandbox: 
If Windows 10 or newer, have at least 75 running processes 
If earlier than Windows 10, have at least 50 running processes 
Ensure the 64-bit application is running on a 64-bit host 
Ensure the host has a valid MAC address 
These checks can be seen below: 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 3 of 20

Figure 5: Environment checks.  
In all the samples analyzed since the malware’s discovery, the malware always registers a mutex called “runnung” [sic]. If
the mutex already exists, it indicates the host has an existing infection, and the malware will exit resulting in the new
infection ending.  
Figure 6: Mutex check. 
With all the checks passed, the malware continues to initialize the variables for the campaign. This includes the current
user’s username, a handle to its own file, a handle to the current process, and the campaign ID.  The campaign ID (a string
of letters) is hashed via FNV-1a to create the numeric campaign ID which is included in the communications protocol. In
this sample, the campaign ID is based on the string “Supted” as seen in Figure 7.  
Analyst note: Researching the techniques of string hashing of campaign IDs observed in Latrodectus helped researchers
identify new patterns in previous IcedID campaigns. More on this in the below IcedID section. 
Figure 7: Global variable initialization. 
Latrodectus generates bot IDs for each unique host the malware is installed on. Like IcedID, the bot ID is generated via the
hosts’ serial ID. This serial is then passed to the bot ID creation function which multiplies the serial by a hardcoded constant,
and returns the result and updates the serial to generate the next DWORD of the bot ID. 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 4 of 20

Figure 8: Bot ID generation.  
This calculated value is then set in a format string to generate a string like:
D0ACE431ABCD00C7D41EF0BA04ED.  
Figure 9: Bot ID to string. 
C2 servers are decrypted, and set in the global configuration: 
Figure 10: C2 decryption.  
The malware then attempts to read a hardcoded filename “update_data.dat”, decrypt it, and set C2s from that file into the
global list of C2s.  
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 5 of 20

Figure 11: Checking the existence of update_data.dat and parsing it.  
Before the malware starts communicating it needs to ensure it’s running from the designated location in %AppData%. This
is a specific path that is derived from the bot ID. If the malware is not running out of this location, it copies itself to the new
location, starts the new process and shuts down the current process.   
Figure 12: Code to determine whether the bot is running from its designated location in AppData. 
At this point, the malware is either running from its designated location or is restarting itself in the new location. It creates a
thread, which initiates the communications component of the malware.  
Malware communication 
Latrodectus, like IcedID, sends the registration information in a POST request where the fields are HTTP parameters
concatenated together.  
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 6 of 20

Figure 13: HTTP parameters being filled in. 
An overview of each field can be seen below: 
counter  The number of HTTP requests made  
type  1 for registration, 3 for system info 
guid  Bot ID discussed earlier 
os  Major version of the operating system 
arch  1 if 64 bit  
username  ASCII username 
group  FNV-1a value of the campaign ID string ie: “Supted” 
ver  Major and minor version (so far just 1.1) 
up  An integer stored in the config that is different per sample 
Once this string is created, it is RC4 encrypted with the key “12345”. This key has been consistent across all samples
analyzed to date. The resulting RC4 encrypted data is base64 encoded and sent to the C2 in the HTTP body.  
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 7 of 20

Figure 14: Sanitized cleartext request. 
If the bot is coming from an IP that is not blocklisted and passed all other filtering, a response will be returned that, when
decoded and decrypted with the global key “12345”, leads to a list of commands to be interpreted by the first command
handler. 
Figure 15: Command parsing for the first command handler. 
The following table shows the four supported commands in the first command handler: 
CLEARURL  Reset the C2 table, removing all current C2s 
URLS  Set the C2 with the given index 
COMMAND  Internal command handler for common bot functionality 
ERROR  Report an error to the bot 
An example response from the C2 is shown below. When decrypted and decoded gives commands within the above table: 
E3l9I35LXiOWKYHilDWuJoUOTU3NOyjNGnp3muFUOrabzvFw6FpoOQqdBZmsUV5E7FzXWHKgBafR6PcPckBsIB2vIhb3CZ/QHPoEO1hc0A++P
This response when base64 decoded and RC4 decrypted with the global key “12345” will show the following:  
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 8 of 20

Figure 16: Decrypted and decoded command response. 
The response is parsed by the major keywords. The URLs keyword replaces the C2s within the sample to the three listed in
the command. When “COMMAND” is being processed, this triggers a second layer command handler. The handler first
checks that the token after COMMAND is one of the expected command IDs. These commands support a feature that also
exists within IcedID. These commands check for the existence of “front” in the string, which can be seen in figure 16 to load
the sysinfo shellcode. This string is replaced with the currently active C2, with the string “/files/” appended. For Example,
the file “sysinfo.bin” would be downloaded from popfealt[.]one/files/sysinfo.bin. 
Figure 17: Command ID checking.  
The commands Latrodectus supports currently: 
Enum name  Enum value  Description 
cmd_get_desktop_items  2  Get the filenames of files on the desktop 
cmd_get_proclist  3  Get the list of running processes 
cmd_get_sysinfo  4  Send additional system information 
cmd_exec_exe  12  Execute executable 
cmd_exec_dll  13  Execute DLL with given export 
cmd_exec_cmd  14  Pass string to cmd and execute 
cmd_update  15  Update the bot and trigger a restart 
cmd_kill  17  Shutdown the running process 
cmd_run_icedid  18  Download bp.dat and execute 
cmd_change_timing  19  Set a flag to reset the communications timing 
cmd_reset_counter  20  Reset the counter variable used in communications 
Although the malware supports “cmd_run_icedid” to download and execute “bp.dat”, Proofpoint has not observed
Latrodectus dropping IcedID as a follow-on payload.  
Ultimately, Latrodectus is a generic loader that appears to be in active development, but so far there have not been
groundbreaking changes to its capabilities.  
Latrodectus infrastructure 
Tier 1 analysis 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 9 of 20

Team Cymru’s research into Latrodectus infrastructure began in late 2023 with the identification of four Tier 1 Command
and Control (C2) servers in the initial October 2023 campaign. At the time, analysis of network telemetry (NetFlow) data for
these C2s highlighted no discernible upstream communication with a possible Tier 2 (T2) proxy server. However, the IPs
shared several common characteristics, which were leveraged to find other C2s and subsequently identify upstream T2
communication, as described below.  
Queries for the combined characteristics detailed below resulted in less than one hundred IPs being returned, a positive sign
that the results were broadly related, as the existence of hundreds of C2s would be unlikely at this point. 
Fingerprint Hash = 2ad2ad16d2ad2ad22c2ad2ad2ad2ad89cd2abd9b188d3b42762a4c6aa7ff72 
Open Ports= 8080, 443 
Open Ports Banner Hash = eb51f3b6b62c69672dbeced9ce2252675db44222,
9b5ee969ca96ba0d4547a6041c5a86bf80fd4c96 
Open Ports Banner = 403 Forbidden, localhost 
Filtering out false positives, mostly belonging to Amazon and Russian provider IP space, the remaining IPs were assigned to
hosting providers often utilized for C2 infrastructure by IcedID and other dropper malware. This list includes familiar AS
names such as BLNWX, BV-EU-AS, LITESERVER, MIRHOSTING, XHOST, ZAPPIE-HOST, and ZERGRUSH. 
Indications of a potential T2 server were found in NetFlow data for these potential C2s, with numerous C2s initiating
communication with this IP on remote TCP/80. Further investigation of this IP led to the identification of additional C2s
based on matching traffic patterns. Although Latrodectus uses domains concealed behind Cloudflare in its malware
configurations, Team Cymru confirmed that many of the C2s found communicating with the T2 were the true IPs behind
these domains. 
C2 lifespan 
The chart below illustrates the lifespan of Latrodectus C2s, helping to highlight patterns in C2 activity including gaps,
turnover rates, and concurrent live C2s. The timeline starts 18 September 2023, incrementing bi-weekly through March
2024. Vertical lines mark each Sunday, while red bars represent individual C2s, ordered by first appearance. A bar's length
reflects its lifespan, from the start to the end of communication with the T2. 
By focusing on T2 communications, rather than victim communications or when a C2 first appeared in the wild, it is
possible to provide a more accurate representation of lifespan based on utilization by the threat actor(s). 
Figure 18: Latrodectus C2 timeline from September 2023 through Mach 2024. 
Since tracking began, Team Cymru has observed an ongoing cycle of C2 activity, starting with the first C2 to T2 connection
in September. This continued even during the January 2024 “quiet phase” when no campaigns were publicly identified. With
malspam campaigns resuming in early February 2024, the activities in January 2024 may represent testing phases, targeted
attacks, or the use alternative distribution methods beyond malspam. 
The chart indicates multiple patterns; the October to December 2023 campaigns coincided with C2s having longer lifespans,
while the few C2s in September 2023 are likely linked to testing prior to the initial campaigns being observed in the wild.
After a decline in December, the creation of new C2s resumed in January 2024, leading to more frequent but often shorter-lived C2s since then. 
Pivoting to raw data, analysis from 1 January to 18 March 2024 shows a C2 setup rate of one every 1.18 days, double the
previous rate from 21 September to 31 December 2023 of one every 2.32 days. The average lifespan of C2s during the
January to March 2024 period dropped to nine days, compared to an average of fifteen days for September to December
2023. One explanation for these changes could be that the threat actors are intensifying Latrodectus operations, having spent
the late 2023 period testing the waters.  
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 10 of 20

As previously referenced, each vertical line on the chart above (Figure 18) represents a Sunday / beginning of a new week,
offering a high-level view of when new infrastructure is typically established. Initial analysis did not identify a preferred day
on which C2s were set up, although a decrease in activity was noted to occur on weekends. 
Figure 19: Analysis of preferred day of C2 creation. 
Further analysis of the raw data indicated, however, that new C2s initiate communication with the T2 primarily on Fridays,
perhaps to prepare infrastructure for the upcoming working week on Monday. Setup rates on Tuesday, Wednesday, and
Thursday are comparably high, while Monday rates are lower.  As mentioned above, activity drops over the weekend,
suggesting the threat actors generally take this time off (as is often seen in analysis of cybercrime threat actors). 
Tier 2 analysis 
Based on historic network telemetry data, the T2 server was set up around August 2023. It has an X.509 certificate subject
value that was also associated with BazarLoader C2s in 2021.  
Since the initial setup of the Latrodectus infrastructure, only a few other IPs were found sharing this X.509 certificate. We
suspect one such IP hosts a development server that first appeared active in July 2023, a month prior to the T2, while the
roles of the others remain unclear. Nonetheless, Team Cymru is confident in their association with Latrodectus. 
Beyond the development server, researchers identified other notable components within the Latrodectus infrastructure. Team
Cymru has pinpointed hosts that exhibit patterns indicative of operator activity based on their consistent interactions across
the infrastructure, including with the development server, and their assessed usage of services and tools known to be
applicable to cybercrime-related activities. 
Additional hosts were found within the infrastructure, but their specific roles remain undefined. However, based on traffic
patterns and other traits that resemble that of other confirmed infrastructure, researchers can assume that they are interesting
and should be monitored.  
Any unknowns in the infrastructure continue to be a focus of Team Cymru’s investigations and researchers will provide
updates when further information becomes known, as appropriate. 
Connection to IcedID 
From an infrastructure analysis perspective, Team Cymru determined that the same threat actors responsible for IcedID are
also involved in the operation of Latrodectus. This conclusion is drawn from a few key observations. For one, the C2 hosting
choices between the two operations are similar, as mentioned above, although this alone is not a strong association. 
More conclusively, the Latrodectus T2 maintains connections with backend infrastructure associated with IcedID, and
operator activity within Latrodectus infrastructure includes the utilization of specific jumpboxes known to be used in IcedID
operations. 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 11 of 20

Figure 20: Latrodectus infrastructure related to IcedID infrastructure. 
The use of these hosts by operators for both IcedID and Latrodectus activities has been consistent since the initial setup of
the Latrodectus management infrastructure in July/August 2023. 
Standard IcedID update: a mystery decrypted 
While investigating the techniques used in string hashing related to Latrodectus campaign IDs, Proofpoint researchers
applied similar techniques to brute-force previously observed IcedID campaign IDs to derive a meaningful string.
Researchers identified patterns in the brute-forced IcedID campaign IDs and correlated them to specific threat actor
campaigns over time. The correlation suggests that in most cases, the derived IcedID campaign IDs associated with each
threat actor follow specific themes, such as cars or geographic regions.  
IcedID is a malware originally classified as a banking trojan and was first observed in 2017. It also acts as a loader for other
malware, including ransomware.  As previously published, historically there has been just one version of IcedID that has
remained constant since 2017. This well-known IcedID version, now commonly known as "Standard IcedID" to differentiate
it from newer variants, consists of two main components: 
IcedID loader: The loader is distributed initially, used to contact a Loader C2 server and attempt to download the
second component, the core IcedID Bot. 
IcedID bot: The core module containing most of the malware functionality. 
Most malware contains a configuration which is often used to input details specific to a threat actor. These details will
differentiate affiliates in the malware panel and determine what malware infections the group can see and further leverage. It
is common across most malware families for a form of project or campaign ID to distinguish the user affiliated with the
malware infection.  
The IcedID loader and bot have different campaign IDs and C2s. Historically, both the campaign ID and the C2 found in the
IcedID loader configuration was typically distinct for each campaign and could be used to cluster related activity and aid in
threat actor attribution. In 2022, a change occurred in campaign activity which made the loader's configuration unreliable for
delineating between campaigns and threat actors. Despite the change to the loader, the IcedID bot configuration remained
consistent and generally unique to a threat actor. 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 12 of 20

Figure 21: Example IcedID Configuration in a September 2023 TA577 campaign. 
In late 2023, Proofpoint researchers used the FNV-1a hashing algorithm to brute-force IcedID bot campaign IDs, which
allowed insight and correlation to campaigns and aid in confident attribution of previously suspected threat actor activity.
The numbers used as campaign IDs resolved to words and brands that were used by specific IcedID affiliates. This was the
first time researchers had observed successful derivation of the campaign IDs, and the strings resolved were notable. Many
affiliates associated with a threat actor appear to have a “theme” for their campaign IDs. For example, TA578 campaign IDs
generally used an automobile theme like “Pontiac” or “Hyundai”. TA544 campaign IDs contained Italian references. TA579
campaign IDs supported a previously suspected relationship distributing for another threat actor. TA551 campaign IDs often
referenced the NATO phonetic alphabet, though there were anomalies and not enough data to assert with confidence. TA581
campaign IDs had no unique patterns which supports the suspicion that the actor is solely a distributor or overlaps with
another threat group. The patterns that emerged correlating specific threat actors to certain themes proved consistent over
years. 
By identifying campaign ID patterns that proved consistent for each threat actor over years of IcedID campaign activity, in
addition to other campaign indicators, researchers were able to attribute activity with high confidence to tracked threat
actors, despite the change in loader configuration in 2022. It also provided valuable insight into how botnet operators
monitor affiliates, and further illustrated that seemingly random identifiers often provide important data that can assist in
attribution, potentially including future Latrodectus campaigns.  
The data represented in this update was collected between 2022 and 2023. The patterns and hypothesis formed are limited to
the malware configuration data collected from aproximately 100 campaigns originating from email during this scope of time
and the subset of campaign IDs successfully decrypted. While Proofpoint is planning to publish a more thorough analysis of
the patterns and campaign IDs in relation to tracked threat actors, below is a table of select project IDs initially brute forced: 
Decoded Project ID  Original Project ID 
Ascari  3524611504 
Atilda  2585978814 
Austin  3919082043 
Buick  2056920153 
Caprese  3036889562 
Chery  1057461280 
Chevrolet  904247735 
Delta  1023147713 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 13 of 20

Devlin  3393436303 
Echo  998075300 
Fullmoon  3415411565 
Hyundai  2262657793 
India  2646410796 
Italdesign  3681413287 
Juliet  2941939166 
Jupiter  921805286 
Kappa  2143020712 
Kilo  686741504 
Lincoln  1573268852 
Mars  1180344712 
Mike  4049493703 
Pontiac  1501064257 
Porsche  310022019 
Conclusion 
Proofpoint anticipates Latrodectus will become increasingly used by threat actors across the landscape, especially by those
who previously delivered IcedID. Given its use by threat actors assessed to be initial access brokers, defenders are
encouraged to understand the tactics, techniques, and procedures (TTPs) exhibited by the malware and associated
campaigns.  
Latrodectus’ attempts to incorporate sandbox evasion functionality aligns with the trend overall in the cybercrime threat
landscape that malware authors are increasingly trying to bypass defenders and ensure only potential victims receive the
payload. Proofpoint has observed similar attempts from other notable malware used by IABs including Pikabot and
WikiLoader.  
Emerging Threats signatures 
2051602 ET MALWARE Latrodectus Related Activity (POST) 
2051601 ET MALWARE Observed Latrodectus Domain (popfealt .one in TLS SNI) 
2051600 ET MALWARE Observed Latrodectus Domain (aytobusesre .com in TLS SNI) 
2051599 ET MALWARE DNS Query to Latrodectus Domain (popfealt .one) 
2051598 ET MALWARE DNS Query to Latrodectus Domain (aytobusesre .com) 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 14 of 20

2049706 ET MALWARE Latrodectus Alive Response M8 
2049705 ET MALWARE Latrodectus Alive Response M7 
2049704 ET MALWARE Latrodectus Alive Response M6 
2049703 ET MALWARE Latrodectus Alive Response M5 
2049702 ET MALWARE Latrodectus Alive Response M4 
2049701 ET MALWARE Latrodectus Alive Response M3 
2049700 ET MALWARE Latrodectus Alive Response M2 
2049233 ET MALWARE Latrodectus 404 Response 
2049232 ET MALWARE Latrodectus Alive Response M1 
2049231 ET MALWARE Latrodectus Alive Request (GET) 
2048735 ET MALWARE Latrodectus Loader Related Activity (POST) 
Indicators of compromise 
Indicator  Description  
First
Observed 
db03a34684feab7475862080f59d4d99b32c74d3a152a53b257fd1a443e8ee77 
LNK Payload
SHA256 
27 November
2023 
e99f3517a36a9f7a55335699cfb4d84d08b042d47146119156f7f3bab580b4d7 
DLL Payload
SHA256 
27 November
2023 
hxxps://mazdakrichest[.]com/live/  Latrodectus C2 
27 November
2023 
hxxps://riverhasus[.]com/live/  Latrodectus C2 
27 November
2023 
bb525dc6b7a7ebefd040e01fd48d7d4e178f8d9e5dec9033078ced4e9aa4e241 
JavaScript Payload
SHA256 
28 November
2023 
97e093f2e0bf6dec8392618722dd6b4411088fe752bedece910d11fffe0288a2 
DLL Payload
SHA256 
28 November
2023 
hxxp://162[.]55[.]217[.]30/gRMS/0[.]6395541546258323[.]dat 
JavaScript Payload
URL 
28 November
2023 
hxxp://157[.]90[.]166[.]88/O3ZlYNW/0[.]7797109211833805[.]dat 
JavaScript Payload
URL 
28 November
2023 
hxxp://128[.]140[.]36[.]37/cQtDIo/0[.]43650426987684443[.]dat 
JavaScript Payload
URL 
28 November
2023 
hxxps://peermangoz[.]me/live/  Latrodectus C2 
28 November
2023 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 15 of 20

hxxps://aprettopizza[.]world/live/  Latrodectus C2 
28 November
2023 
hxxps://nimeklroboti[.]info/live/  Latrodectus C2 
28 November
2023 
hxxps://frotneels[.]shop/live/  Latrodectus C2 
28 November
2023 
f9c69e79e7799df31d6516df70148d7832b121d330beebe52cff6606f0724c62 
JavaScript Payload
SHA256 
24 November
2023 
d9471b038c44619739176381815bfa9a13b5ff77021007a4ede9b146ed2e04ec 
DLL Payload
SHA256 
24 November
2023 
hxxps://hukosafaris[.]com/elearning/f/q/daas-area/chief/index[.]php 
JavaScript Payload
URL 
24 November
2023 
d98cd810d568f338f16c4637e8a9cb01ff69ee1967f4cfc004de3f283d61ba81 
DLL Payload
SHA256 
14 December
2023 
47d66c576393a4256d94f5ed1e77adc28426dea027f7a23e2dbf41b93b87bd78 
EXE Payload
SHA256 
14 December
2023 
77[.]91[.]73[.]187:443 
DanaBot C2 IP
Address 
14 December
2023 
74[.]119[.]193[.]200:443 
DanaBot C2 IP
Address 
14 December
2023 
hxxps://arsimonopa[.]com/live  Latrodectus C2 
14 December
2023 
hxxps://lemonimonakio[.]com/live  Latrodectus C2 
14 December
2023 
bb525dc6b7a7ebefd040e01fd48d7d4e178f8d9e5dec9033078ced4e9aa4e241 
JavaScript Payload
SHA256 
1 February
2024 
5d881d14d2336273e531b1b3d6f2d907539fe8489cbe80533280c9c72efa2273 
DLL Payload
SHA256 
1 February
2024 
hxxp://superior-coin[.]com/ga/index[.]php 
JavaScript Payload
URL 
1 February
2024 
hxxp://superior-coin[.]com/ga/m/6[.]dll 
JavaScript Payload
URL 
1 February
2024 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 16 of 20

hxxps://fluraresto[.]me/live/  Latrodectus C2 
1 February
2024 
hxxps://mastralakkot[.]live/live/  Latrodectus C2 
1 February
2024 
hxxps://postolwepok[.]tech/live/ 
Latrodectus Update
URLs 
1 February
2024 
hxxps://trasenanoyr[.]best/live/ 
Latrodectus Update
URLs 
1 February
2024 
10c129e2310342a55df5fa88331f338452835790a379d5230ee8de7d5f28ea1a 
JavaScript Payload
SHA256 
5 February
2024 
781c63cf4981fa6aff002188307b278fac9785ca66f0b6dfcf68adbe7512e491  MSI Payload
SHA256 
5 February
2024 
aa29a8af8d615b1dd9f52fd49d42563fbeafa35ff0ab1b4afc4cb2b2fa54a119 
DLL Payload
SHA256 
5 February
2024 
0ac5030e2171914f43e0769cb10b602683ccc9da09369bcd4b80da6edb8be80e 
JavaScript Payload
SHA256 
9 February
2024 
0e96cf6166b7cc279f99d6977ab0f45e9f47e827b8a24d6665ac4c29e18b5ce0  MSI Payload
SHA256 
9 February
2024 
77270e13d01b2318a3f27a9a477b8386f1a0ebc6d44a2c7e185cfbe55aac8017 
DLL Payload
SHA256 
9 February
2024 
hxxps://miistoria[.]com/live  Latrodectus C2 
9 February
2024 
hxxps://plwskoret[.]top/live  Latrodectus C2 
9 February
2024 
e7ff6a7ac5bfb0bb29547d413591abc7628c7d5576a3b43f6d8e5d95769e553a 
JavaScript Payload
SHA256 
13 February
2024 
dedbc21afc768d749405de535f9b415baaf96f7664ded55d54829a425fc61d7e  MSI Payload
SHA256 
13 February
2024 
378d220bc863a527c2bca204daba36f10358e058df49ef088f8b1045604d9d05 
DLL Payload
SHA256 
13 February
2024 
edeacd49aff3cfea35d593e455f7caca35ac877ad6dc19054458d41021e0e13a 
JavaScript Payload
SHA256 
20 February
2024 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 17 of 20

9c27405cf926d36ed8e247c17e6743ac00912789efe0c530914d7495de1e21ec  MSI Payload
SHA256 
20 February
2024 
9a8847168fa869331faf08db71690f24e567c5cdf1f01cc5e2a8d08c93d282c9 
DLL Payload
SHA256 
20 February
2024 
hxxp://178[.]23[.]190[.]199:80/share/gsm[.]msi 
JavaScript WebDAV
Payload URL 
20 February
2024 
hxxps://sluitionsbad[.]tech/live/  Latrodectus C2 
20 February
2024 
hxxps://grebiunti[.]top/live/  Latrodectus C2 
20 February
2024 
856dfa74e0f3b5b7d6f79491a94560dbf3eacacc4a8d8a3238696fa38a4883ea 
JavaScript Payload
SHA256 
23 February
2024 
88573297f17589963706d9da6ced7893eacbdc7d6bc43780e4c509b88ccd2aef  MSI Payload
SHA256 
23 February
2024 
97e08d1c7970c1c12284c4644e2321ce41e40cdaac941e451db4d334cb9c5492 
DLL Payload
SHA256 
23 February
2024 
hxxp://5[.]252[.]21[.]207@80/share/escape[.]msi 
JavaScript WebDAV
Payload URL 
23 February
2024 
hxxps://zumkoshapsret[.]com/live/  Latrodectus C2 
23 February
2024 
hxxps://jertacco[.]com/live/  Latrodectus C2 
23 February
2024 
60c4b6c230a40c80381ce283f64603cac08d3a69ceea91e257c17282f66ceddc 
JavaScript Payload
SHA256 
27 February
2024 
88573297f17589963706d9da6ced7893eacbdc7d6bc43780e4c509b88ccd2aef  MSI Payload
SHA256 
27 February
2024 
97e08d1c7970c1c12284c4644e2321ce41e40cdaac941e451db4d334cb9c5492 
DLL Payload
SHA256 
27 February
2024 
hxxp://5[.]252[.]21[.]207/share/escape[.]msi 
JavaScript WebDAV
Payload URL 
27 February
2024 
a189963ff252f547fddfc394c81f6e9d49eac403c32154eebe06f4cddb5a2a22 
JavaScript Payload
SHA256 
4 March
2024 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 18 of 20

aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c 
DLL Payload
SHA256 
4 March
2024 
hxxp://95[.]164[.]3[.]171/share/cisa[.]msi 
WebDAV Payload
URL 
4 March
2024 
hxxps://scifimond[.]com/live/  Latrodectus C2 
4 March
2024 
hxxps://aytobusesre[.]com/live/  Latrodectus C2 
4 March
2024 
4416b8c36cb9d7cc261ff6612e105463eb2ccd4681930ca8e277a6387cb98794 
JavaScript Payload
SHA256 
7 March
2024 
aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c 
DLL Payload
SHA256 
7 March
2024 
hxxps://popfealt[.]one/live/ 
Latrodectus Update
URLs 
7 March
2024 
hxxps://ginzbargatey[.]tech/live/ 
Latrodectus Update
URLs 
7 March
2024 
hxxps://minndarespo[.]icu/live/ 
Latrodectus Update
URLs 
7 March
2024 
090f2c5abb85a7b115dc25ae070153e4e958ae4e1bc2310226c05cd3e9429446 
JavaScript Payload
SHA256 
11 March
2024 
ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f  MSI Payload
SHA256 
11 March
2024 
3b63ea8b6f9b2aa847faa11f6cd3eb281abd9b9cceedb570713c4d78a47de567 
DLL Payload
SHA256 
11 March
2024 
hxxps://drifajizo[.]fun/live/  Latrodectus C2 
11 March
2024 
hxxps://scifimond[.]com/live/  Latrodectus C2 
11 March
2024 
hxxps://minndarespo[.]icu/live/  Latrodectus C2 
11 March
2024 
6904d382bc045eb9a4899a403a8ba8a417d9ccb764f6e0b462bc0232d3b7e7ea 
JavaScript Payload
SHA256 
18 March
2024 
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 19 of 20

71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9 
DLL Payload
SHA256 
18 March
2024 
hxxp://sokingscrosshotel[.]com/share/upd[.]msi 
WebDAV Payload
URL 
18 March
2024 
hxxps://titnovacrion[.]top/live/  Latrodectus C2 
18 March
2024 
Source: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Page 20 of 20

up Once this string is An integer stored in created, it is RC4 encrypted the config that is different with the key “12345”. per sample This key has been consistent across all samples
analyzed to date. The resulting RC4 encrypted data is base64 encoded and sent to the C2 in the HTTP body.
  Page 7 of 20  

An example response E3l9I35LXiOWKYHilDWuJoUOTU3NOyjNGnp3muFUOrabzvFw6FpoOQqdBZmsUV5E7FzXWHKgBafR6PcPckBsIB2vIhb3CZ/QHPoEO1hc0A++P from the C2 is shown below. When decrypted and decoded gives commands within the above table:
This response when base64 decoded and RC4 decrypted with the global key “12345” will show the following:
  Page 8 of 20