{
	"id": "14eb49c6-b3ce-4260-9c1d-20fc8c7e0c69",
	"created_at": "2026-04-06T00:10:12.436682Z",
	"updated_at": "2026-04-10T13:11:37.128987Z",
	"deleted_at": null,
	"sha1_hash": "56c28dac9586aaef39467c9d00888967d67b088c",
	"title": "Latrodectus – Malware Trends Tracker by ANY.RUN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55670,
	"plain_text": "Latrodectus – Malware Trends Tracker by ANY.RUN\r\nBy Stanislav Gayvoronsky\r\nArchived: 2026-04-05 15:49:35 UTC\r\nWhat is Latrodectus malware?\r\nLatrodectus is a type of malware known as a \"loader,\" which is designed to download and install additional\r\nmalicious software onto a compromised computer. It is believed to have been developed by the same individuals\r\nor group behind the IcedID trojan, a sophisticated and widespread banking malware.\r\nSince 2023, Latrodectus has been extensively used by a variety of threat actors, including advanced persistent\r\nthreat (APT) groups such as TA578 and TA577, which was previously observed delivering the Qbot malware, a\r\nbanking trojan family.\r\nLatrodectus is typically delivered as part of multi-stage attacks, which often begin with a phishing email\r\ncontaining a malicious JavaScript file attachment. However, it has also been known to be dropped by other\r\nmalware, including the DanaBot trojan.\r\nOne of the key features that has allowed security researchers to link Latrodectus to the IcedID authors is the use of\r\na similar command and control (C2) infrastructure. C2 servers are used by malware to communicate with their\r\noperators, receive instructions, and exfiltrate data.\r\nGet started today for free\r\nAnalyze malware and phishing in a fully-interactive sandbox\r\nCreate free account\r\nLatrodectus malware technical details\r\nThe primary functionality of Latrodectus is to receive commands from the attackers and perform them.\r\nSome of the key capabilities of Latrodectus include:\r\nGetting a list of filenames of files located on the desktop of the infected machine.\r\nListing all the processes currently running on the device.\r\nGathering and transmitting additional system information about the endpoint, such as the OS version and\r\nhardware specs.\r\nLaunching of executable files to install malware or to perform other malicious actions.\r\nDetonating dynamic link library (DLL) files.\r\nUsing Windows command prompt to execute commands.\r\nhttps://any.run/malware-trends/latrodectus\r\nPage 1 of 3\n\nA typical Latrodectus infection chain begins with a JavaScript file that is responsible for downloading a malicious\r\n.msi file, which then leads to the deployment of the final payload on the system.\r\nThe malware implements obfuscation techniques, such as encrypting strings, to make it more difficult for\r\nresearchers to analyze. It communicates with its command and control (C2) server via HTTPS, with both requests\r\nand responses encrypted using RC4 and base64 encoding.\r\nFurthermore, Latrodectus has a built-in sandbox detection mechanism that works by enumerating the number of\r\nactive processes on the device and checking for the presence of a MAC address.\r\nThe malware can establish a scheduled task for persistence, ensuring that it remains active on the infected machine\r\neven after a reboot. It also verifies if the computer is already infected with Latrodectus and exits execution if the\r\nresult is positive.\r\nLatrodectus execution process\r\nLet’s detonate a sample of the Latrodectus malware in the ANY.RUN sandbox to observe its execution chain.\r\nThe infiltration process of the Latrodectus malware involves a sequence of steps that ultimately lead to its\r\nsuccessful operation on a target system.\r\nUpon launching a JavaScript file, it automatically retrieves an installer MSI. This MSI file implants a Latrodectus\r\nDynamic Link Library (DLL) onto the system, allowing the malware to maintain persistence even after the system\r\nis rebooted.\r\nLatrodectus process graph in ANY.RUN Latrodectus process graph in ANY.RUN\r\nOnce implanted, the Latrodectus malware establishes communication with its command-and-control (C2) server,\r\nproviding remote access to the infected device for malicious actors.\r\nGathering threat intelligence on Latrodectus malware\r\nTo collect up-to-date intelligence on Latrodectus, use Threat Intelligence Lookup.\r\nThis service gives you access to a vast database filled with insights from millions of malware analysis sessions\r\nconducted in the ANY.RUN sandbox.\r\nWith over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can\r\nefficiently gather relevant data on threats like Latrodectus.\r\nLatrodectus ANY.RUN Search results for Latrodectus in Threat Intelligence Lookup\r\nFor example, you can search directly for the threat name or use related indicators like hash values or network\r\nconnections. Submitting a query such as threatName:\"latrodectus\" AND domainName:\"\" will generate a list of\r\nother data extracted from Lumma samples along with sandbox sessions that you can explore in detail to gain\r\ncomprehensive insights into this malware’s behavior.\r\nhttps://any.run/malware-trends/latrodectus\r\nPage 2 of 3\n\nIntegrate ANY.RUN’s threat intelligence solutions in your company\r\nContact us\r\nLatrodectus malware distribution methods\r\nPhishing emails are the most common attack vector by threat actors for distributing Latrodectus malware. These\r\nemails are typically designed to appear as if they have been sent from a legitimate organization or individual, to\r\ntrick the recipient into opening an attached file or clicking on a malicious link.\r\nIn one particular campaign, the threat actor group TA578 was observed to be spreading Latrodectus as part of a\r\nscheme that involved accusing target companies of copyright infringement. The phishing emails in this campaign\r\nwere designed to look like they were sent from a legitimate organization.\r\nIn another instance, a fake Azure page was used to initiate the infection chain.\r\nConclusion\r\nLatrodectus is a noteworthy loader that presents a challenge due to its widespread use by professional cyber\r\ncriminal groups. Its capacity to deploy payloads, along with its advanced obfuscation and evasion methods, as\r\nwell as continuous development contribute to its potential to become an even more serious threat.\r\nANY.RUN is a cloud-based service that can be used to safely analyze suspicious files and URLs, including\r\nLatrodectus malware. It allows you to observe malware behavior and collect indicators of compromise in a secure\r\nenvironment. Using ANY.RUN can help you understand Latrodectus's tactics and improve your defenses against\r\nit.\r\nCreate your ANY.RUN account – it’s free!\r\nSource: https://any.run/malware-trends/latrodectus\r\nhttps://any.run/malware-trends/latrodectus\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://any.run/malware-trends/latrodectus"
	],
	"report_names": [
		"latrodectus"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434212,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56c28dac9586aaef39467c9d00888967d67b088c.pdf",
		"text": "https://archive.orkl.eu/56c28dac9586aaef39467c9d00888967d67b088c.txt",
		"img": "https://archive.orkl.eu/56c28dac9586aaef39467c9d00888967d67b088c.jpg"
	}
}