{
	"id": "a73e69d6-e3c8-4248-a985-a87f301f8470",
	"created_at": "2026-04-06T00:15:01.450912Z",
	"updated_at": "2026-04-10T03:23:51.697444Z",
	"deleted_at": null,
	"sha1_hash": "7aaf40091722129ec54181523a45e39afebd2702",
	"title": "New Latrodectus malware attacks use Microsoft, Cloudflare themes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4387288,
	"plain_text": "New Latrodectus malware attacks use Microsoft, Cloudflare themes\r\nBy Lawrence Abrams\r\nPublished: 2024-04-30 · Archived: 2026-04-05 18:32:54 UTC\r\nLatrodectus malware is now being distributed in phishing campaigns that use Microsoft Azure and Cloudflare lures to appear legitimate while making it harder for email security platforms to detect the emails as malicious.\r\nLatrodectus (aka Unidentified 111 and IceNova) is an increasingly distributed Windows malware downloader first discovered by Walmart's security team and later analyzed by Proofpoint and Team Cymru. It acts as a backdoor, downloading additional EXE and DLL payloads or executing commands.\r\nBased on the distribution and infrastructure, researchers have linked the malware to the developers of the widely distributed IcedID modular malware loader.\r\nhttps://www.bleepingcomputer.com/news/security/new-latrodectus-malware-attacks-use-microsoft-cloudflare-themes/\r\nPage 1 of 6\r\nWhile it is not known at this time if they plan on phasing out IcedID in favor of Latrodectus, the newer malware is increasingly being used in phishing campaigns and contact form spam to gain initial access to corporate networks.\r\nSecurity researcher ProxyLife and the Cryptolaemus group have been chronicling Latrodectus's use of various PDF lures and themes, with the latest campaign utilizing a fake Cloudflare captcha to evade security software.\r\nStarts with an email\r\nLatrodectus is currently being distributed through reply-chain phishing emails, in which threat actors take stolen email exchanges and reply to them with links to malware or malicious attachments.\r\nProxyLife told BleepingComputer that this campaign uses either PDF attachments or embedded URLs to start an attack chain that eventually leads to installing the Latrodectus malware.\r\nLatrodectus phishing email\r\nSource: BleepingComputer\r\nThe PDFs use generic names like '04-25-Inv-Doc-339.pdf' and pretend to be a document hosted in the Microsoft Azure cloud that must first be downloaded to be viewed.\r\nPDF document pretending to be hosted in Microsoft Azure Cloud\r\nSource: BleepingComputer\r\nClicking on the 'Download Document' button brings users to a fake 'Cloudflare security check' that asks them to solve an easy math question. This captcha is likely meant to stop email security scanners and sandboxes from easily following the attack chain, so that the payload is only delivered to a real user.\r\nWhen the correct answer is entered into the field, the fake Cloudflare captcha automatically downloads a JavaScript file pretending to be a document, with a name similar to \"Document_i79_13b364058-83054409r0449-8089z4.js\".\r\nSolving a fake Cloudflare captcha to download payload\r\nSource: BleepingComputer\r\nThe downloaded JavaScript file is heavily obfuscated with comments. A hidden function extracts text from the comments that start with '////' and executes the resulting script, which downloads an MSI from a hardcoded URL, as shown in the deobfuscated script below.\r\nDeobfuscated script that downloads MSI file\r\nSource: BleepingComputer\r\nWhen the MSI file is installed, it drops a DLL named Update_b419643a.dll in the %AppData%\\Custom_update folder, which is then launched by rundll32.exe. The file names are likely random per installation.\r\nRunDLL32 used to launch Latrodectus DLL\r\nSource: BleepingComputer\r\nThis DLL is the Latrodectus malware, which now quietly runs in the background while waiting for payloads to install or commands to execute.\r\nAs Latrodectus infections are used to drop other malware and to gain initial access to corporate networks, they can lead to devastating attacks.\r\nAt this time, the malware has been observed dropping the Lumma information-stealer and Danabot. However, since Latrodectus is linked to IcedID, these attacks may lead to a wider range of malware in the future, such as Cobalt Strike, and we might also see partnerships with ransomware gangs.\r\nTherefore, if a device becomes infected with Latrodectus, it is critical to take the system offline as soon as possible and evaluate the network for unusual behavior.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-latrodectus-malware-attacks-use-microsoft-cloudflare-themes/"
	],
	"report_names": [
		"new-latrodectus-malware-attacks-use-microsoft-cloudflare-themes"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7aaf40091722129ec54181523a45e39afebd2702.pdf",
		"text": "https://archive.orkl.eu/7aaf40091722129ec54181523a45e39afebd2702.txt",
		"img": "https://archive.orkl.eu/7aaf40091722129ec54181523a45e39afebd2702.jpg"
	}
}