{
	"id": "7cee9ac1-c2a1-4438-a217-9f9738470d99",
	"created_at": "2026-04-06T00:16:43.548134Z",
	"updated_at": "2026-04-10T13:11:59.428953Z",
	"deleted_at": null,
	"sha1_hash": "a33ac58a1d90568716c289434a5afcced93c482e",
	"title": "Latrodectus, are you coming back? | Bitsight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1971184,
	"plain_text": "Latrodectus, are you coming back? | Bitsight\r\nArchived: 2026-04-05 17:10:21 UTC\r\nAt the end of May 2024, the largest ever operation against botnets, dubbed Operation Endgame, targeted several botnets\r\nincluding IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot. This operation significantly impacted the\r\nbotnets by compromising their operations and shutting down their infrastructure. Although Latrodectus was not mentioned\r\nin the operation, it was also affected and its infrastructure went offline. As pointed out in this article by Proofpoint and Team\r\nCymru S2, the infrastructure of Latrodectus and IcedID overlapped with each other.\r\nLatrodectus is a loader capable of downloading and executing additional payloads and modules to extend its own\r\nfunctionally. Active since at least October 2023, this malware is usually distributed through email spam campaigns,\r\nprimarily by two threat actors known as TA577 and TA578.\r\nIn this article we provide a technical analysis of Latrodectus and some insights about its victims up until Operation\r\nEndgame.\r\nBlog contents:\r\nLatrodectus bot analysis\r\nAnti analysis\r\nMutex\r\nWindows API resolution\r\nStrings decryption\r\nBot ID\r\nGroup and Group ID\r\nC2 decryption\r\nThe update data .dat file\r\nPersistence\r\nCommunications protocol\r\nCampaigns and victims\r\nConclusions\r\nIndicators\r\nUpon execution, Latrodectus resolves all needed Windows APIs by hash, performs checks to determine if it is running inside\r\na sandbox, and checks for other instances of itself to avoid infecting the same machine twice. If the system passes these\r\nchecks, the malware installs itself and registers with the command and control (C2) server. Once registered, the bot stays in\r\na loop to request additional instructions.\r\nAnti analysis\r\nUpon starting, Latrodectus ensures that it is not running in a contained environment like a sandbox. 
If any of the steps described below fail, the malware aborts execution.\r\nDebugger check\r\nThis check simply verifies whether the BeingDebugged flag is set in the Process Environment Block (PEB).\r\nhttps://www.bitsight.com/blog/latrodectus-are-you-coming-back\r\nPage 1 of 18\n\nFigure 1: Check PEB BeingDebugged flag\r\nTotal running processes check\r\nIn this check, the malware looks at the total number of running processes. Latrodectus expects at least 75 running processes for Windows 10 and later, and at least 50 processes for versions earlier than Windows 10.\r\nFigure 2: Total number of processes\r\nSystem architecture check\r\nThis check is intended to determine whether the malware is running on a 64-bit host.\r\nFigure 3: System architecture\r\nMAC address check\r\nThis check validates the MAC addresses of all network adapters in the system to ensure they are valid and of the correct size.\r\nFigure 4: MAC address check\r\nMutex\r\nLatrodectus attempts to create a mutex named running; if creation fails or the mutex already exists, it terminates execution. This mechanism prevents multiple infections on the same machine.\r\nFigure 5: Mutex creation\r\nWindows API resolution\r\nAll necessary Windows APIs are resolved at the beginning of execution. To do so, Latrodectus finds the base addresses of kernel32.dll and ntdll.dll by traversing the Process Environment Block (PEB) structure. Below is the function responsible for retrieving the base address, which takes the CRC32 hash value of the DLL name Unicode string and returns the base address.\r\nFigure 6: Find dll base from PEB\r\nAfter resolving the base addresses of kernel32.dll and ntdll.dll, it resolves the base addresses of additional libraries such as user32.dll, wininet.dll, shell32.dll, advapi32.dll, urlmon.dll, shlwapi.dll, ole32.dll, and iphlpapi.dll. 
To do so, it enumerates all DLL files inside the C:\\Windows\\system32\\ folder and compares the CRC32 hash value of each Unicode name string with the target value. If there is a match, Latrodectus calls LoadLibraryW to load the target library and get its base address.\r\nFigure 7: Load additional libraries\r\nAfter loading all needed DLLs, Latrodectus resolves all the necessary APIs by comparing the CRC32 hash value of the exported function names with the target values. All pointers to the APIs are saved in global variables.\r\nFigure 8: API resolution\r\nStrings decryption\r\nWhenever Latrodectus needs to decrypt a string, it calls a function that takes two arguments: a pointer to the buffer containing the encrypted string blob as the first argument, and a pointer to the output buffer where the plain text string will be stored as the second argument.\r\nFigure 9: String decryption\r\nAll encrypted strings start with a 6-byte header. The first 4 bytes contain the initial XOR seed and the next 2 bytes contain the length of the XOR-encrypted string. The decrypt function walks the encrypted string bytes and XORs them with the seed. The seed changes at every iteration using a pseudo-random number generator (PRNG)-like function.\r\nFigure 10: PRNG function\r\nIn the latest version of Latrodectus, the PRNG-like function has been simplified. As seen below, the seed is now simply incremented by 1 at every iteration.\r\nFigure 11: New PRNG function\r\nMalware developers usually make decryption routines more complex with updates, but here they did the opposite.\r\nBot ID\r\nLatrodectus creates a unique bot ID for each victim based on the volume serial number. 
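Before moving on to the bot ID, the string blob layout from the Strings decryption section above, worked as an added Python example that is not code from the Bitsight article or from the malware: a 4-byte initial seed, a 2-byte length, then the XOR-encrypted bytes, with the seed advanced after every byte. Two details the article leaves to its figures are taken as assumptions here: little-endian header fields, and the low byte of the current seed as the XOR key. The seed update is a parameter so the older PRNG-like variant can be dropped in once recovered from a sample; only the simplified update of the latest version (seed plus 1 per byte) is implemented, since the article does not give the older formula. The two C2 blobs are constructed locally with the matching encrypt helper and are not taken from a real sample.

```python
import struct

# Added example (not Bitsight code). Latrodectus string blob: 4-byte seed,
# 2-byte length, encrypted bytes. Assumptions are marked in the comments.

MASK32 = 0xFFFFFFFF


def next_seed_v13(seed: int) -> int:
    # Simplified update of the latest version: the seed is incremented by 1
    # on every iteration (kept to 32 bits).
    return (seed + 1) & MASK32


def decrypt_string(blob: bytes, next_seed=next_seed_v13) -> str:
    # Header layout (little-endian byte order is an assumption):
    #   offset 0: uint32 initial XOR seed
    #   offset 4: uint16 length of the encrypted string
    #   offset 6: the encrypted bytes
    if len(blob) < 6:
        raise ValueError('blob shorter than the 6-byte header')
    seed, length = struct.unpack_from('<IH', blob, 0)
    body = blob[6:6 + length]
    if len(body) != length:
        raise ValueError('blob truncated: header promises %d bytes' % length)
    out = bytearray()
    for b in body:
        # Assumption: only the low byte of the seed is used as the XOR key.
        out.append(b ^ (seed & 0xFF))
        seed = next_seed(seed)
    return out.decode('latin-1')


def encrypt_string(plain: str, seed: int, next_seed=next_seed_v13) -> bytes:
    # Inverse operation; used here only to build test blobs offline.
    data = plain.encode('latin-1')
    out = bytearray(struct.pack('<IH', seed & MASK32, len(data)))
    for b in data:
        out.append(b ^ (seed & 0xFF))
        seed = next_seed(seed)
    return bytes(out)


# Constructed sample: the two embedded C2 servers a sample always carries,
# encrypted with the v1.3-style seed update. Not real Latrodectus data.
SAMPLE_C2_BLOBS = [
    encrypt_string('https://example.invalid/live/', 0x19660D),
    encrypt_string('https://example2.invalid/live/', 0xDEADBEEF),
]


def decrypt_c2_table(blobs=SAMPLE_C2_BLOBS) -> list:
    # Decrypt both C2 strings the way the bot does at start-up.
    return [decrypt_string(blob) for blob in blobs]


if __name__ == '__main__':
    for url in decrypt_c2_table():
        print(url)
```

Pointing decrypt_string at the two embedded C2 blobs is the core of a config extractor for this family; a wrong endianness or seed-update assumption shows up immediately as non-printable output, which is the first thing to check against Figure 10 or 11 of the sample at hand. The article does not state whether update_data.dat uses the same scheme, so that file is not covered here.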
To build it, Latrodectus first grabs the serial using the Windows API GetVolumeInformationW.\r\nFigure 12: Volume serial\r\nThe volume serial number is subsequently passed to another function, where the bot ID is generated from this number together with the hardcoded constant 0x19660D.\r\nFigure 13: Bot ID generation\r\nAs the final step, the generated bot ID is converted to a hexadecimal string using the following format: %04X%04X%04X%04X%08X%04X.\r\nFigure 14: Bot ID string\r\nGroup and Group ID\r\nAll Latrodectus samples contain an encrypted string which is the group name/campaign identifier. Latrodectus FNV-1a hashes this string to calculate the group ID, which is later used in the communication protocol.\r\nFigure 15: Group ID\r\nC2 decryption\r\nLatrodectus samples always contain two encrypted command and control (C2) servers. These C2 servers are decrypted like any other string and are stored within a memory structure.\r\nFigure 16: C2 server decryption\r\nThe update data .dat file\r\nBefore starting the communication routines, Latrodectus checks for the existence of the file %appdata%\\Custom_update\\update_data.dat. If the file exists, it reads and decrypts its content. This file contains updated C2 URLs sent by the hardcoded C2 servers found within the sample.\r\nFigure 17: Update C2 servers\r\nIf Latrodectus is running for the first time, the update_data.dat file will not exist. 
This file is only written to disk when the malware receives an updated list of C2 servers.\r\nFigure 18: Save dat file to disk\r\nPersistence\r\nIf the malware is not running from within the Appdata folder, it copies itself to a file named %appdata%\\Custom_update\\Update_%x.dll and deletes the original, where %x is replaced with a 4-byte integer in hex format (8 characters in total). This integer is the result of multiplying the volume serial number by the hardcoded constant 0x19660D.\r\nFigure 19: Move itself to Appdata\r\nAfterwards, it uses the Microsoft Component Object Model (COM) to create a scheduled task named Updater, ensuring that the malware runs at every logon.\r\nFigure 20: COM persistence\r\nCommunications protocol\r\nLatrodectus uses POST requests over HTTPS to register itself with the C2 servers and receive additional instructions and commands. The data sent in the HTTP body (referred to as beacon data) is RC4 encrypted with the key 12345 and base64 encoded.\r\nNote: This RC4 key was used in the initial campaigns but has since been changed. Check the Indicators section for a complete list of all known RC4 keys.\r\nLatrodectus sends requests at intervals ranging from 7.5 to 10 minutes. 
However, the C2 server can send a specific command to change the interval to 25 to 35 minutes.\r\nAnother interesting aspect of the communications protocol is that Latrodectus always uses Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) as the user agent string, and the requests are always sent to the /live/ endpoint. Both values are constant, which makes them useful network detection pivots.\r\nFigure 21: Latrodectus POST request\r\nBeacon data\r\nBefore sending the HTTP POST request, Latrodectus builds a string with the following format: counter=%d\u0026type=%d\u0026guid=%s\u0026os=%d\u0026arch=%d\u0026username=%s\u0026group=%lu\u0026ver=%d.%d\u0026up=%d\u0026direction=%s. This is referred to as the base beacon, as this data is always included in every request.\r\nFigure 22: Base beacon\r\nBase beacon fields (field: description):\r\ncounter: total number of HTTP requests sent so far\r\ntype: beacon type. 1 is a normal beacon, 2 is running outside of Appdata, 3 is a sysinfo beacon, 4 is a process list beacon, 5 is a desktop links beacon\r\nguid: bot ID string\r\nos: major version of Windows\r\narch: always 1, which refers to x64\r\nusername: username string\r\ngroup: FNV-1a hash of the group string, aka campaign identifier\r\nver: major and minor version of the malware. Known versions are 1.1, 1.2, and 1.3\r\nup: hardcoded value that changes between samples\r\ndirection: current C2 domain to which the request is sent\r\nIf the beacon field counter is zero, Latrodectus sends the registration beacon. To do so, it appends the following three extra fields to the base beacon.\r\nExtra fields (field: description):\r\nmac: list of MAC addresses of the infected system, each MAC terminated with a ;\r\ncomputername: hostname of the infected system\r\ndomain: domain name. 
If the system is not part of a domain this field is filled with a -\r\nThe complete registration beacon looks like this:\r\ncounter=%d\u0026type=%d\u0026guid=%s\u0026os=%d\u0026arch=%d\u0026username=%s\u0026group=%lu\u0026ver=%d.%d\u0026up=%d\u0026direction=%s\u0026mac=%s\u0026computername=%s\u0026domain=%s\r\nLatrodectus encrypts the beacon string using RC4 with the key 12345, base64 encodes it, and sends it to the C2 server.\r\nFigure 23: RC4 encryption + Base64 encoding\r\nC2 instructions and commands\r\nThe response from the C2 is also RC4 encrypted using the same key 12345 and base64 encoded. It can contain several instructions delimited by newline characters \\n, with the arguments of each instruction separated by the | character.\r\nFigure 24: Decrypted C2 response\r\nList of available instructions (instruction: description):\r\nURLS: sends a new server to be stored in the update C2 table at a given index\r\nCLEARURL: cleans up/resets the update C2 table\r\nCOMMAND: sends a command to be executed by the bot; the commands are identified by an ID number\r\nERROR: sends an error message to the bot\r\nThe COMMAND instruction is crucial as it directs the bot to perform specific actions. 
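The request and response framing described in this section (RC4 with the key 12345, then base64, in both directions), the FNV-1a group ID, and the newline and pipe delimited instruction format, as an added Python example that is not code from the Bitsight article or from the malware. The RC4 and FNV-1a routines are textbook implementations; the argument order of URLS (index, then server) and the way the front:// placeholder is joined to the current C2 domain are assumptions, and the C2 response being parsed is constructed, not captured. The group hash of the campaign name test reproduces the value 2949673445 listed in the Campaigns and victims section.

```python
import base64

# Added example (not Bitsight code). Beacon construction, RC4 + base64 framing
# and C2 response parsing as described in the article. Assumptions are marked.


def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4 (KSA + PRGA). The same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def fnv1a32(text: str) -> int:
    # 32-bit FNV-1a over the group string; this is the group beacon field.
    h = 0x811C9DC5
    for byte in text.encode('latin-1'):
        h = ((h ^ byte) * 0x01000193) & 0xFFFFFFFF
    return h


BASE_BEACON_FMT = ('counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s'
                   '&group=%lu&ver=%d.%d&up=%d&direction=%s')
RC4_KEY = b'12345'   # key of the initial campaigns; later samples use other keys


def build_base_beacon(counter, btype, guid, os_major, username, group, ver, up, direction):
    # arch is always 1 (x64) and group is the FNV-1a hash of the campaign name.
    return BASE_BEACON_FMT % (counter, btype, guid, os_major, 1, username,
                              fnv1a32(group), ver[0], ver[1], up, direction)


def build_registration_beacon(guid, os_major, username, group, ver, up,
                              direction, macs, computername, domain):
    # counter 0 marks the registration beacon; each MAC must end with a
    # semicolon and a missing domain is sent as -.
    base = build_base_beacon(0, 1, guid, os_major, username, group, ver, up, direction)
    mac_list = ''.join(m + ';' for m in macs)
    return base + '&mac=%s&computername=%s&domain=%s' % (mac_list, computername, domain or '-')


def wrap(plain: bytes, key: bytes = RC4_KEY) -> str:
    # Body framing used in both directions: RC4, then base64.
    return base64.b64encode(rc4(key, plain)).decode('ascii')


def unwrap(body: str, key: bytes = RC4_KEY) -> bytes:
    return rc4(key, base64.b64decode(body))


def parse_instructions(plain: str, current_c2: str) -> list:
    # One instruction per line, arguments separated by |. For COMMAND the first
    # argument is the numeric command ID and the optional second one is passed
    # to the handler; a front:// prefix stands for https://<current C2 domain>
    # (joining the remainder with a slash is an assumption).
    parsed = []
    for line in plain.splitlines():
        if not line.strip():
            continue
        name, *args = line.split('|')
        if name == 'COMMAND':
            cmd_id = int(args[0])
            arg = args[1] if len(args) > 1 else None
            if arg is not None and arg.startswith('front://'):
                arg = 'https://' + current_c2 + '/' + arg[len('front://'):]
            parsed.append(('COMMAND', cmd_id, arg))
        else:
            parsed.append((name, *args))
    return parsed


# Constructed C2 response (not a real capture): URLS argument order (index,
# server) is an assumption; command 21 fetches the stealer module stkm.bin.
SAMPLE_RESPONSE = '''URLS|0|https://example.invalid/live/
COMMAND|21|front://stkm.bin
COMMAND|19
ERROR|unknown group'''


def roundtrip_sample(current_c2: str = 'example.invalid') -> list:
    # Frame the sample as the server would, then decode and parse it as the bot does.
    wire = wrap(SAMPLE_RESPONSE.encode('latin-1'))
    return parse_instructions(unwrap(wire).decode('latin-1'), current_c2)


if __name__ == '__main__':
    beacon = build_registration_beacon('DEADBEEF', 10, 'alice', 'test', (1, 3), 1,
                                       'example.invalid', ['00:11:22:33:44:55'], 'WS01', '')
    print(beacon)
    print(wrap(beacon.encode('latin-1')))
    for instr in roundtrip_sample():
        print(instr)
```

Swapping RC4_KEY for one of the other keys in the Indicators section is all that is needed to decode beacons from later campaigns; because the same framing is used in both directions, unwrap applied to a captured POST body yields the plaintext beacon with the guid, group and counter fields readable, and applied to the response body it yields the instruction lines.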
COMMAND takes the command ID as its first argument and can receive a second argument that is passed to the function implementing the command.\r\nHere is a list of all available commands implemented in the bot (command ID: description):\r\n2: Collect desktop filenames\r\n3: Collect running processes\r\n4: Collect sysinfo\r\n12: Download and execute EXE file\r\n13: Download and execute DLL file via rundll32\r\n14: Download and execute shellcode\r\n15: Download and execute update EXE file (self update)\r\n17: Uninstall\r\n18: Download and execute Anubis aka IcedID\r\n19: Extra sleep (increase next sleep time)\r\n20: Reset counter (HTTP request counter)\r\n21: Download and execute stealer module\r\nSome commands affect both the beacon type and the data of the next request to the C2 server, so let's review those.\r\nCommand ID 2 - Collect desktop files\r\nThis command collects the desktop filenames and builds a list as follows: \u0026desklinks=[\"filename1\", \"filename2\", ...].\r\nFigure 25: Enumerate desktop filenames\r\nThe list is added to the base beacon, and the beacon field type is set to 5, indicating a desktop links beacon.\r\nFigure 26: Desktop links beacon\r\nThe complete beacon string for the desktop links beacon looks like the following:\r\ncounter=%d\u0026type=%d\u0026guid=%s\u0026os=%d\u0026arch=%d\u0026username=%s\u0026group=%lu\u0026ver=%d.%d\u0026up=%d\u0026direction=%s\u0026desklinks=[\"filename1\", \"filename2\", ...]\r\nCommand ID 3 - Collect running processes\r\nThis command collects the list of running processes and builds a list as follows: \u0026proclist=[{\"pid\": \"%d\",\"proc\": \"%s\",\"subproc\": []}, ...] 
.\r\nFigure 27: Enumerate running processes\r\nThe list is added to the base beacon, and the beacon field type is set to 4, indicating a process list beacon.\r\nFigure 28: Process list beacon\r\nThe complete beacon string for the process list beacon looks like the following:\r\ncounter=%d\u0026type=%d\u0026guid=%s\u0026os=%d\u0026arch=%d\u0026username=%s\u0026group=%lu\u0026ver=%d.%d\u0026up=%d\u0026direction=%s\u0026proclist=[{\"pid\": \"%d\",\"proc\": \"%s\",\"subproc\": []}, ...]\r\nCommand ID 4 - Collect sysinfo\r\nThis command executes a pre-defined list of reconnaissance commands and stores the output of each in an in-memory structure.\r\nFigure 29: Reconnaissance commands\r\nHere is the complete list of commands Latrodectus executes on an infected system after receiving this command from the C2 server, along with their respective beacon extra fields (extra field: command):\r\nrealip: request public IP from https://ifconfig.me\r\nipconfig: cmd.exe /c ipconfig /all\r\nsysteminfo: cmd.exe /c systeminfo\r\ndomain_trusts: cmd.exe /c nltest /domain_trusts\r\ndomain_trusts_all: cmd.exe /c nltest /domain_trusts /all_trusts\r\nnet_view_all_domain: cmd.exe /c net view /all /domain\r\nnet_view_all: cmd.exe /c net view /all\r\nnet_group: cmd.exe /c net group \"Domain Admins\" /domain\r\nwmic: wmic.exe /Node:localhost /Namespace:\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List\r\nnet_config_ws: cmd.exe /c net config workstation\r\nnet_wmic_av: cmd.exe /c wmic.exe /node:localhost /namespace:\\root\\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed\r\nwhoami_group: cmd.exe /c whoami /groups\r\nLatrodectus base64 encodes the outputs and appends them to the base beacon using the extra fields from the table above. Executed back to back on one host, this sequence (nltest trust enumeration, net view, the Domain Admins group query, whoami /groups and the SecurityCenter2 antivirus query) is a strong hunting signal whatever loader spawned it.\r\nThe beacon 
field type is set to 3, indicating a sysinfo beacon.\r\nFigure 30: Sysinfo beacon\r\nThe complete beacon string for the sysinfo beacon looks like the following:\r\ncounter=%d\u0026type=%d\u0026guid=%s\u0026os=%d\u0026arch=%d\u0026username=%s\u0026group=%lu\u0026ver=%d.%d\u0026up=%d\u0026direction=%s\u0026realip=\u003cbase64\u003e\u0026ipconfig=\u003cbase64\u003e\u0026systeminfo=\u003cbase64\u003e\u0026domain_trusts=\u003cbase64\u003e\u0026domain_trusts_all=\u003cbase64\u003e\u0026net_view_all_domain=\u003cbase64\u003e\u0026net_view_all=\u003cbase64\u003e\u0026net_group=\u003cbase64\u003e\u0026wmic=\u003cbase64\u003e\u0026net_config_ws=\u003cbase64\u003e\u0026net_wmic_av=\u003cbase64\u003e\u0026whoami_group=\u003cbase64\u003e\r\nCommand ID 21 - Download and exec stealer module\r\nWhen Latrodectus receives command ID 21, it also receives as an argument the filename of the DLL file hosted on the C2 server. In the response below, the filename is stkm.bin, and the front:// prefix is a placeholder that the bot replaces with https://\u003ccurrent C2 domain\u003e\r\nFigure 31: C2 response with command ID 21\r\nLatrodectus downloads the module DLL and spawns a new thread to execute it and collect the data.\r\nFigure 32: DLL download and thread creation\r\nThe data collected by the stealer module is stored in a buffer with the following format: \u0026stiller=\u003cdata\u003e. 
This data is then added to the next beacon string, with the beacon field type set to 21, indicating a stealer beacon.\r\nFigure 33: Stealer beacon\r\nCampaigns and victims\r\nWe tracked 10 different group names associated with Latrodectus and observed nearly 5,000 distinct victims across all campaigns.\r\nLatrodectus Groups/Campaigns (group: group ID, FNV-1a hash):\r\ntest: 2949673445\r\nNovik: 1053565364\r\nOlimp: 445271760\r\nLiniska: 2020984416\r\nTrust: 2317793045\r\nSupted: 1081065992\r\nLittlehw: 510584660\r\nFacial: 3828029093\r\nElectrol: 2221766521\r\nCompati: 3581839234\r\nThe top 10 most affected countries are:\r\nUnited States (652)\r\nUnited Kingdom (444)\r\nNetherlands (439)\r\nPoland (360)\r\nFrance (349)\r\nCzechia (284)\r\nJapan (244)\r\nAustralia (229)\r\nGermany (228)\r\nCanada (187)\r\nFigure 34: Complete distribution of victims\r\nConclusions\r\nThanks to Operation Endgame, Latrodectus is currently offline. There is a possibility that the threat actors will attempt to revive the botnet and improve its overall operational security to prevent future disruptive actions. 
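Should the operators bring the botnet back, the traits most likely to survive a rebuild are the host-side reconnaissance burst issued by Command ID 4 and the fixed HTTP characteristics (the Tob 1.1 user agent and the /live/ endpoint). The Python below is an added hunting example, not part of the Bitsight article and not the malware's code: it runs over constructed process-creation events and proxy log lines (both made up here, the proxy lines in a simplified comma-separated layout) and flags a host that executes four or more distinct recon commands from the article's list within five minutes, plus POSTs to a /live/ path carrying the fixed user agent. The window and threshold are tuning assumptions, not values from the article.

```python
from datetime import datetime, timedelta

# Added hunting example (not Bitsight code). Host side: the reconnaissance
# burst that Command ID 4 triggers. Network side: the fixed POST target and
# user agent. All inputs below are constructed sample records.

# Command-line fragments from the article's Command ID 4 list, keyed by the
# beacon field each output feeds. Matched case-insensitively as substrings, so
# the /domain and /all_trusts variants collapse onto the shorter markers.
RECON_MARKERS = {
    'ipconfig': 'ipconfig /all',
    'systeminfo': 'systeminfo',
    'domain_trusts': 'nltest /domain_trusts',
    'net_view_all': 'net view /all',
    'net_group': 'domain admins',
    'wmic': 'securitycenter2',
    'net_config_ws': 'net config workstation',
    'whoami_group': 'whoami /groups',
}
WINDOW = timedelta(minutes=5)   # tuning assumptions, not values from the article
MIN_DISTINCT = 4


def recon_bursts(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    # events: dicts with ts (ISO 8601), host and cmdline. Returns the hosts
    # that ran at least min_distinct different recon commands inside one
    # window, mapped to the sorted beacon field names that were matched.
    by_host = {}
    for ev in events:
        cmdline = ev['cmdline'].lower()
        hits = [name for name, marker in RECON_MARKERS.items() if marker in cmdline]
        if hits:
            by_host.setdefault(ev['host'], []).append((datetime.fromisoformat(ev['ts']), hits))
    alerts = {}
    for host, seen in by_host.items():
        seen.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(seen):
            names = set()
            for ts, hits in seen[i:]:
                if ts - start > window:
                    break
                names.update(hits)
            if len(names) >= min_distinct:
                alerts[host] = sorted(names)
                break
    return alerts


LATRODECTUS_UA = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)'


def suspicious_posts(proxy_lines):
    # Constructed proxy format: ts,host,method,url,user_agent. Flag POSTs to a
    # /live/ path that carry the fixed user agent.
    flagged = []
    for line in proxy_lines:
        ts, host, method, url, ua = line.split(',', 4)
        if method == 'POST' and url.rstrip('/').endswith('/live') and ua == LATRODECTUS_UA:
            flagged.append((host, url))
    return flagged


SAMPLE_EVENTS = [
    {'ts': '2024-05-20T09:00:00', 'host': 'ws01', 'cmdline': 'cmd.exe /c ipconfig /all'},
    {'ts': '2024-05-20T09:00:02', 'host': 'ws01', 'cmdline': 'cmd.exe /c systeminfo'},
    {'ts': '2024-05-20T09:00:03', 'host': 'ws01', 'cmdline': 'cmd.exe /c nltest /domain_trusts /all_trusts'},
    {'ts': '2024-05-20T09:00:05', 'host': 'ws01', 'cmdline': 'cmd.exe /c net view /all /domain'},
    {'ts': '2024-05-20T09:00:06', 'host': 'ws01', 'cmdline': 'cmd.exe /c whoami /groups'},
    # An admin on ws02 runs two of the same commands an hour apart: below threshold.
    {'ts': '2024-05-20T10:00:00', 'host': 'ws02', 'cmdline': 'cmd.exe /c ipconfig /all'},
    {'ts': '2024-05-20T11:00:00', 'host': 'ws02', 'cmdline': 'cmd.exe /c systeminfo'},
]
SAMPLE_PROXY = [
    '2024-05-20T09:01:00,ws01,POST,https://example.invalid/live/,' + LATRODECTUS_UA,
    '2024-05-20T09:01:30,ws03,GET,https://example.invalid/live/,Mozilla/5.0',
    '2024-05-20T09:02:00,ws04,POST,https://example.invalid/api/,' + LATRODECTUS_UA,
]

if __name__ == '__main__':
    print(recon_bursts(SAMPLE_EVENTS))
    print(suspicious_posts(SAMPLE_PROXY))
```

The host-side rule is the more durable of the two: a new RC4 key or a fresh set of domains changes nothing about the recon commands the bot has to run to profile a victim, while the user agent and endpoint are a cheap pivot until the operators change them.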
At Bitsight we will\r\ncontinue to monitor the activity of these threat actors and be on the lookout for new infrastructure related to Latrodectus.\r\nBitsight thanks the following organizations for supporting this research: Registrar of Last Resort (RoLR), Radix, ShortDot,\r\nBestTLD, DoMEn, CentralNic.\r\nFile hashes\r\nLatrodectus bot:\r\n5edc39cbd89d3ba70a4737f823933af93f3c182134af8e34e0af9a316afaaca8\r\n9fad77b6c9968ccf160a20fee17c3ea0d944e91eda9a3ea937027618e2f9e54e\r\ne5aed4e2fdda9242d6a723ece8c6d7b2b2a3f1f82abcac66e1480b6794c23bfc\r\nhttps://www.bitsight.com/blog/latrodectus-are-you-coming-back\r\nPage 15 of 18\n\n3e0524346e447a3dcadc528ec3a009c8b34cf3c0d1c7423c4d168b432b2c8b72\r\n465f931e8a44b7f8dff8435255240b88f88f11e23bc73741b21c20be8673b6b7\r\n9e7fdc17150409d594eeed12705788fbc74b5c7f482a64d121395df781820f46\r\nda6ca4c2fc0ef28c2a59874164ce691e74a2f41329d59b0344282bfdf4eb2324\r\nf419c4f9ee51391da7ef8b679683593ed76181b1a5702c58944ba64adeb25cd9\r\n6091f2589fef42e0ab3d7975806cd8a0da012b519637c03b73f702f7586b21ef\r\n1d7e154b07ff64d36c57af9a4d6f95d6f108112e7df433ced840b77b32b3b1e2\r\nac096895773aab31910cee9d9611fbf3fcf7b2ba76678237ecd676d350c91c9c\r\n7040402574a686f031c3af5fed37509d8979855397787aab70b2d1059099d2da\r\n5d36d2cbf0a92c31692861af5c43b7faee35a2c13a36a7d6f4bdca27d2fa1dbe\r\n34aff1767909ff582d15949922549fddb5849f163260ad3efdc32d4f869fdf09\r\nd38643133189bc880af537a371087e2e34fa36e0f96fd19a42969d3bc72fe95b\r\n9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534\r\n805b59e48af90504024f70124d850870a69b822b8e34d1ee551353c42a338bf7\r\n535da28d4c95d3b379336314471f118dc99ce4a85d97fdf0b9cc6afb22da02d9\r\nbb7cb5aea4192a035376d380682716235fdb4809d06b63b63d6d6d1061a5c231\r\n03e0ca10cbf06f45fefd102dc8e42665729d8891e047348dea7dcceb9b5559cc\r\ne8263e35b92634d20e61a78c12bc95aab476381b5f03364d9fbb5d74b8fb2eb8\r\nfbaa36fbd8f43d80ecc3c8c26701de0beca3db8402af5e8ce27105a68e918082\r\n65da6d9f781ff5fc2865b8850cfa64993b36f00151387fdce25859781c1eb711\r\n8299972879
ce911c095668360ea47e0be1dfaf17b62b64ada8a613eaaabd86ea\r\n80f167003759e598fcd7cb868d90e60c77af4da5971afc9cda1f552d1325d2d7\r\nd8b902568386f588fb2d42a77cd39062ada13c9a3fed0adf20ab6510f3b4a681\r\n2b44b68e36c30aa9096429eeb0456e3b34b09dc3ea2ce0bd81aee2393bb3cfe4\r\nf5d01d8ebee528426c2312469e593beca132a1ecc2c664582852d400f055d24a\r\nd458a1459e865ba6faeca30447fba1f7813cf8e3e5e4c454c4d93d1a2b345805\r\nd8a5afdf8311eb92eae60c9774fc1b0b138f436affe99b2c64dbe93d8c07fcce\r\nfc4932314471c91434fde050e85967de31701e0b391440c1c5f9aa5d6fde615d\r\n38450cf934121c9f92785beffb73602919014752310960768324029d9ba91e13\r\n5562c6ad5765792def276e009395a57a6bf841c87cddefb6f8e8d75b74076e83\r\nca15d149f53a51592c80c57e64de73e090777749422525d22b3b096a1ae75a4a\r\na94693776f14544219fca02959c2d2d095014a9ef2dd0deb4a68af4f39fb44bb\r\n388021747b85453adff2680c8a0e13e230f4eeada1a1055e3fb8e09800d4fb79\r\n72db19a5ccc7e378e72bd3cf8339280fc47f05b5ff65b1fb3893be6369a5c8bf\r\n326d297b441a40bb3f53bb55cb727e0fbed422470977ca167b1c919029be746b\r\n3243e67a2ebad9bfd8746d7c2d48eb8a7241fd09ca19c4c9adfc08fa4923c212\r\nef5db8b473e279620207777c42ef9ad14adf8b100ceb20dc4f7e1bd5271ecd3c\r\nb740a321546671ad7ebdf540189cbea05a2307b0033f2e17535c23bb38217a91\r\nfc21a125287c3539e11408587bcaa6f3b54784d9d458facbc54994f05d7ef1b0\r\n232adaf8b3b2680c04df97c19c7d81edeb80444936741859b1a1f27245ed90c0\r\na547cff9991a713535e5c128a0711ca68acf9298cc2220c4ea0685d580f36811\r\n4b04d68c3fb64a945cc674a6153bef936cddf7562060ba0f6491823e65832df2\r\nf03d30b1f691c64ddc8c044cfe5b7f2e41c997c032bbb40606fdbae010d3141d\r\na1e74120c32162d18c0245a8390360e9b63a11887e396c270e0ed35296952598\r\n39560737786ab991c38a607b520bdc7c5345135120cfb54343d7e7f6da5e2632\r\n4089f000d8345012ec48d4e6ab6462d4310dce81a152b185cd9f8a5ac8ae7088\r\nd1d691babaacf66e54d48439cc667be062f05c1a1d08c67e6c0a185010f30c73\r\nb6b4c61084bd6cb38cadf548a7463b5a053ee989bbf91dff0199338f8344f848\r\n1bed9c089a3c1dd81a17834827129022f8cf417e86e6f9f15bd43ed3ac62e303\r\n320003269cedbd3f177fefcda92050272d94a9
0ceeae5a235d95de67912c0408\r\n2c6b753a8dd1cf1e286c1c8db9c42e20be341086006788cfda6a5ab36c3b83db\r\nhttps://www.bitsight.com/blog/latrodectus-are-you-coming-back\r\nPage 16 of 18\n\ne68c0df322df91bcc0d1b50881238728464a2bc05705925745df44877db2b6c4\r\nb4885bb4b4d07c2fc343a50ddb3eaf7f4f22ffca4fc795797e71457d5660524f\r\nf186303dbd218f7aef0967090b2264d108f8656ca44958f8a4264d49304b1754\r\n9470f972c6ce0d7c41e9d2caad45f0d9adf172336fe158e747cdd1b86a7514a9\r\nb9e38a709c123ef5c20af347dc16376ae0f7fab6b49eb35f434b1572eb785193\r\n53b0d542af077646bae5740f0b9423be9fb3c32e04623823e19f464c7290242f\r\n3f22ede88af7e0c37c8ac521605540bc186ae10db639ee643cd7112e40f64806\r\n378b83dca8c8e59b61d88368995030f987baa6b2da1246a20b276a9a89400488\r\nd1e2e287c96c290e161c553d99a115e7d72f83f23c850621169a27cca936f51b\r\n5bbc2e4991497b97eae9814dc29d7ee17a12cfabce2ed76d501da313a3f63ff5\r\n204d74023d3a943128369831e2a5e18e90d940373481b38c70909575ed483d2d\r\na0c4e90970c692d775067bf02dff5ea061afe0d6a0ccd4de93ffe582fd31ce49\r\n063d6865a097b0a674b3cfa483ef6e8d87bda0b46234dc916e8cb62ae14e1a69\r\n49a33a61fdb463fabb1e09c8bc0d16c84791d2b51ab11ee368f757e968b55c02\r\n26d51dce0caeb68a9787923b3e3a61704ee3e0ca933c07ef6f2c266eae23610a\r\ndf3f2893b0493532e5a22903d3f4561152f1770f8614fe3ab2c00fb4fdaa9b74\r\n09a4a3eeb7d9ff6b2bcaf85f163b6efa43c3723373bf038edc25142335b4c5d7\r\n2c9b47928c207ea67f08658f61d1aafedd8443e6640c5fb69249a127295ba5db\r\ne4cd8ecb1ac4f1cd4230269de167e605c2ecfaf269569234a79b526820baf352\r\nd855daede0b97277d68e04c73ef0f2a36690faa77539914aa7948ee045427042\r\nb9cd37a65e73cfcdf689c1581c794d545ad01d1efe78cdc8b565345c2ab4bf66\r\n9f5b35edb30ad89c8eb3cf177ff0514b357b4e454661b7911242633aa6899e56\r\nf5548ccbb81261f03b643b0f5204b609430af6c8d40a50859768db941a99f713\r\n5126379962961347c0573fa2de2de95b0cdb75d636fd0e39c345fb1d967b54d5\r\n8c064adc47d8b36363262d2d0299f8d688621e38678b84e038b04f6da24af115\r\nStealer module\r\n988565f1618eafa7a7447b3c3b1785d07bfde0db37e0da3ee11de1a1ebf09725\r\nSysinfo 
module:\r\n47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399\r\nC2 domains\r\nantyparkov.site\r\naplihartom.com\r\naprettopizza.world\r\narsimonopa.com\r\naytobusesre.com\r\ndrendormedia.com\r\ndrifajizo.fun\r\nfasestarkalim.com\r\nfluraresto.me\r\nfrotneels.shop\r\nganowernis.com\r\nganstaeraop.shop\r\nginzbargatey.tech\r\ngoalcempiz.com\r\ngrebiunti.top\r\ngrizmotras.com\r\ngrunzalom.fun\r\nilloskanawer.com\r\njarinamaers.shop\r\njertacco.com\r\nkokcheez.website\r\nlemonimonakio.com\r\nmastralakkot.live\r\nmazdakrichest.com\r\nmiistoria.com\r\nminndarespo.icu\r\nniceburlat.me\r\nnimeklroboti.info\r\npeermangoz.me\r\npewwhranet.com\r\nplwskoret.top\r\npopfealt.one\r\npostolwepok.tech\r\nqaliharsit.tech\r\nriverhasus.com\r\nsaicetyapy.space\r\nscifimond.com\r\nskinnyjeanso.com\r\nsluitionsbad.tech\r\nstartmast.shop\r\nstratimasesstr.com\r\ntitnovacrion.top\r\ntrasenanoyr.best\r\nwikistarhmania.com\r\nwinarkamaps.com\r\nworkspacin.cloud\r\nwrankaget.site\r\nzumkoshapsret.com\r\nRC4 keys\r\n12345\r\neNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6\r\nxkxp7pKhnkQxUokR2dl00qsRa6Hx0xvQ31jTD7EwUqj4RXWtHwELbZFbOoqCnXl8\r\nSource: https://www.bitsight.com/blog/latrodectus-are-you-coming-back",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitsight.com/blog/latrodectus-are-you-coming-back"
	],
	"report_names": [
		"latrodectus-are-you-coming-back"
	],
	"threat_actors": [
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434603,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a33ac58a1d90568716c289434a5afcced93c482e.pdf",
		"text": "https://archive.orkl.eu/a33ac58a1d90568716c289434a5afcced93c482e.txt",
		"img": "https://archive.orkl.eu/a33ac58a1d90568716c289434a5afcced93c482e.jpg"
	}
}