{
	"id": "669654e4-4224-4177-92d8-dbc8b07fad1a",
	"created_at": "2026-04-06T00:09:43.844169Z",
	"updated_at": "2026-04-10T13:12:26.831445Z",
	"deleted_at": null,
	"sha1_hash": "d2e5c1715b8db8d133e6a4b4dd5edcbb2a626a1c",
	"title": "Inside Intelligence Center: LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1499047,
	"plain_text": "Inside Intelligence Center: LUNAR SPIDER Enabling\r\nRansomware Attacks on Financial Sector with Brute Ratel C4 and\r\nLatrodectus\r\nArchived: 2026-04-05 16:53:59 UTC\r\nExecutive Summary\r\nIn October 2024, EclecticIQ analysts observed a malvertising campaign employing an obfuscated JavaScript\r\ndownloader known as Latrodectus [1] to deliver a malicious payload associated with Brute Ratel C4 (BRc4) [2].\r\nAnalysts assess with high confidence that this campaign is very likely linked to LUNAR SPIDER [3], a Russian-speaking, financially motivated threat actor group active since at least 2009. LUNAR SPIDER is responsible for\r\ndeveloping several high-profile malware families, including IcedID [4] and Latrodectus. IcedID malware is often\r\ndistributed via malware-as-a-service (MaaS) offerings, enabling affiliates, such as the ALPHA SPIDER/BlackCat\r\nransomware group [5], to leverage these services for initial compromise. \r\nFigure 1 – Graph view of LUNAR SPIDER malvertising campaign\r\nas seen in EclecticIQ Intelligence Center.\r\nOn May 30, 2024, the FBI and international partners executed Operation Endgame [6], dismantling the command-and-control infrastructures of at least four malware variants, including IcedID (BokBot), Smokeloader [7],\r\nPikabot [8], and Bumblebee [9]. EclecticIQ analysts assess with high confidence that LUNAR SPIDER resumed\r\noperations following law enforcement actions that disrupted their infrastructure. In their latest campaigns, the\r\nhttps://blog.eclecticiq.com/inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus\r\nPage 1 of 14\n\nactor leveraged Brute Ratel C4, demonstrating notable adaptability and determination to continue their activities\r\ndespite heightened law enforcement pressure. 
\r\nConti Leak Revealed the Connection Between LUNAR SPIDER and WIZARD SPIDER Members\r\nEclecticIQ analysts assess with high confidence that, based on leaked Conti ransomware group communications\r\nthat were published in 2022, LUNAR SPIDER has established significant connections within the cybercrime\r\necosystem [10]. They have very likely provided initial access to ransomware operators such as WIZARD SPIDER\r\n[11], the Russia-based group behind the TrickBot [12] malware and the Conti Ransomware-as-a-Service (RaaS)\r\n[13]. This collaboration between LUNAR SPIDER and WIZARD SPIDER has facilitated ransomware campaigns\r\nby sharing tools and infrastructures like IcedID and other services for evading EDR/AV detection. \r\nThe LUNAR SPIDER group was previously led by Vyacheslav Igorevich Penchukov [14], also known by several\r\naliases including Tank, Zeus, Zevs, Father, and TopBro. Penchukov was a key figure in LUNAR SPIDER’s\r\noperations before his arrest in Switzerland in September 2022. Figure 2 shows the leaked conversation between\r\nRussian-speaking threat actors angelo and manuel, very likely the developers inside the Conti Ransomware-as-a-Service\r\n(RaaS). The translated conversation revealed that LUNAR SPIDER leader Zeus (Penchukov) was their\r\npartner. \r\nDespite his extradition to the United States and sentencing to 18 years in prison in 2024, LUNAR SPIDER\r\ncontinues to operate, adapting to leadership changes and law enforcement actions with resilience. 
\r\nFigure 2 – Conversation between Conti Ransomware\r\n(WIZARD SPIDER) developers.\r\nAnalysts assess with high confidence that LUNAR SPIDER maintains affiliations with other ransomware groups,\r\nincluding Nemty [15] (aka: TRAVELING SPIDER) and TA2101 (aka: TWISTED SPIDER) [16], which have\r\nleveraged LUNAR SPIDER's malware IcedID to gain initial access to victim environments. These collaborations\r\nfurther emphasize LUNAR SPIDER's central role as an initial access broker in the cybercrime ecosystem. \r\nFigure 3 – Relationships of LUNAR SPIDER.\r\nLUNAR SPIDER Threat Actor Switched from IcedID to Brute Ratel C4 Malware \r\nEclecticIQ analysts assess with high confidence that LUNAR SPIDER has shifted tactics, moving away from their\r\nprevious use of IcedID (BokBot) to now leveraging Latrodectus and Brute Ratel C4 malware. \r\nAnalysts have uncovered that the threat actor group LUNAR SPIDER is behind over 200 malicious infrastructures\r\n(Figure 4) associated with both the IcedID and Latrodectus malware families. While these malware operations\r\nwere previously considered separate, they share significant overlaps in their underlying infrastructure. For\r\ninstance, both use SSL certificates with nearly identical issuer details like \"AU,\" \"Some-State,\" and \"Internet\r\nWidgits Pty Ltd.\" Additionally, LUNAR SPIDER consistently employs the same service providers, such as\r\nSHOCK-1 (ASN 395092), across both campaigns. This consistent use of shared providers and similar\r\ninfrastructure highlights how LUNAR SPIDER is efficiently coordinating its malicious activities across different\r\nmalware families. 
\r\nFigure 4 – Overlaps of infrastructures between\r\ndifferent malware variants.\r\nThe LUNAR SPIDER-associated downloader, Latrodectus, was observed targeting financial services to deploy\r\nBrute Ratel, signalling a strategic change in their malware deployment approach. This switch highlights the\r\ngroup's continued evolution and adaptation in their cyber operations, as they adopt stealthier attacks. \r\nTracking Latrodectus Infrastructures \r\nAnalysts utilized the EclecticIQ Threat Intelligence Platform (TIP), Intelligence Center, to extract malicious\r\ninfrastructures that were linked to Latrodectus. According to Open-Source Intelligence, analysts observed more\r\nthan 200 Latrodectus servers that are very likely managed by members of the LUNAR SPIDER threat actor. \r\nFigure 5 – Tracking Latrodectus infrastructures\r\nin Intelligence Center.\r\nFigure 6 highlights the top Autonomous System Numbers (ASNs) linked with previously detected Latrodectus\r\ninfrastructure. ASNs are critical for identifying key service providers that may facilitate cyber threat activity.\r\nLeading the list is BlueVPS OU (AS 62005) with 33 instances, followed by OVH SAS (AS 16276) and The\r\nInfrastructure Group B.V. (AS 60404). Tracking these ASNs provides valuable insight into malicious\r\ninfrastructure, as attackers often rely on specific hosting services to operate attacks or host command and control\r\n(C2) servers. 
\r\nFigure 6 – Top 10 ASN service owners used by Latrodectus malware.\r\nIcedID Malware Enables ALPHV Ransomware Attack, Revealing Shared Infrastructure with\r\nLUNAR SPIDER \r\nIn a campaign observed in October 2023, threat actors linked to ALPHV (also known as BlackCat) executed a\r\nransomware attack by using IcedID malware as the initial compromise vector [17]. The operation began with a\r\nspam campaign delivering a version of IcedID through a malicious ZIP file containing a Visual Basic Script\r\n(VBS). Upon execution, the IcedID loader installed itself, and the attackers used Impacket’s wmiexec [18] and\r\nRDP for lateral movement, deploying ScreenConnect across systems. The campaign further escalated with the\r\ndeployment of Cobalt Strike beacons for command-and-control (C2) purposes and the use of the CSharp Streamer\r\nRAT [19] to exfiltrate credentials and sensitive data via tools like Rclone [20]. Eight days after the initial breach,\r\nALPHV ransomware was deployed across all domain-joined Windows systems, leading to successful data\r\nencryption and a ransom note being left behind. \r\nFigure 7 – Possible infrastructure sharing between LUNAR SPIDER\r\nand ALPHV/BlackCat Ransomware.\r\nEclecticIQ analysts have uncovered evidence suggesting a very likely connection between LUNAR SPIDER and\r\nALPHV/BlackCat ransomware affiliates. The domain peronikilinfer[.]com, which served as a command-and-control (C2) server for Latrodectus malware (developed and managed by LUNAR SPIDER) in September 2024,\r\nwas hosted on the IP address 173[.]255[.]204[.]62. In October 2023, ALPHV/BlackCat used another domain,\r\njkbarmossen[.]com, also hosted on the same IP address and functioning as a C2 server for IcedID, another\r\nmalware family developed and managed by LUNAR SPIDER. 
This overlap in infrastructure\r\nand malware usage emphasizes that both IcedID and Latrodectus are central to LUNAR SPIDER's operations. The\r\nshared infrastructure indicates that LUNAR SPIDER's malware is enabling ALPHV/BlackCat's ransomware\r\nactivities, highlighting a collaborative relationship between these groups. \r\nThe reuse of infrastructure and overlapping command-and-control assets, evidenced by passive DNS records,\r\nreinforces the theory of coordination between LUNAR SPIDER and ALPHV/BlackCat. LUNAR SPIDER likely\r\nfacilitated initial access through IcedID, which was then leveraged by ALPHV/BlackCat operators to deploy\r\nransomware and exfiltrate sensitive data. These connections, supported by passive DNS evidence, highlight the\r\noperational synergy between the two groups, further bolstering the assessment of shared tactics, techniques, and\r\ninfrastructure. \r\nLatrodectus Malware Targets Financial Services via SEO Poisoning to Deliver Brute Ratel C4 \r\nEclecticIQ analysts observed a Latrodectus downloader variant in an SEO poisoning malvertising campaign against\r\nfinancial services to download and execute the Brute Ratel C4 malware. After execution of Brute Ratel C4, the\r\nmalware communicates with a command-and-control server very likely owned by LUNAR SPIDER\r\nmembers, giving them remote access to victim devices. \r\nFigure 8 illustrates the attack flow of the malvertising campaign, which leveraged an SEO poisoning technique to\r\ndeliver its payload. SEO poisoning involves manipulating search engine rankings to display malicious links\r\nprominently, tricking users into clicking them. 
In this case, victims searching for tax-related content on Bing\r\nwere redirected to download a malicious, obfuscated JavaScript file named Document-16-32-50.js. \r\nFigure 8 – Execution flow of the Latrodectus Malware. \r\nUpon execution, the JavaScript file retrieved a Windows Installer (MSI) from a remote server, which installed the\r\nBrute Ratel malware. The MSI file, downloaded from 45[.]14[.]244[.]124/dsa.msi, executed the payload via the rundll32.exe\r\nprocess, disguising the malicious DLL (vierm_soft_x64.dll) as a legitimate NVIDIA file. \r\nPersistence Mechanism and Command \u0026 Control (C2): \r\nTo establish persistence, the malware created a registry key entry under: \r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \r\nThis enabled it to remain active even after system reboots. After installation, Brute Ratel made multiple\r\nconnections to command and control (C2) servers controlled by the attackers, including bazarunet[.]com,\r\ngreshunka[.]com, and tiguanin[.]com. These C2 servers facilitated communication between the compromised\r\ndevice and the attackers, allowing them to issue commands and control the infected system. \r\nDe-obfuscating the JavaScript File: \r\nThe malicious JavaScript file Document-16-32-50.js was obfuscated as part of the Latrodectus malware family.\r\nAnalysts de-obfuscated the script and revealed its functionality (Figure 9). It was designed to download the MSI\r\npayload from the server, leading to the final stage of the infection. \r\nFigure 9 – De-obfuscated JavaScript file.\r\nOnce the MSI file was downloaded, it dropped Brute Ratel C4 in DLL format at the following location:\r\nC:\\Users\\\u003cuser-name\u003e\\AppData\\Roaming\\vierm_soft_x64.dll. 
The malware then executed via rundll32.exe, establishing\r\ncommunication with the attacker-controlled C2 servers to maintain control over the victim's device. These C2\r\nservers are central to the attack, enabling further malicious activity or data exfiltration. \r\nFigure 10 – Execution of the Brute Ratel C4 DLL in Sysmon Event Logs.\r\nAnalysts leveraged the MITRE ATT\u0026CK Analysis Tool within the EclecticIQ Intelligence Center to map Lunar\r\nSpider's tactics, techniques, and procedures (TTPs). This mapping is crucial for defenders, as it helps identify the\r\nthreat actor’s operational patterns. By understanding these techniques, security teams can build more effective\r\ndetection and response strategies, enhancing their ability to prevent similar attacks.\r\nFigure 11 – Lunar Spider activities automatically mapped to the\r\nEclecticIQ MITRE ATT\u0026CK Analysis Tool.\r\nIn Figure 11, Intelligence Center's automatic mapping of Lunar Spider's TTPs to the EclecticIQ MITRE ATT\u0026CK\r\nAnalysis Tool showcases the power of intelligence-driven defense. This approach empowers defenders by\r\nproviding clear insights into the adversary's behavior, enabling proactive threat hunting and mitigation efforts\r\nagainst the evolving threat landscape. \r\nThe Power of EclecticIQ Intelligence Center \r\nUncovering Hidden Connections: Detecting previously unknown infrastructure and malware links\r\nbetween threat actors like LUNAR SPIDER and ALPHV/BlackCat using EclecticIQ threat graph views.\r\nThis enables security teams to proactively disrupt coordinated cyber threats before they escalate. 
\r\nRapid Intelligence Gathering: Aggregating intelligence and IOCs from diverse OSINT sources on\r\nLUNAR SPIDER's tools like IcedID and Latrodectus to deepen insights into their TTPs and infrastructure.\r\nThis accelerates response times and enhances threat mitigation strategies, keeping organizations always\r\none step ahead of attackers. \r\nStrategic TTP Mapping: Utilizing EclecticIQ's MITRE ATT\u0026CK analysis tool to directly map LUNAR\r\nSPIDER's activities to the MITRE framework. This provides a clear understanding of their attack patterns,\r\nallowing organizations to develop better defenses against specific tactics used by the threat actor. \r\nAutomated Data Enrichment: Leveraging automated enrichment features to pivot from known C2\r\nservers and swiftly identify new attacker-controlled infrastructures. This reduces the window of exposure,\r\nimproves threat detection accuracy, and strengthens the overall security posture. \r\nYARA Rules\r\n// The pe module is required by the second rule's pe.imphash() call\r\nimport \"pe\"\r\n\r\nrule CRIME_LOADER_Latrodectus_JS_LunarSpider_Oct2024_01\r\n{\r\n    meta:\r\n        author = \"Arda Buyukkaya, EclecticIQ\"\r\n        description = \"Detects JavaScript files associated with the Latrodectus loader, also known as Lotus Loader, used to download MSI payloads. This activity is linked to the Lunar Spider crime group. The rule identifies specific patterns within JavaScript code indicative of malicious loader behavior.\"\r\n        malware_family = \"Latrodectus (Lotus Loader)\"\r\n        last_modified = \"2024-10-15\"\r\n        tags = \"loader, lotus, JavaScript, MSI, LunarSpider, Oct2024\"\r\n    strings:\r\n        // Primary strings: the Windows Installer COM object and a fragment of the embedded script signature block\r\n        $x_installer_reference = \"WindowsInstaller.Installer\"\r\n        $x_encoded_signature = \"/ EGqk1paQjoH4fKsvtaNXM9JYe5QObQ+lkSYqs4NPcrGK\\r\\n// SIG // e2SS0PC0VV+WCxHl\"\r\n        // Grouped strings for drive checking and script execution flow\r\n        $s_drive_check = \"i \u003c drives.length\"\r\n        $s_script_path = \"filePath = WScript.ScriptFullName,\"\r\n        $s_script_buffer = \"scriptBuffer = \\\"\"\r\n        // Fallback patterns for JavaScript MSI execution: the bytes spell \"////    var installCommand = 'msiexec.exe\" and the \"////    \" comment prefix\r\n        $a_msiexec_keyword = {2F 2F 2F 2F 20 20 20 20 76 61 72 20 69 6E 73 74 61 6C 6C 43 6F 6D 6D 61 6E 64 20 3D 20 27 6D 73 69 65 78 65 63 2E 65 78 65}\r\n        $a_comment_block = {2F 2F 2F 2F 20 20 20 20}\r\n    condition:\r\n        // The file must be larger than 256KB, and one of the following must hold:\r\n        // 1. A complete primary group is present (installer reference plus signature fragment, or all drive-check/script-execution strings).\r\n        // 2. Otherwise, both fallback patterns for JavaScript MSI execution must be present.\r\n        filesize \u003e 256000 and (\r\n            (all of ($x_installer_reference, $x_encoded_signature) or all of ($s_drive_check, $s_script_path, $s_script_buffer)) or\r\n            ($a_msiexec_keyword and $a_comment_block)\r\n        )\r\n}\r\n\r\nrule MAL_LOADER_LunarSpider_Lotus_Aug2024_01\r\n{\r\n    meta:\r\n        author = \"Arda Buyukkaya - EclecticIQ\"\r\n        description = \"Detects Lotus loader linked to Lunar Spider threat actor, observed in August 2024.\"\r\n        last_modified = \"2024-08-16\"\r\n        threat_actor = \"Lunar Spider\"\r\n        malware_family = \"Lotus Loader\"\r\n        tags = \"loader, lotus, LunarSpider, August2024\"\r\n    strings:\r\n        $x_debug_function = {e8 [4] 0f b6 40 02 48 83 c4 28}\r\n        $x_process_environment_block = {65 48 8b 04 25 60 00 00 00 c3}\r\n        $x_sleep_interval = {b9 58 02 00 00 f7 f1 8b c2 05 dc 05 00 00 69 c0 e8 03 00 00}\r\n    condition:\r\n        // Ensures the PE import hash matches and all specific detection patterns are present\r\n        pe.imphash() == \"db7aeb75528663639689f852fd366243\"\r\n        and all of ($x_debug_function, $x_process_environment_block, $x_sleep_interval)\r\n}\r\nIndicators of Compromise (IOCs)\r\nStructured Data\r\nExplore our TAXII collection to integrate valuable research into your security stack. Please note that access\r\nrequires an API key or token. For guidance on how to obtain access and set up the feeds, visit our support page.\r\nAbout EclecticIQ Intelligence \u0026 Research Team\r\nEclecticIQ is a global provider of threat intelligence technology and services. Headquartered in Amsterdam,\r\nthe EclecticIQ Intelligence \u0026 Research Team is made up of experts with decades of experience in cyber security\r\nand intelligence in industry and government.\r\nWe would love to hear from you. 
Please send us your feedback by emailing us at research@eclecticiq.com.\r\nReferences\r\n[1] “Latrodectus: This Spider Bytes Like Ice | Proofpoint US,” Proofpoint. Accessed: Oct. 15, 2024. [Online].\r\nAvailable: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice\r\n[2] “Brute Ratel C4 (Malware Family).” Accessed: Oct. 15, 2024. [Online]. Available:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4\r\n[3] “LUNAR SPIDER (Threat Actor).” Accessed: Oct. 15, 2024. [Online]. Available:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/actor/lunar_spider\r\n[4] “IcedID (Malware Family).” Accessed: Jan. 29, 2024. [Online]. Available:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.icedid\r\n[5] “Alpha Spider (Threat Actor).” Accessed: Oct. 15, 2024. [Online]. Available:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/actor/alpha_spider\r\n[6] “Operation Endgame.” Accessed: Oct. 15, 2024. [Online]. Available: https://www.operation-endgame.com/\r\n[7] “SmokeLoader (Malware Family).” Accessed: Oct. 15, 2024. [Online]. Available:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader\r\n[8] “Pikabot (Malware Family).” Accessed: Oct. 15, 2024. [Online]. Available:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot\r\n[9] “BumbleBee (Malware Family).” Accessed: Oct. 15, 2024. [Online]. 
Available:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\r\n[10] “Conti Ransomware Group Internal Chats Leaked | Rapid7 Blog,” Rapid7. Accessed: Oct. 15, 2024.\r\n[Online]. Available: https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/\r\n[11] “WIZARD SPIDER (Threat Actor).” Accessed: Oct. 15, 2024. [Online]. Available:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/actor/wizard_spider\r\n[12] “TrickBot Malware | CISA.” Accessed: Oct. 15, 2024. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-076a\r\n[13] “Conti Ransomware | CISA.” Accessed: Oct. 15, 2024. [Online]. Available: https://www.cisa.gov/news-events/alerts/2021/09/22/conti-ransomware\r\n[14] “Office of Public Affairs | Foreign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of\r\nMillions of Dollars in Losses | United States Department of Justice.” Accessed: Oct. 15, 2024. [Online]. Available:\r\nhttps://www.justice.gov/opa/pr/foreign-national-pleads-guilty-role-cybercrime-schemes-involving-tens-millions-dollars\r\n[15] “Nemty (Malware Family).” Accessed: Oct. 15, 2024. [Online]. Available:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.nemty\r\n[16] “TA2101 Plays Government Imposter to Distribute Malware | Proofpoint US,” Proofpoint. Accessed: Oct. 15,\r\n2024. [Online]. Available: https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us\r\n[17] “IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment,” The DFIR\r\nReport. Accessed: Oct. 15, 2024. [Online]. 
Available: https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/\r\n[18] “Impacket - Red Canary Threat Detection Report,” Red Canary. Accessed: Oct. 15, 2024. [Online]. Available:\r\nhttps://redcanary.com/threat-detection-report/threats/impacket/\r\n[19] “csharp-streamer RAT (Malware Family).” Accessed: Oct. 15, 2024. [Online]. Available:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.csharpstreamer\r\n[20] Microsoft Threat Intelligence, “The many lives of BlackCat ransomware,” Microsoft Security Blog. Accessed: Oct. 15,\r\n2024. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/\r\nSource: https://blog.eclecticiq.com/inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.eclecticiq.com/inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus"
	],
	"report_names": [
		"inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8b7faa58-947b-4530-ab1f-250a0370aabf",
			"created_at": "2022-10-25T16:07:24.34248Z",
			"updated_at": "2026-04-10T02:00:04.945921Z",
			"deleted_at": null,
			"main_name": "Traveling Spider",
			"aliases": [
				"Gold Mansard"
			],
			"source_name": "ETDA:Traveling Spider",
			"tools": [
				"7-Zip",
				"AdFind",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Nefilim",
				"Nemty",
				"Nephilim",
				"Network Password Recovery",
				"PsExec",
				"smbtool"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1c76f1b6-a05b-4dba-82ea-07011b47c6cd",
			"created_at": "2023-01-06T13:46:39.201507Z",
			"updated_at": "2026-04-10T02:00:03.244851Z",
			"deleted_at": null,
			"main_name": "TRAVELING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:TRAVELING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86ab9be8-ce67-4866-9f66-1df471e9d251",
			"created_at": "2024-05-29T02:00:03.942487Z",
			"updated_at": "2026-04-10T02:00:03.641939Z",
			"deleted_at": null,
			"main_name": "Alpha Spider",
			"aliases": [
				"ALPHV Ransomware Group"
			],
			"source_name": "MISPGALAXY:Alpha Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434183,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2e5c1715b8db8d133e6a4b4dd5edcbb2a626a1c.pdf",
		"text": "https://archive.orkl.eu/d2e5c1715b8db8d133e6a4b4dd5edcbb2a626a1c.txt",
		"img": "https://archive.orkl.eu/d2e5c1715b8db8d133e6a4b4dd5edcbb2a626a1c.jpg"
	}
}