{
	"id": "6d742c2f-b750-4479-b583-7f5216d5d35a",
	"created_at": "2026-04-06T02:11:58.753572Z",
	"updated_at": "2026-04-10T03:20:56.69271Z",
	"deleted_at": null,
	"sha1_hash": "f9bc485f490ce7b288bdf015e64e7c569dd51f2e",
	"title": "Latrodectus Malware Masquerades as AhnLab Security Software to Infect Victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8113946,
	"plain_text": "Latrodectus Malware Masquerades as AhnLab Security Software to Infect Victims\r\nPublished: 2024-08-29 · Archived: 2026-04-06 01:33:27 UTC\r\nDuring a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control (C2) server at 103.144.139[.]189 after pivoting on the TLS certificates. Communicating with this server was a file named MeDExt.dll, detected as the downloader by multiple vendors in VirusTotal.\r\nLeveraging this discovery, we were able to identify additional IP addresses and domains associated with the distribution of Latrodectus malware.\r\nLatrodectus is a downloader that functions as a backdoor, allowing threat actors to execute remote commands, gather information from compromised machines, and deploy additional malicious payloads, the most recent being Brute Ratel C4.\r\nIn this blog post, we will examine the malicious DLL and then dive into the C2 infrastructure we uncovered, including the certificate pivot and the associated domains identified during our research.\r\nMeDExt.dll\r\nUnfortunately, we don’t have the initial access method for this attack campaign, but as past reports suggest, phishing and malicious ads are likely entry points into networks.\r\nThe DLL file that caught our attention, \"MeDExt.dll,\" mimics the legitimate MeD Engine Extension from AhnLab Smart Defense. Given that this malicious file is a DLL, it's plausible that the legitimate parent executable was bundled with the Latrodectus malware or that this was a targeted attack aimed at a victim known to use AhnLab's services.\r\nFigure 1: VirusTotal results for MeDExt.dll (Source: VirusTotal)\r\nSpoofing a well-known anti-virus vendor increases the malware’s stealth and the likelihood of bypassing security measures, reinforcing the importance of scrutinizing renamed files.\r\nBelow is the file signature info. Note the DLL is not signed.\r\nhttps://hunt.io/blog/latrodectus-malware-masquerades-as-ahnlab-security-software-to-infect-victims\r\nPage 1 of 7\r\nFigure 2: VirusTotal Signature Info for the suspect DLL\r\nThe PDB path (provided below) within the MeDExt.dll file offers a glimpse into the environment used by the threat actor(s):\r\nC:\\Build\\Project\\Medicine\\Engine\\2.0_MainTrunk\\building\\build\\Project\\Medicine\\Engine\\2.0\\Trunk\\Build\\AMD64\\free\\MeDExt.pdb\r\nThe DLL has four exports with differing addresses, all following a similar naming pattern beginning with “MeDExt”.\r\nFigure 3: Obligatory IDA screenshot showing the DLL’s exports\r\nWe could not identify any new TTPs during the analysis of the malicious file. This sample of Latrodectus employed familiar techniques, such as using the Windows Component Object Model (COM) to set a scheduled task for persistence.\r\nNext, we'll examine the communication with the command and control infrastructure.\r\nCommand \u0026 Control Infrastructure Analysis\r\nAfter running the file through multiple sandboxes, we observed Latrodectus attempting to communicate with the following domains and URLs:\r\nstripplasst[.]com/live/\r\ncoolarition[.]com/live/\r\nstripplasst[.]com was registered through the OwnRegistrar, Inc. registrar, and coolarition[.]com through PDR Ltd. This consistent use of a single registrar should be used as a low-confidence indicator in tracking and attributing related malicious activity.\r\nBoth domains were unavailable during analysis, though we captured the first POST request to the C2 registering the victim's details in a PCAP, as seen below.\r\nThe IP address 103.144.139[.]189 for a short period resolved to the domain riscoarchez[.]com, also identified in a Latrodectus attack paired with Brute Ratel C4 by Rapid7.\r\nFigure 4: PCAP showing the initial registration request to one of the C2 domains.\r\nThe server that initiated our investigation is hosted on the Gigabit Hosting Sdn Bhd ASN.\r\nFigure 5: Initial IP that began our research\r\nAs reported by Proofpoint in their joint blog post with Team Cymru, we can see the server also has ports 443 and 8080 open, which was one of the criteria used to search for additional C2 servers in the article.\r\nMoving to the SSL History, we noticed a semi-unique certificate on port 443. We say “semi” because many malware families use the “Internet Widgits Pty Ltd” Issuer Organization name in their self-signed certificates.\r\nFigure 6: Hunt certificate data for 103.144.139[.]189\r\nThe complete certificate fields are below:\r\nSubject Common Name: localhost\r\nSubject Country: AU\r\nSubject Organization: Internet Widgits Pty Ltd\r\nSubject Organisational Unit: N/A\r\nSubject Locality: N/A\r\nSubject State: Some-State\r\nWe can use Hunt's Advanced Search feature to craft a query that will assist us in identifying servers using certificates similar to the above.\r\nIn the case of the Latrodectus C2 certs, we came up with the following query based on the JA4X hash and Subject Common Name:\r\nja4x:\"96a6439c8f5c_96a6439c8f5c_795797892f9c\" AND subject.common_name:\"localhost\"\r\nFigure 7: Hunt Advanced Search Results for the suspicious Latrodectus-linked certificate\r\nThe query returns just 24 results, suggesting we're on the right track in identifying Latrodectus servers. However, it's important to note that the certificate fields we're analyzing are commonly used for legitimate purposes and by other threat actors.\r\nWe cannot confirm that all results are linked to the malware; further investigation is required.\r\nPoking around for similar server and certificate combinations on the same ASN as our initial IP, we found a malicious file mimicking the Google Authenticator app, also associated with Latrodectus, communicating with 103.144.139[.]182.\r\nThe domain spikeliftall[.]com resolves to the IP mentioned above and was registered through PDR Ltd.\r\nFigure 8: Another Latrodectus C2 on the same ASN (Source: VirusTotal)\r\nAgain, this server also had the port characteristics (443 \u0026 8080) and a matching certificate seen with other command and control infrastructure.\r\nOn Aug 13, 2024, Symantec also noticed this campaign, releasing a Protection Bulletin identifying the initial access vector as phishing.\r\nAfter submitting a few IP addresses to VirusTotal for analysis, another server with a file detected as Latrodectus caught our attention.\r\nFigure 9: Additional suspicious IP associated with Latrodectus\r\nThe IP, hosted on BlueVPS OU, resolves to a single domain, worlpquano[.]com, registered through HOSTINGER, and used CloudFlare services in mid-July 2024.\r\nFigure 10: Third IP/domain associated with Latrodectus scan results (Source: VirusTotal)\r\nConclusion\r\nLatrodectus’ tactic of impersonating legitimate security software highlights the persistent challenge of distinguishing between trusted and malicious files. Effective defense against such threats requires continuous monitoring and detailed analysis of network activity.\r\nRequest a demo today to get a closer look at how the Hunt platform can strengthen your defenses.\r\nNetwork Observables\r\nIP Address | Domain(s) | Domain Registrar | ASN | Notes\r\n103.144.139[.]189:443 | riscoarchez[.]com | Own Registrar | Gigabit Hosting Sdn Bhd | Initial IP that started investigation.\r\n188.114.97[.]7:443 | stripplasst[.]com | Own Registrar | CloudFlare | C2 for MeDExt.dll\r\n188.114.97[.]7:443, 84.32.41[.]12:443 | coolarition[.]com | PDR Ltd. | CloudFlare, Hostgnome Ltd | C2 for MeDExt.dll\r\n103.144.139[.]182:443 | spikeliftall[.]com | PDR Ltd. | Gigabit Hosting Sdn Bhd | JARM fingerprint + HTML response hash\r\n45.129.199[.]25:443 | worlpquano[.]com | HOSTINGER | BlueVPS OU | Identified as a possible Latrodectus C2 by Symantec\r\nHost Observables\r\nFile Name | SHA-256 Hash | Notes\r\nMeDExt.dll | 23546ec67474ed6788a14c9410f3fc458b5c5ff8bd13885100fb4f3e930a30bf | Seen communicating with riscoarchez[.]com/live/, stripplasst[.]com/live/, coolarition[.]com/live/\r\nGoogleAuthSetup.ex | 62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830 | Seen communicating with steamcommunity[.]com/profiles/76, godfaetret[.]com/live/, spikeliftall[.]com/live/\r\nconfrontation_d46a184c.exe | a459ce4bfb5d649410231bd4776c194b0891c8c5328bafc22184fe3111c0b3e7 | Seen communicating with worlpquano[.]com/live/, carflotyup[.]com/live/\r\nSource: https://hunt.io/blog/latrodectus-malware-masquerades-as-ahnlab-security-software-to-infect-victims",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/latrodectus-malware-masquerades-as-ahnlab-security-software-to-infect-victims"
	],
	"report_names": [
		"latrodectus-malware-masquerades-as-ahnlab-security-software-to-infect-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1775441518,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9bc485f490ce7b288bdf015e64e7c569dd51f2e.pdf",
		"text": "https://archive.orkl.eu/f9bc485f490ce7b288bdf015e64e7c569dd51f2e.txt",
		"img": "https://archive.orkl.eu/f9bc485f490ce7b288bdf015e64e7c569dd51f2e.jpg"
	}
}