LATRODECTUS Loader Getting Popular Among Cybercriminals, Is It Replacing ICEDID!

Hackers use loaders to bypass security measures and run harmful code in a genuine process’s memory themselves. 

This makes it possible for malware payloads to be quietly loaded into the system without being discovered by any of the many file execution monitoring security solutions.

Cybersecurity researchers at Elastic Security Labs recently discovered that LATRODECTUS loader is getting popular among threat actors.


The malware loader, “LATRODECTUS” was discovered in October 2023, and it shows strong associations with ICEDID. For instance, they both deliver hidden content using an encrypted payload technique and have the same network infrastructure. 

Even though it is a novel family, it brings down big features of post-breach operations through a lightweight, minimalistic codebase. 

Lately, there has been an increase in email campaigns delivering LATRODECTUS, which are built on oversized JavaScript for remote MSI installation via WMI or msiexec.exe.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Given the collapse of QBOT and the decline of ICEDID, these two following new loaders are indicated as filling those gaps with more streamlined designs:-

Initially, a sample called LATRODECTUS disguises itself as TRUFOS.SYS from Bitdefender, necessitating unpacking.

It has a DLL with four exports all at the same address, but it uses arithmetic or bitwise operations on encrypted bytes to hide strings as opposed to previously reported PRNG algorithms.

File version information of packed LATRODECTUS sample (Source – Elastic)

In PEB and CRC32 checks of LATRODECTUS imports for kernel32.dll and ntdll.dll are done dynamically while other DLLs go through wildcard searches and CRC32 validation in the Windows system directory.

This evolving obfuscation technique of the loader is manifest by dynamic import resolution.

After resolving imports, LATRODECTUS performs anti-analysis checks – monitoring for debuggers, validating running process count against OS version thresholds to detect sandboxes and VMs, checking for WOW64 execution, and verifying valid MAC addresses, Elastic security said.

It uses a typo-mutex “runnung” and generates hardware IDs or campaign hashes from volume serial numbers. Based on configurations, it drops copies of itself in AppData or other directories using randomized filenames. 

LATRODECTUS reads existing data files, fetches C2 domains, and then sets up a scheduled “Updater” task for persistence via Windows COM before executing its main command dispatcher thread.

Different alternate data streams are used by LATRODECTUS to delete itself, which is likely to prevent incident response. It also has the ability to encrypt C2 communications with victims using RC4 and receive commands via URLs, COMMAND and CLEARURL. 

The core functionalities include gathering information such as processes and desktop files, executing code in forms such as downloading or launching PE’s, DLLs, or shellcodes, binary updates, and ICEDID delivery.

Similar enumeration, exports, and C2 traffic patterns have been found in its ICEDID component, consequently intimating development connections.

As a support feature for LATRODECTUS, it helps in resetting request counters and randomized beaconing intervals.

For this reason, they put out test runs where payloads were sent between sandboxes using the command dispatcher Flask server.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Bondnet Using High-Performance Bots For C2 Server

Threat actors abuse high-performance bots to carry out large-scale automated attacks efficiently. These bots can…

1 hour ago

Discord-Based Malware Attacking Orgs Linux Systems In India

Linux systems are deployed mostly in servers, in the cloud, and in environments that are…

1 hour ago

New Moonstone Sleet North Korean Actor Deploying Malicious Open Source Packages

In December 2023, we reported on how North Korean threat actors, particularly Jade Sleet, have…

4 hours ago

Life360 Breach: Hackers Accessed the Tile Customer Support Platform

Life360, a company known for its family safety services, recently fell victim to a criminal…

5 hours ago

Microsoft Delays Release of Controversial Windows AI Recall Tool Amid Privacy Concerns

Microsoft has announced that it will delay the broad release of its AI-powered Recall feature…

10 hours ago

SmokeLoader – A Modular Malware With Range Of Capabilities

Hackers misuse malware for diverse illicit intentions, including data theft, disrupting systems, espionage, or distortion…

23 hours ago