win.latrodectus

Latrodectus

aka: BLACKWIDOW, IceNova, Latrodectus, Lotus

First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4-encrypted requests. The malware can execute discovery commands, query information about the victim's machine, update itself, and download and execute an EXE, DLL, or shellcode. It is believed to have been developed by LUNAR SPIDER, the creators of the IcedID (aka BokBot) malware.

References
2026-02-17 | CERT.PL | CERT.PL
ClickFix in action: how a fake captcha can encrypt an entire company
Families: Latrodectus, Supper

2026-01-13 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update July to December 2025
Families: Coper, FluBot, Joker, Aisuru, Mirai, AsyncRAT, BianLian, Cobalt Strike, DCRat, Havoc, Latrodectus, PureLogs Stealer, Quasar RAT, Remcos, Rhadamanthys, Sliver, ValleyRAT, Venom RAT, Vidar, XWorm

2025-12-10 | Netresec | Erik Hjelmvik
Latrodectus BackConnect
Families: IcedID, Keyhole, Latrodectus

2025-10-10 | Malcat | Renaud Tabary
Malcat scripting tutorial: deobfuscating Latrodectus
Families: Latrodectus

2025-09-29 | The DFIR Report | The DFIR Report
From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
Families: Brute Ratel C4, Cobalt Strike, Latrodectus

2025-07-14 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update January to June 2025
Families: Coper, FluBot, Hook, Joker, Mirai, AsyncRAT, BianLian, BumbleBee, Chaos, Cobalt Strike, DanaBot, DCRat, Havoc, Latrodectus, NjRAT, Quasar RAT, RedLine Stealer, Remcos, Rhadamanthys, Sliver, ValleyRAT, WarmCookie, XWorm

2025-04-03 | Microsoft | Microsoft Threat Intelligence
Threat actors leverage tax season to deploy tax-themed phishing campaigns
Families: Brute Ratel C4, CloudEyE, Latrodectus, Remcos, Storm-0249

2025-04-01 | Reversing Stories | Hema Loganathan
Latrodectus Malware Delivered via Telegram Bot/Chat API
Families: Latrodectus

2025-01-10 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update July to December 2024
Families: Coper, FluBot, Hook, Mirai, FAKEUPDATES, AsyncRAT, BianLian, Brute Ratel C4, Cobalt Strike, DanaBot, DCRat, Havoc, Latrodectus, NjRAT, Quasar RAT, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Stealc

2024-11-18 | Proofpoint | Proofpoint Threat Research Team, Selena Larson, Tommy Madjar
Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape
Families: AsyncRAT, Brute Ratel C4, DanaBot, DarkGate, Latrodectus, Lumma Stealer, NetSupportManager RAT, XWorm

2024-10-30 | EclecticIQ | EclecticIQ Threat Research Team
Inside Intelligence Center: LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus
Families: BlackCat, Brute Ratel C4, Latrodectus

2024-10-22 | Logpoint | Swachchhanda Shrawan Poudel
Latrodectus: The Wrath of Black Widow
Families: Latrodectus

2024-10-21 | VMRay | VMRay Labs Team
Latrodectus: A year in the making
Families: Latrodectus

2024-10-18 | Forcepoint | Mayur Sewani
Inside the Latrodectus Malware Campaign Old School Phishing Meets Innovative Payload Delivery
Families: Latrodectus

2024-10-08 | Trustwave | Cris Tomboc, King Orande
Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader
Families: Pronsis Loader, Latrodectus, Lumma Stealer

2024-09-30 | OALabs | Sergei Frankoff
Latrodectus Extracting new AES encrypted strings from this RAT
Families: Latrodectus

2024-08-29 | Netskope | Leandro Froes
Latrodectus Rapid Evolution Continues With Latest New Payload Features
Families: Latrodectus

2024-08-29 | Hunt.io | Hunt.io
Latrodectus Malware Masquerades as AhnLab Security Software to Infect Victims
Families: Latrodectus

2024-08-26 | Netskope | Leandro Froes
Static Unpacker for Latrodectus
Families: Latrodectus

2024-08-08 | cyble | Cyble Research Labs
Double Trouble: Latrodectus and ACR Stealer observed spreading via Google Authenticator Phishing Site
Families: ACR Stealer, Latrodectus

2024-08-01 | Krakz | Pierre Le Bourhis
Latrodectus dropped by BR4
Families: Brute Ratel C4, Latrodectus

2024-07-24 | Rapid7 | Rapid7
Malware Campaign Lures Users With Fake W2 Form
Families: Latrodectus

2024-06-24 | RevEng.AI | RevEng.AI
Latrodectus Affiliate Resumes Operations Using Brute Ratel C4 Post Operation Endgame
Families: Brute Ratel C4, Latrodectus

2024-06-17 | BitSight | João Batista
Latrodectus are you coming back
Families: Latrodectus

2024-06-13 | Medium (@zyadlzyatsoc) | Zyad Elzyat
Inside LATRODECTUS: A Dive into Malware Tactics and Mitigation
Families: Latrodectus

2024-05-21 | Twitter (@embee_research) | Embee_research
Tweets on decoding a Latrodectus loader
Families: Latrodectus

2024-05-16 | ANY.RUN | ANY.RUN
Malware trend: Latrodectus
Families: Latrodectus

2024-05-16 | Elastic | Daniel Stepanic, Samir Bousseaden
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID
Families: IcedID, Latrodectus

2024-05-09 | 0x0d4y | 0x0d4y
[Case Study: Latrodectus] Analyzing and Implementing String Decryption Algorithms
Families: Latrodectus

2024-05-05 | Github (VenzoV) | VenzoV
Latrodectus "littlehw"
Families: Latrodectus

2024-04-30 | 0x0d4y | 0x0d4y
Latrodectus [IceNova] – Technical Analysis of the… New IcedID… Its Continuation… Or its Replacement?
Families: Latrodectus

2024-04-24 | Securonix | Den Iyzvyk, Oleg Kolesnikov, Tim Peck
Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover
Families: Cobalt Strike, Latrodectus

2024-04-04 | Proofpoint | Proofpoint Threat Research Team, Team Cymru, TEAM CYMRU S2 THREAT RESEARCH
Latrodectus: This Spider Bytes Like Ice
Families: IcedID, Latrodectus

2024-04-01 | Twitter (@embee_research) | Embee_research
Passive DNS For Phishing Link Analysis - Identifying 36 Latrodectus Domains With Historical Records and 302 Redirects
Families: Latrodectus

2024-03-25 | embeeresearch | Embee_research
Latrodectus Deobfuscation - Removal of Junk Comments and Self-Referencing Code
Families: Latrodectus

2024-03-07 | Malware Traffic Analysis | Brad Duncan
2024-03-07 (THURSDAY): LATRODECTUS INFECTION LEADS TO LUMMA STEALER
Families: Latrodectus, Lumma Stealer

2023-12-23 | IBM | IBM
IceNova Malware Profile
Families: Latrodectus

2023-12-08 | Twitter (@Myrtus0x0) | Myrtus 0x0
Tweet naming the family
Families: Latrodectus

2023-12-07 | eSentire | eSentire
DanaBot's Latest Move: Deploying Latrodectus
Families: DanaBot, HijackLoader, Latrodectus

2023-10-20 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
IcedID gets Loaded
Families: Latrodectus
Yara Rules
[TLP:WHITE] win_latrodectus_auto (20260504 | Detects win.latrodectus.)
rule win_latrodectus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.latrodectus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488b8c2448010000 480301 448b442420 488d542430 488bc8 e8???????? }
            // n = 6, score = 6900
            //   488b8c2448010000     | dec                 eax
            //   480301               | lea                 eax, [esp + 0x68]
            //   448b442420           | dec                 eax
            //   488d542430           | mov                 dword ptr [esp + 0x48], eax
            //   488bc8               | dec                 eax
            //   e8????????           |                     

        $sequence_1 = { 488b542460 488d8c24f0010000 ff15???????? 488d442468 4889442448 488d842480010000 }
            // n = 6, score = 6900
            //   488b542460           | or                  eax, ecx
            //   488d8c24f0010000     | dec                 eax
            //   ff15????????         |                     
            //   488d442468           | mov                 edx, dword ptr [esp + 0x60]
            //   4889442448           | dec                 eax
            //   488d842480010000     | lea                 ecx, [esp + 0x1f0]

        $sequence_2 = { 8b442420 4839442448 7308 8b442448 89442420 448b442420 }
            // n = 6, score = 6900
            //   8b442420             | mov                 eax, dword ptr [esp + 0x40]
            //   4839442448           | dec                 eax
            //   7308                 | arpl                word ptr [eax + 0x104], ax
            //   8b442448             | dec                 eax
            //   89442420             | mov                 ecx, dword ptr [esp + 0x40]
            //   448b442420           | movzx               eax, byte ptr [ecx + eax]

        $sequence_3 = { eb0d 488d842480000000 4889442458 b808000000 486bc000 488b542458 }
            // n = 6, score = 6900
            //   eb0d                 | dec                 eax
            //   488d842480000000     | mov                 ecx, dword ptr [esp + 0x40]
            //   4889442458           | mov                 ecx, dword ptr [ecx + 0x108]
            //   b808000000           | mov                 eax, dword ptr [eax]
            //   486bc000             | dec                 eax
            //   488b542458           | mov                 ecx, dword ptr [esp + 0x30]

        $sequence_4 = { 880424 4863442430 48634c2428 488b542420 4c8b442420 418a0400 }
            // n = 6, score = 6900
            //   880424               | dec                 eax
            //   4863442430           | mov                 ecx, dword ptr [ecx]
            //   48634c2428           | mov                 byte ptr [ecx + eax], 0
            //   488b542420           | dec                 eax
            //   4c8b442420           | arpl                word ptr [esp], ax
            //   418a0400             | dec                 eax

        $sequence_5 = { 8b00 488b4c2430 488b09 c6040100 48630424 488b4c2430 }
            // n = 6, score = 6900
            //   8b00                 | mov                 eax, dword ptr [esp + 0x20]
            //   488b4c2430           | dec                 eax
            //   488b09               | lea                 edx, [esp + 0x30]
            //   c6040100             | dec                 eax
            //   48630424             | mov                 ecx, eax
            //   488b4c2430           | dec                 eax

        $sequence_6 = { 488b442440 48638004010000 488b4c2440 0fb60401 488b4c2440 8b8908010000 }
            // n = 6, score = 6900
            //   488b442440           | lea                 eax, [esp + 0x180]
            //   48638004010000       | dec                 eax
            //   488b4c2440           | mov                 ecx, dword ptr [esp + 0x148]
            //   0fb60401             | dec                 eax
            //   488b4c2440           | add                 eax, dword ptr [ecx]
            //   8b8908010000         | inc                 esp

        $sequence_7 = { 0fbf440438 c1e006 b902000000 486bc903 0fbf4c0c38 0bc1 }
            // n = 6, score = 6900
            //   0fbf440438           | movsx               eax, word ptr [esp + eax + 0x38]
            //   c1e006               | shl                 eax, 6
            //   b902000000           | mov                 ecx, 2
            //   486bc903             | dec                 eax
            //   0fbf4c0c38           | imul                ecx, ecx, 3
            //   0bc1                 | movsx               ecx, word ptr [esp + ecx + 0x38]

        $sequence_8 = { 4883fa0f 7630 48ffc2 488b4d17 488bc1 4881fa00100000 }
            // n = 6, score = 100
            //   4883fa0f             | mov                 ecx, dword ptr [ecx]
            //   7630                 | mov                 byte ptr [ecx + eax], 0
            //   48ffc2               | dec                 eax
            //   488b4d17             | arpl                word ptr [esp], ax
            //   488bc1               | dec                 eax
            //   4881fa00100000       | mov                 ecx, dword ptr [esp + 0x30]

        $sequence_9 = { 0f1145e0 0f1145f0 48894500 41b8ffff1f00 488d55d0 488bcb }
            // n = 6, score = 100
            //   0f1145e0             | dec                 eax
            //   0f1145f0             | mov                 ecx, dword ptr [esp + 0x148]
            //   48894500             | dec                 eax
            //   41b8ffff1f00         | add                 eax, dword ptr [ecx]
            //   488d55d0             | inc                 esp
            //   488bcb               | mov                 eax, dword ptr [esp + 0x20]

        $sequence_10 = { 4180397d 752b 49ffc1 498bc1 4883c428 c3 }
            // n = 6, score = 100
            //   4180397d             | mov                 ecx, dword ptr [esp + 0x40]
            //   752b                 | mov                 ecx, dword ptr [ecx + 0x108]
            //   49ffc1               | mov                 eax, dword ptr [eax]
            //   498bc1               | dec                 eax
            //   4883c428             | mov                 ecx, dword ptr [esp + 0x30]
            //   c3                   | dec                 eax

        $sequence_11 = { 488901 488bc1 c3 488d05cc700b00 48c7410802000000 488901 }
            // n = 6, score = 100
            //   488901               | jmp                 0xffffffd2
            //   488bc1               | je                  0x14
            //   c3                   | dec                 eax
            //   488d05cc700b00       | mov                 edx, dword ptr [esp + 0x60]
            //   48c7410802000000     | dec                 eax
            //   488901               | lea                 ecx, [esp + 0x1f0]

        $sequence_12 = { 410fb6fa 41be04000000 41b470 eb47 410fb6fa b806000000 }
            // n = 6, score = 100
            //   410fb6fa             | dec                 eax
            //   41be04000000         | lea                 edx, [esp + 0x30]
            //   41b470               | dec                 eax
            //   eb47                 | mov                 ecx, eax
            //   410fb6fa             | dec                 eax
            //   b806000000           | mov                 eax, dword ptr [esp + 0x40]

        $sequence_13 = { 480fafc2 480faf542428 4c03e0 48d3eb 49d3ec 4803fa }
            // n = 6, score = 100
            //   480fafc2             | dec                 eax
            //   480faf542428         | lea                 eax, [esp + 0x68]
            //   4c03e0               | dec                 eax
            //   48d3eb               | mov                 dword ptr [esp + 0x48], eax
            //   49d3ec               | dec                 eax
            //   4803fa               | lea                 eax, [esp + 0x180]

        $sequence_14 = { 4883ec60 488b05???????? 4833c4 4889442458 4d8bf1 498bd8 }
            // n = 6, score = 100
            //   4883ec60             | mov                 eax, dword ptr [esp + 0x20]
            //   488b05????????       |                     
            //   4833c4               | dec                 eax
            //   4889442458           | cmp                 dword ptr [esp + 0x48], eax
            //   4d8bf1               | jae                 0xf
            //   498bd8               | mov                 eax, dword ptr [esp + 0x48]

        $sequence_15 = { 448bc3 8bda 41f7e0 418bc3 4183c304 482bc8 }
            // n = 6, score = 100
            //   448bc3               | dec                 eax
            //   8bda                 | arpl                word ptr [eax + 0x104], ax
            //   41f7e0               | dec                 eax
            //   418bc3               | mov                 ecx, dword ptr [esp + 0x40]
            //   4183c304             | movzx               eax, byte ptr [ecx + eax]
            //   482bc8               | dec                 eax

    condition:
        7 of them and filesize < 2467840
}