Security researchers have identified a new malware loader named “Latrodectus,” suspected to be a successor to the IcedID loader [7].


Latrodectus has been observed in malicious email campaigns since November 2023 [1] [2] [4] [5] [6] [7] [8] [9], with nearly a dozen distinct campaigns attributed to it since February 2024 [5] [6] [7]. The malware is primarily used by initial access brokers (IABs) [3] [8] and functions as a downloader: once running, it retrieves additional payloads and executes commands issued by its operators [3]. It was initially taken for a variant of IcedID [3] [7], but further analysis showed it to be a distinct codebase, most likely written by the same developers [3]. It has been linked to the threat actors TA577 and TA578 in several campaigns, delivered through lures such as website contact-form submissions and emails carrying legal threats [3].

Technically, Latrodectus resolves Windows API functions dynamically at runtime rather than importing them statically, which keeps its import table uninformative to static analysis [3]; it also carries anti-analysis and sandbox-evasion checks [1] [3] [7] and communicates with command-and-control (C2) servers for tasking [3] [8]. Team Cymru identified a tiered C2 infrastructure and recurring patterns in how those servers are set up [3], which further supports the link between Latrodectus and IcedID [3]. The samples analysed show ongoing development [3], and researchers expect adoption to grow, especially among threat actors that previously distributed IcedID [3].


Cybersecurity experts warn that Latrodectus is likely to proliferate and represents an evolving threat to organizations worldwide [4], and stress the need for vigilance and proactive security measures [4]. It is expected to be used increasingly by financially motivated threat actors [2], particularly those previously involved in distributing IcedID [2]. Its downloader capabilities and well-developed distribution tactics make it a significant risk [1], especially for the finance [1], healthcare [1], and government [1] sectors. Organizations are advised to strengthen employee training on phishing lures and to monitor their systems for the indicators of compromise published for Latrodectus [1]. Its evasion capabilities and the payloads it delivers have raised concern about its future role in cybercriminal campaigns [9].