For this research, we partnered with Proofpoint’s Threat Research team in a collaborative effort to provide a comprehensive overview of the Latrodectus loader malware.
Latrodectus was first identified in the wild in October 2023 and was detected by Proofpoint being used for email threat campaigns in late November 2023. Whilst it shares some similarities to IcedID, Latrodectus is assessed to be a wholly new malware family, and our joint analysis indicates the IcedID developers likely created it.
Other key points from the research include:
While use of Latrodectus decreased in December 2023 through January 2024, Latrodectus use increased in campaigns throughout February and March 2024.
It was first observed in Proofpoint data being distributed by threat actor TA577 but has been used by at least one other threat actor, TA578.
Latrodectus is an up-and-coming downloader with various sandbox evasion functionality.
Latrodectus shares infrastructure overlap with historic IcedID operations.
While investigating Latrodectus, researchers identified new, unique patterns in campaign IDs designating threat actor use in previous IcedID campaigns.
The full report can be read here.
Conclusion
We share Proofpoint’s assessment that Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID.
This research highlights the value of collaborative work between commercial threat intelligence companies, piecing together distinct viewpoints to provide a more complete picture of malicious activities. We hope to continue these collaborations to enable defenders and threat analysts to shut down cybercriminals.