Latrodectus

Danabot operators upload other malware to their infrastructure for further spreading.

It was first reported in November 2023 being distributed by TA577 in a number of phishing campaigns. In January 2024, it was reportedly also being used by TA578.

Tax and IRS-themed phishing emails delivering malicious PDF attachments leading to URL redirects and script downloads

In this campaign, messages contained URLs which resolved to a website with a search:query link that pointed to a Microsoft Shortcut (LNK) file.

On 28 November 2023, Proofpoint observed the last TA577 Latrodectus campaign. The campaign began with thread hijacked messages that contained URLs leading to either zipped JavaScript files or zipped ISO files. | This actor typically uses contact forms to initiate a conversation with a target.

Latrodectus is a downloader used by adversaries to execute arbitrary commands and deliver additional payloads

the first observed endpoint behavior was a PowerShell command reaching out to the URL https[:]//rgbw[.]live/

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

Using cscript.exe to execute a command containing //e:Jscript in this way gives us a detection opportunity. Detection opportunity: Instances of wscript.exe or cscript.exe to run/interpret malicious JScript payloads

The inclusion of the “Browser check identificate:” prompt and a subsequent change made to the RunMRU registry key indicates this likely uses a paste-and-run fake CAPTCHA lure for initial execution.

Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

Since Latrodectus is frequently sideloaded or injected into a process like explorer.exe for execution

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

Since Latrodectus is frequently sideloaded or injected into a process like explorer.exe for execution

EDDIESTEALER is capable of deleting itself through NTFS Alternate Data Streams renaming, to bypass file locks... SetFileInformationByHandle on the handle with the FILE_DISPOSITION_INFO.DeleteFile flag set to TRUE

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

File Hash (SHA-256) 16474e9e4773fbc1e0b48a5025fad31b7f084b1beffb9a42687b4d01979885fe Dave-crypted IceNova

Following a successful connection to https[:]//rgbw[.]live/ , msiexec.exe , spawned the process NVIDIA Notification.exe

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

Brute Ratel C4 can use LDAP queries, net group "Domain Admins" /domain and net user /domain for discovery. OilRig has run net group "domain admins" /domain and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim. Wizard Spider has identified domain admins through the use of net group "Domain admins" /DOMAIN.

It has a range of capabilities, including gathering system information and delivering additional payloads like IcedID.

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

AdFind can enumerate domain users. APT41 used built-in net commands to enumerate domain administrator users. BloodHound can collect information about domain users, including identification of domain admin accounts.

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

BS2005 uses Base64 encoding for communication in the message body of an HTTP request... Helminth encodes data with base64 and sends it via the "Cookie" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values... RDAT can communicate with the C2 via base32-encoded subdomains.

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

Latrodectus is a downloader used by adversaries to execute arbitrary commands and deliver additional payloads... In May 2025, some samples reportedly went on to deliver LummaC2.

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

Examples include: "FIN4 has used HTTP POST requests to transmit data," "SolarWinds Compromise, APT29 used HTTP for C2 and data exfiltration," and "PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server."