Arachnid alert: Latrodectus loader crawls through defences

Presented at the VB2025 conference in Berlin, 24-26 September 2025.

Slides: N/A
Paper: https://www.virusbulletin.com/uploads...
Details: https://www.virusbulletin.com/confere...

PRESENTED BY
Albert Zsigovits (VMRay)

ABSTRACT

Meet the cunning Latrodectus loader, which first emerged in 2023 and has become a "go-to" tool for cybercriminals in the past year. Mainly functioning as a downloader, it employs advanced anti-analysis and evasion techniques and encryption schemes, all of which have hardened the loader against traditional malware detection. Since its inception, the loader has undergone rapid development, evolving from version v1.1 to its current iteration, version v1.9, demonstrating the malware authors' commitment through a constant stream of improvements. With strong ties to the now-defunct IcedID loader, Latrodectus is gradually filling the void left by its predecessor's take-down in Operation Endgame, carried out by Europol (EC3).

This presentation explores the inner workings of Latrodectus: analysing its anti-analysis features, decoding its malware configuration settings, providing guidance on its mitigation, and drawing conclusions from its use of BruteRatel C2, the controversial red-team tool deployed in recent Latrodectus delivery chains. The loader also employs many sandbox evasion techniques, some of which were most likely designed to evade traditional sandbox solutions. One gripping functionality is its self-deletion mechanism, adapted from a public proof-of-concept GitHub repository, showcasing the malware authors' ability to repurpose open-source tools, a growing problem because such tools are so easily adapted to malicious ends. As each Latrodectus campaign is denoted by a distinct group ID, we believe the loader may be gravitating towards a MaaS (malware-as-a-service) model.

By examining its rapid development cycle and potential trajectory during 2024 and 2025, we offer insights into its growing popularity as a preferred downloader in the cybercrime ecosystem.