Latrodectus Historical Bot Infections Special Report.

Description

On the 28th May 2025, the Shadowserver Foundation released the IcedID/Latrodectus Historical Bot Infections Special Report in respect of the jurisdiction.

The information contained in the Latrodectus Historical Bot Infections Special Report was provided to the Shadowserver Foundation by the law enforcement agencies involved in the multinational coordinated cyber operation called Operation Endgame Season 2.0, announced on the 23rd May 2025.

The Latrodectus Historical Bot Infections Special Report has a default severity level of 'Critical'.

This is the third Special Report released in relation to Operation Endgame. The report identifies IP addresses and computer systems within the jurisdiction believed to have been infected between the 26th April 2025 and the 20th May 2025 with the following malware:

List of Malware Reported

1. Latrodectus Malware
   Description: The Latrodectus malware is a backdoor written in C that communicates over HTTP using RC4-encrypted requests. The malware, first observed in October 2023, has the capability to execute discovery commands, query information about the victim's machine, update itself, and download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by the same individual suspected of creating the IcedID (aka BokBot) malware.
   Advisory: Microsoft Security Intelligence - Trojan:Win32/Latrodectus

2. IcedID Malware
   Description: The IcedID (aka BokBot) malware was originally classified as banking malware when first observed in 2017. It acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server and downloads the standard DLL Loader, which then delivers the standard IcedID Bot. IcedID is developed and operated by the same individual suspected of creating the Latrodectus backdoor malware.
   Advisory: Microsoft Security Intelligence - Trojan:Win32/IcedID

Operation Endgame

Between the 30th Nov 2024 and the 28th May 2024, law enforcement agencies and judicial authorities, coordinated by Europol and Eurojust (European Union Agency for Criminal Justice Cooperation), launched the multinational coordinated cyber operation called Operation Endgame.

The operation targeted the malware used to launch ransomware attacks.

Malware 'droppers' and 'loaders' are used to gain access to a victim’s computer, either dropping ransomware or other malicious software used to collect and steal personal and financial login information.

List of Dropper Malware Targeted

1. IcedID
   Description: The IcedID (aka BokBot) malware was originally classified as banking malware when first observed in 2017. It acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server and downloads the standard DLL Loader, which then delivers the standard IcedID Bot. IcedID is developed and operated by the same individual suspected of creating the Latrodectus backdoor malware.

2. SystemBC
   Description: SystemBC is a multi-platform proxy malware active since August 2019. It creates SOCKS5 network tunnels in the victim's network and connects to its C2 server using a custom, RC4-encrypted protocol. It can also download and execute additional malware, with payloads either written to disk or mapped into memory. The SystemBC kit, including the C2 panel, server, and malware executables, is sold in underground forums.

3. Pikabot
   Description: The Pikabot dropper is an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilises a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options.

4. SmokeLoader
   Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404, but the response body still contains data.

5. BumbleBee
   Description: This malware is delivered by an ISO file containing a DLL with a custom loader. Because of its unique user-agent "bumblebee", the malware was dubbed BUMBLEBEE. At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed fetching Cobalt Strike payloads.

Note:

SystemBC Malware as a Service (MaaS) and Ransomware as a Service (RaaS) are adaptations of the Software as a Service (SaaS) model.

Ransomware affiliates receive significant payments or dividends for each successful cyberattack; as a consequence, they are motivated to spread the malicious software, rapidly scaling the ransomware operation over a short period of time.

During Operation Endgame, over one hundred (100) servers and domains were seized or taken down.

Operation Endgame Season 2.0

Between the 19th May 2025 and the 22nd May 2025, law enforcement agencies and judicial authorities, coordinated by Europol and Eurojust, launched the multinational coordinated cyber operation called Operation Endgame 2.0, building upon the success of Operation Endgame.

The operation sought to dismantle key infrastructure behind the malware used to launch ransomware attacks, and it also targeted new malware variants and successor groups that re-emerged after Operation Endgame had concluded.

Law enforcement authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets.

€3.5 million in cryptocurrency was seized during Operation Endgame Season 2.0; this brought the total amount seized during Operation Endgame to more than €21.2 million.

The data contained in the IcedID/Latrodectus Historical Bot Infections Special Report was provided to the Shadowserver Foundation by the law enforcement agencies involved in Operation Endgame Season 2.0, with the objective of having the information disseminated to national CERTs/CSIRTs and network owners globally in order to maximise remediation efforts.

Problem

Shadowserver Foundation - IcedID/Latrodectus Historical Bot Infections Special Report - Tag Index

Note: In the 'Tag' column of the IcedID/Latrodectus Historical Bot Infections Special Report, the Shadowserver Foundation uses the following terms to indicate the type of malware infection.

Latrodectus/IcedID Malware

1. Latrodectus
   Description: This tag indicates the presence of the Latrodectus backdoor malware, which is written in C and communicates over HTTP using RC4-encrypted requests. The malware, first observed in October 2023, has the capability to execute discovery commands, query information about the victim's machine, update itself, and download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by the same individual suspected of creating the IcedID (aka BokBot) malware.
   Advisory: Microsoft Security Intelligence - Trojan:Win32/Latrodectus

2. IcedID
   Description: This tag indicates the presence of the IcedID (aka BokBot) malware, which was originally classified as banking malware when it was first observed in 2017. It acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server and downloads the standard DLL Loader, which then delivers the standard IcedID Bot. IcedID is developed and operated by the same individual suspected of creating the Latrodectus backdoor malware.
   Advisory: Microsoft Security Intelligence - Trojan:Win32/IcedID
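The Tag Index above is what an analyst keys on when the report arrives as a CSV. The following script is an added example (not Shadowserver's own tooling) that counts hits per tag, records which family each reported IP carries, groups the IPs by ASN so each network owner receives one notice, and surfaces any tag the index does not cover rather than silently dropping it. The column names and the sample rows are assumptions modelled on Shadowserver's CSV layout; verify them against the header of the report you actually receive.

```python
"""Triage a Shadowserver special report by the values in its 'tag' column.

Added example; this is not Shadowserver's own tooling. The column names
(timestamp, ip, asn, geo, hostname, tag, public_source, infection) are
assumptions modelled on Shadowserver's CSV report layout: check them
against the header of the report you actually receive.
"""
import csv
import io
from collections import Counter, defaultdict

# Tags documented in the advisory's Tag Index, mapped to the malware they indicate.
TAG_INDEX = {
    "latrodectus": "Latrodectus backdoor (Trojan:Win32/Latrodectus)",
    "icedid": "IcedID / BokBot (Trojan:Win32/IcedID)",
}

# Constructed sample rows, not real report data. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; AS64500/AS64501 are private ASNs.
SAMPLE_REPORT = """\
timestamp,ip,asn,geo,hostname,tag,public_source,infection
2025-05-28 00:00:00,203.0.113.10,64500,XX,host-a.example,latrodectus,operation-endgame,latrodectus
2025-05-28 00:00:00,203.0.113.10,64500,XX,host-a.example,icedid,operation-endgame,icedid
2025-05-28 00:00:00,203.0.113.25,64500,XX,host-b.example,icedid,operation-endgame,icedid
2025-05-28 00:00:00,198.51.100.7,64501,XX,,latrodectus;icedid,operation-endgame,latrodectus
2025-05-28 00:00:00,198.51.100.9,64501,XX,host-c.example,unknown-tag,operation-endgame,
"""


def split_tags(field):
    """Tag fields may carry several values separated by ';'; normalise to lowercase."""
    return [t.strip().lower() for t in field.split(";") if t.strip()]


def triage(report_text):
    """Summarise a report: hits per tag, families per IP, IPs per ASN, unknown tags.

    Rows whose tags are all outside TAG_INDEX are reported as 'unrecognised'
    rather than silently dropped, so a new tag in a future report is noticed.
    """
    per_tag = Counter()
    per_ip = defaultdict(set)
    by_asn = defaultdict(set)
    unrecognised = set()
    for row in csv.DictReader(io.StringIO(report_text)):
        tags = split_tags(row["tag"])
        hits = [t for t in tags if t in TAG_INDEX]
        unrecognised.update(t for t in tags if t not in TAG_INDEX)
        for tag in hits:
            per_tag[tag] += 1
            per_ip[row["ip"]].add(TAG_INDEX[tag])
        if hits:
            by_asn[row["asn"]].add(row["ip"])
    return {
        "per_tag": dict(per_tag),
        "per_ip": {ip: sorted(fams) for ip, fams in per_ip.items()},
        "by_asn": {asn: sorted(ips) for asn, ips in by_asn.items()},
        "unrecognised_tags": sorted(unrecognised),
    }


def notification_text(asn, ips, per_ip):
    """One plain-text notice per network owner, listing each IP and what was seen on it."""
    lines = [f"AS{asn}: {len(ips)} address(es) reported in the IcedID/Latrodectus special report"]
    for ip in ips:
        lines.append(f"  {ip}: {', '.join(per_ip[ip])}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("hits per tag:", summary["per_tag"])
    print("tags not in index:", summary["unrecognised_tags"])
    for asn, ips in summary["by_asn"].items():
        print(notification_text(asn, ips, summary["per_ip"]))
```

Run it against the real report by reading the file into `triage()` in place of `SAMPLE_REPORT`; the `unrecognised_tags` list is the field to check first, since an unexpected tag usually means the index on this page needs updating rather than that the row can be ignored.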

Recommendations

Recommended response to a report of a device infected with Latrodectus or IcedID malware.

Response to malware

1. Full anti-virus scan of infected device
   Description: It is recommended that a full anti-virus scan of the infected device is performed to ensure the successful removal of either the Latrodectus or IcedID malware and of any Remote Administration Tool (RAT) (backdoor payload) inserted by the malicious actor. Windows Defender, the built-in anti-virus protection included in the Microsoft Windows 10 and Windows 11 operating systems, can be used, or any reputable third-party anti-virus software product. Finally, it is recommended that the anti-malware definitions for Microsoft Defender or the reputable third-party anti-virus software product used are updated prior to initiating a scan.

2. Monitor infected device
   Description: It is recommended that the device reported as having been infected with either the Latrodectus or IcedID malware is monitored, and continues to be monitored after the malware has been successfully removed, for unusual or suspicious activity, to ensure the prevention of reinfection or attempted reinfection of the device.

3. Credentials
   Description: In the event that either a Latrodectus or an IcedID malware infection is confirmed, it is recommended that login account passwords are changed and login accounts are monitored for unusual or suspicious activity.

4. Ingress filtering
   Description: Ingress filtering is implemented as a predefined security rule on the perimeter firewall to ensure that incoming packets are actually from the networks from which they claim to originate; it is a countermeasure against spoofing attacks.

5. Egress filtering
   Description: Egress filtering is implemented as a predefined security rule on the perimeter firewall to monitor and restrict the flow of outbound packets from one network to another, to ensure that unauthorised or malicious traffic never leaves an internal network.

6. Firewall
   Description: The firewall is an optimal policy enforcement point for protection from malware and advanced persistent threats. A DNS service that utilises Response Policy Zones (RPZs) together with a threat intelligence (malware feed) service protects against malware and APTs by disrupting the ability of infected devices to communicate with command-and-control (C2) sites and botnets, preventing data exfiltration.

7. Access Control Lists
   Description: An Access Control List (ACL) contains rules, predefined by the network administrator, that grant or deny access to a system environment. Strict ACLs should be implemented to control which devices and networks are allowed to access and use the network servers. Networking ACLs manage network access by providing instructions to network switches and routers that specify the types of traffic allowed to interface with the network. These ACLs also specify user permissions once inside the network.

8. Block outdated and unused ports
   Description: On the perimeter firewall, it is recommended that communication from outdated or unused ports, protocols, and applications be blocked.
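Recommendations 4 to 8 describe one perimeter policy: drop inbound packets whose source claims an internal or non-routable range, deny outbound traffic by default, pin DNS to the RPZ resolver so the malware feed can sinkhole C2 names, and explicitly block outdated or unused ports. The following is an added example, not Shadowserver's or Europol's material, that models that policy as a packet classifier so each rule can be checked against constructed traffic before it is written into a real firewall. The internal ranges, the resolver address, the published service and the port lists are assumptions chosen for illustration; a real deployment expresses the same decisions in the firewall's own rule language.

```python
"""Model of the perimeter filtering policy from recommendations 4 to 8:
ingress anti-spoofing, egress default-deny, DNS pinned to the RPZ resolver,
and an explicit block on outdated or unused ports.

Added example, not Shadowserver's or Europol's material. The address ranges,
resolver address, published service and port lists are assumptions chosen for
illustration; a real deployment expresses the same policy in the firewall's
own rule language.
"""
import ipaddress
from dataclasses import dataclass

# Assumed internal address space behind the perimeter.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ranges that must never appear as the source of a packet arriving from outside.
NEVER_FROM_OUTSIDE = INTERNAL + [ipaddress.ip_network(n) for n in
                                 ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]
# Assumed internal resolver that applies Response Policy Zones (recommendation 6).
RPZ_RESOLVER = ipaddress.ip_address("10.0.0.53")
# Assumed public web service: the only inbound destination the perimeter publishes.
PUBLISHED = {("tcp", 443, ipaddress.ip_address("203.0.113.5"))}
# Outbound protocol/port pairs allowed to leave the network (recommendation 5).
EGRESS_ALLOW = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}
# Outdated or unused services blocked explicitly so the log says why (recommendation 8).
LEGACY_BLOCK = {("tcp", 23), ("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 137)}


@dataclass(frozen=True)
class Packet:
    direction: str   # "ingress" = arriving from outside, "egress" = leaving the network
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def in_any(addr, nets):
    return any(addr in net for net in nets)


def decide(pkt):
    """Return (verdict, reason) for one packet under the perimeter policy."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    key = (pkt.proto, pkt.dport)
    if pkt.direction == "ingress":
        # Recommendation 4: a packet from outside claiming an inside or bogon source is spoofed.
        if in_any(src, NEVER_FROM_OUTSIDE):
            return ("drop", "ingress filter: spoofed source in an internal/bogon range")
        if (pkt.proto, pkt.dport, dst) in PUBLISHED:
            return ("accept", "ingress: published service")
        return ("drop", "ingress: default deny")
    if pkt.direction == "egress":
        # Outbound traffic must originate inside; anything else is spoofed or misrouted.
        if not in_any(src, INTERNAL):
            return ("drop", "egress filter: source is not an internal address")
        if key in LEGACY_BLOCK:
            return ("drop", "egress: outdated/unused port blocked")
        # DNS may only leave via the RPZ resolver, so the malware feed can sinkhole C2 names.
        if pkt.dport == 53 and src != RPZ_RESOLVER:
            return ("drop", "egress: DNS must go through the RPZ resolver")
        if key not in EGRESS_ALLOW:
            return ("drop", "egress: default deny")
        return ("accept", "egress: allowed")
    raise ValueError(f"unknown direction {pkt.direction!r}")


# Constructed packets (documentation ranges), not captured traffic.
SAMPLE_PACKETS = [
    Packet("ingress", "10.1.2.3", "203.0.113.5", 443),          # spoofed internal source
    Packet("ingress", "198.51.100.7", "203.0.113.5", 443),      # legitimate inbound to web service
    Packet("ingress", "198.51.100.7", "203.0.113.5", 22),       # unpublished service
    Packet("egress", "10.1.2.3", "198.51.100.20", 443),         # normal browsing
    Packet("egress", "10.1.2.3", "198.51.100.53", 53, "udp"),   # host bypassing the resolver
    Packet("egress", "10.0.0.53", "198.51.100.53", 53, "udp"),  # resolver's own upstream query
    Packet("egress", "10.1.2.3", "198.51.100.20", 445),         # SMB leaving the network
    Packet("egress", "203.0.113.99", "198.51.100.20", 443),     # non-internal source going out
]


def evaluate(packets):
    return [decide(p) for p in packets]


if __name__ == "__main__":
    for p, (verdict, why) in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS)):
        print(f"{p.direction:7} {p.src:>14} -> {p.dst}:{p.dport}/{p.proto}  {verdict:6} {why}")
```

The reason string returned with each verdict is the part worth carrying into the real rule set as a log prefix: when a device on the report list is later seen hitting "DNS must go through the RPZ resolver" or "outdated/unused port blocked", that log line is the monitoring signal recommendation 2 asks for.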

Additional Information

Shadowserver Foundation - IcedID/Latrodectus Historical Bot Infections Special Report
Microsoft - Getting started with Microsoft Defender.
EUROPOL - Largest ever operation against botnets hits dropper malware ecosystem.
EUROPOL - Operation ENDGAME strikes again: the ransomware kill chain broken at its source.
ENFAST - Operation Endgame.
Trustwave - Analyzing Latrodectus: The New Face of Malware Loaders.
Trustwave - HTML Smuggling: The Hidden Threat in Your Inbox.
Malpedia - Latrodectus.
Malpedia - IcedID.