At the end of May 2024, Operation Endgame, the largest law enforcement operation against botnets to date, targeted several botnets including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot. The operation significantly impacted these botnets by disrupting their operations and taking down their infrastructure. Although Latrodectus was not named in the operation, it was also affected and its infrastructure went offline. As Proofpoint and Team Cymru S2 pointed out in their joint article, the infrastructure of Latrodectus and IcedID overlapped.
Latrodectus is a loader capable of downloading and executing additional payloads and modules to extend its own functionality. Active since at least October 2023, this malware is usually distributed through email spam campaigns, primarily by two threat actors known as TA577 and TA578.
In this article we provide a technical analysis of Latrodectus and some insights about its victims up until Operation Endgame.
Latrodectus bot analysis
Upon execution, Latrodectus resolves all needed Windows APIs by hash, performs checks to determine if it is running inside a sandbox, and checks for other instances of itself to avoid infecting the same machine twice. If the system passes these checks, the malware installs itself and registers with the command and control (C2) server. Once registered, the bot stays in a loop to request additional instructions.
Anti analysis
Upon starting, Latrodectus ensures that it is not running in an analysis environment such as a sandbox. If any of the checks described below fails, the malware aborts execution.
Debugger check
This check simply verifies whether the BeingDebugged flag is set in the Process Environment Block (PEB); if it is, the malware aborts.

Total running processes check
In this check, the malware looks at the total number of running processes. Latrodectus expects at least 75 running processes for Windows 10 and later, and at least 50 processes for versions earlier than Windows 10.

System architecture check
This check is intended to determine if the malware is running on a 64-bit host.

MAC address check
This check validates the MAC addresses of all network adapters in the system to ensure they are valid and of the correct size.

Mutex check
Latrodectus attempts to create a mutex named running. If creation fails or the mutex already exists, it terminates execution. This mechanism prevents multiple infections on the same machine.

Windows API resolution
All necessary Windows APIs are resolved at the beginning of execution. To do so, Latrodectus finds the base addresses of kernel32.dll and ntdll.dll by traversing the Process Environment Block (PEB) structure. The function responsible for this takes the CRC32 hash of the DLL name (as a Unicode string) and returns the base address of the matching module.

After resolving the base addresses of kernel32.dll and ntdll.dll, it resolves the base addresses of additional libraries such as user32.dll, wininet.dll, shell32.dll, advapi32.dll, urlmon.dll, shlwapi.dll, ole32.dll, and iphlpapi.dll. To do so, it enumerates all DLL files inside the C:\Windows\system32\ folder and compares the CRC32 hash of each Unicode name string with the target value. If there's a match, Latrodectus calls LoadLibraryW to load the target library and obtain its base address.

After loading all needed DLLs, Latrodectus resolves all the necessary APIs by comparing the CRC32 hash value of the exported functions with the target values. All pointers to the APIs are saved in global variables.
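The practical consequence of API hashing is that the analyst has to rebuild the hash-to-name mapping before the code becomes readable. The script below is an added example (not code from the article or from the malware) of how to do that: it pre-computes CRC32 values over candidate DLL and export names and looks up the constants pulled from a sample. The export lists are constructed for the example, and the exact hashing details (standard CRC-32 polynomial, UTF-16LE for DLL names, ASCII for export names, no terminator, case sensitivity) are assumptions that have to be confirmed against the sample, which is why every name is also hashed in lower and upper case.

```python
import zlib

# Constructed export lists for the example (not taken from real PE files).
# A real tool would walk the export directory of each DLL on disk instead.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["CreateMutexW", "GetVolumeInformationW", "LoadLibraryW"],
    "ntdll.dll": ["NtQuerySystemInformation", "RtlGetVersion"],
    "wininet.dll": ["HttpSendRequestW", "InternetOpenW"],
}


def crc32_unicode(name: str) -> int:
    """CRC32 over the UTF-16LE bytes of a DLL name (the PEB stores Unicode names).
    Assumptions: standard CRC-32 polynomial (zlib), no terminator, case as given."""
    return zlib.crc32(name.encode("utf-16-le")) & 0xFFFFFFFF


def crc32_ascii(name: str) -> int:
    """CRC32 over the ASCII export name (the PE export table stores ANSI names)."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(exports: dict) -> dict:
    """Map every CRC32 value we can pre-compute back to a readable name.
    Each name is hashed as written, lower-cased and upper-cased, because the
    case a given sample hashes is one of the things the analyst must confirm."""
    table = {}
    for dll, names in exports.items():
        for variant in (dll, dll.lower(), dll.upper()):
            table[crc32_unicode(variant)] = dll
        for fn in names:
            for variant in (fn, fn.lower(), fn.upper()):
                table[crc32_ascii(variant)] = f"{dll}!{fn}"
    return table


def resolve_hashes(hashes, table: dict) -> dict:
    """Resolve hash constants pulled from a sample; unknown values map to None
    so they stand out for manual follow-up (wrong polynomial, wrong case, ...)."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    wanted = [crc32_ascii("CreateMutexW"), crc32_unicode("ntdll.dll"), 0x12345678]
    for h, name in resolve_hashes(wanted, table).items():
        print(f"{h:08X} -> {name}")
```

Feeding the resolver the full export lists of the system DLLs named above (dumped with any PE parser) turns the global pointer table into named imports in one pass; any constant that stays unresolved usually means the sample hashes names differently from the assumption made here.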

Strings decryption
Whenever Latrodectus needs to decrypt a string, it calls a function that takes two arguments: a pointer to the buffer containing the encrypted string blob, and a pointer to the output buffer where the plaintext string will be stored.

All encrypted strings start with a 6-byte header. The first 4 bytes contain the initial XOR seed and the next 2 bytes contain the length of the XOR-encrypted string. The decrypt function walks the encrypted bytes and XORs each one with the current seed. The seed changes at every iteration using a pseudo-random number generator (PRNG)-like function.

In the latest version of Latrodectus, the PRNG-like function has been simplified: the seed is now just incremented by 1 at every iteration.

Malware developers usually make decryption routines more complex with updates, but here they did the opposite.
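The following decryptor is an added example written for this article, not code recovered from the sample. It implements the header layout described above with the simplified seed update of the latest version; the seed update is a callback so that the PRNG-like function recovered from an older sample can be plugged in instead. Two details the text does not pin down are assumptions here: the header is taken as little-endian (uint32 seed followed by uint16 length) and each byte is XORed with the low byte of the current seed.

```python
import struct
from typing import Callable

SeedFn = Callable[[int], int]


def next_seed_latest(seed: int) -> int:
    """Seed update in the latest Latrodectus version: simply add 1 (mod 2^32)."""
    return (seed + 1) & 0xFFFFFFFF


def decrypt_string(blob: bytes, next_seed: SeedFn = next_seed_latest) -> bytes:
    """Decrypt one string blob: 4-byte seed, 2-byte length, then the XORed bytes.
    Assumptions: little-endian header; each byte is XORed with the low byte of
    the running seed. Older samples need their own next_seed callback."""
    if len(blob) < 6:
        raise ValueError("blob shorter than the 6-byte header")
    seed, length = struct.unpack_from("<IH", blob, 0)
    body = blob[6:6 + length]
    if len(body) != length:
        raise ValueError(f"header claims {length} bytes, only {len(body)} present")
    out = bytearray()
    for b in body:
        out.append(b ^ (seed & 0xFF))
        seed = next_seed(seed)
    return bytes(out)


def encrypt_string(plain: bytes, seed: int, next_seed: SeedFn = next_seed_latest) -> bytes:
    """Inverse of decrypt_string. XOR is symmetric, so running the decryptor over
    the plaintext with the same header produces the ciphertext; used to build test blobs."""
    header = struct.pack("<IH", seed & 0xFFFFFFFF, len(plain))
    return header + decrypt_string(header + plain, next_seed)


if __name__ == "__main__":
    blob = encrypt_string(b"/live/", 0xDEADBEEF)   # constructed blob, not from a sample
    print(blob.hex(), "->", decrypt_string(blob))
```

When carving strings out of a sample, the 2-byte length in the header is the only trustworthy delimiter; scanning for plausible 6-byte headers and checking that decryption yields printable text is a quick way to dump every string at once.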
Bot ID
Latrodectus creates a unique bot ID for each victim based on the volume serial number. To do so, first it grabs the serial using the Windows API GetVolumeInformationW.

The volume serial number is subsequently passed to another function, where the bot ID is generated using this number alongside the hardcoded value 0x19660D (1664525, the multiplier of the well-known Numerical Recipes linear congruential generator).

As the final step, the generated bot ID is converted to a hexadecimal string using the following format: %04X%04X%04X%04X%08X%04X.

Group and Group ID
All Latrodectus samples contain an encrypted string that is the group name, i.e. the campaign identifier. Latrodectus hashes this string with 32-bit FNV-1a to calculate the group ID, which is later used in the communication protocol.
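As an added example (not the malware's own code), the snippet below implements 32-bit FNV-1a and recomputes the group IDs published in the Campaigns and victims section of this article, so the hashing convention (ASCII, case-sensitive, standard offset basis and prime) can be checked against the table, and a group= value captured in traffic can be mapped back to a candidate name.

```python
from typing import Iterable, Optional

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte in, then multiply by the prime, modulo 2^32."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def group_id(group_name: str) -> int:
    """Group ID as carried in the beacon's group= field (hash of the ASCII name, case-sensitive)."""
    return fnv1a32(group_name.encode("ascii"))


# Group names and IDs as listed in the Campaigns and victims section of this article.
PUBLISHED_GROUPS = {
    "test": 2949673445, "Novik": 1053565364, "Olimp": 445271760,
    "Liniska": 2020984416, "Trust": 2317793045, "Supted": 1081065992,
    "Littlehw": 510584660, "Facial": 3828029093, "Electrol": 2221766521,
    "Compati": 3581839234,
}


def check_published_groups(groups: dict = PUBLISHED_GROUPS) -> dict:
    """Recompute each published ID. A False entry means that name was hashed
    differently (e.g. other case or encoding) from what this code assumes."""
    return {name: group_id(name) == gid for name, gid in groups.items()}


def reverse_group_id(gid: int, candidates: Iterable[str]) -> Optional[str]:
    """Map a group= value seen in traffic back to a name from a candidate list."""
    for name in candidates:
        if group_id(name) == gid:
            return name
    return None


if __name__ == "__main__":
    for name, ok in check_published_groups().items():
        print(f"{name:10s} {group_id(name):>10d} {'ok' if ok else 'MISMATCH'}")
```

Because the hash is only 32 bits and the inputs are short words, a wordlist brute force against an unknown group= value is cheap; the reverse lookup above is the minimal form of that.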

C2 decryption
Latrodectus samples always contain two encrypted command and control (C2) servers. These C2 servers are decrypted like any other string and are stored within a memory structure.

The update data .dat file
Before starting the communication routines, Latrodectus checks for the existence of the file %appdata%\Custom_update\update_data.dat. If the file exists, it reads and decrypts its content. This file contains updated C2 URLs sent by the hardcoded C2 servers found within the sample.

If Latrodectus is running for the first time, the update_data.dat file will not exist. This file is only written to disk when the malware receives an updated list of C2 servers.

If the malware is not running from within the Appdata folder, it copies itself to a file named %appdata%\Custom_update\Update_%x.dll and deletes the original, where %x is replaced with a 4-byte integer in hex format (8 characters in total). This integer is the result of multiplying the volume serial number by the hardcoded constant 0x19660D.

Afterwards, it uses the Microsoft Component Object Model (COM) to create a scheduled task named Updater, ensuring that the malware runs at every logon.

Communications protocol
Latrodectus uses POST requests over HTTPS to register itself with the C2 servers and receive additional instructions and commands. The data sent in the HTTP body (referred to as beacon data) is RC4 encrypted with the key 12345 and base64 encoded.
Note: This RC4 key was used in the initial campaigns but has since been changed. Check the Indicators section for a complete list of all known RC4 keys.
Latrodectus sends requests at intervals ranging from 7.5 to 10 minutes. However, the C2 server can send a specific command to change the interval to 25 to 35 minutes.
Another interesting aspect of the communications protocol is that Latrodectus always uses Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) as the user agent string, and the requests are always sent to /live/.

Beacon data
Before sending the HTTP POST request, Latrodectus builds a string with the following format: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s. This is referred to as the base beacon, as this data is included in every request.

Base beacon fields:
Field | Description |
counter | total number of HTTP requests sent so far, starting at 0 |
type | beacon type: 1 normal beacon, 2 running outside of Appdata, 3 sysinfo beacon, 4 process list beacon, 5 desktop links beacon, 21 stealer beacon |
guid | bot ID string |
os | major version of Windows |
arch | always 1, which refers to x64 |
username | name of the logged-in user |
group | FNV-1a hash of the group string, aka the campaign identifier |
ver | major and minor version of the malware; known versions are 1.1, 1.2, and 1.3 |
up | hardcoded value that changes between samples |
direction | current C2 domain to which the request is sent |
If the beacon field counter is zero, Latrodectus sends the registration beacon. To do so, it appends the following three extra fields to the base beacon.
Extra field | Description |
mac | list of MAC addresses of the infected system; each MAC is terminated with a ; |
computername | hostname of the infected system |
domain | domain name; if the system is not part of a domain this field is filled with a - |
The complete registration beacon looks like this: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s&mac=%s&computername=%s&domain=%s
Latrodectus encrypts the beacon string using RC4 with the key 12345 (or the sample's key, see the Indicators section), base64 encodes it, and sends it to the C2 server.

C2 instructions and commands
The response from the C2 is also RC4 encrypted using the same key 12345 and base64 encoded. It can contain several instructions delimited by newline characters (\n), with the arguments of each instruction separated by |.

List of available instructions:
Instruction | Description |
URLS | sends a new server to be stored in the update C2 table at a given index |
CLEARURL | cleanup/reset update C2 table |
COMMAND | sends a command to be executed by the bot. the commands are identified by an ID number |
ERROR | sends error message to bot |
The COMMAND instruction is crucial as it directs the bot to perform specific actions. This instruction takes the command ID as the first argument and can receive a second argument that is passed to the function implementing the command.
Here's a list of all available commands implemented in the bot:
Command ID | Description |
2 | Collect desktop filenames |
3 | Collect running processes |
4 | Collect sysinfo |
12 | Download and execute EXE file |
13 | Download and execute DLL file via rundll32 |
14 | Download and execute shellcode |
15 | Download and execute update EXE file (self update) |
17 | Uninstall |
18 | Download and execute Anubis aka IcedID |
19 | Extra sleep (increase next sleep time) |
20 | Reset counter (http request counter) |
21 | Download and execute stealer module |
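To tie the beacon format, the RC4/base64 wrapping, and the instruction parsing together, here is an added example of both sides of the exchange as a small client-side state machine. This is example code written for this article, not code from the sample, and it makes a few assumptions the text does not settle: the URLS instruction is taken as URLS|<index>|<url>, command 19 is taken to be the command that moves the interval to 25 to 35 minutes, and the host part of the current C2 URL is what goes into direction and replaces front:// in module downloads.

```python
import base64
from urllib.parse import urlparse


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_body(key: bytes, plain: str) -> str:
    """RC4 then base64, the wrapping used for both the beacon and the C2 reply."""
    return base64.b64encode(rc4(key, plain.encode())).decode()


def decode_body(key: bytes, b64: str) -> str:
    return rc4(key, base64.b64decode(b64)).decode()


def parse_instructions(text: str):
    """Newline-delimited instructions, each with |-separated arguments."""
    return [line.split("|") for line in text.split("\n") if line]


class LatrodectusBot:
    """Client-side view of the beacon/instruction exchange (example model)."""

    def __init__(self, guid, username, group_id, c2_urls, macs, computername,
                 domain="-", rc4_key=b"12345", os_major=10, ver=(1, 3), up=4):
        self.guid, self.username, self.group_id = guid, username, group_id
        self.c2_urls, self.update_c2 = list(c2_urls), {}   # hardcoded table, C2-supplied table
        self.macs, self.computername, self.domain = macs, computername, domain
        self.rc4_key, self.os_major, self.ver, self.up = rc4_key, os_major, ver, up
        self.counter = 0
        self.sleep_range = (450, 600)        # 7.5 to 10 minutes, in seconds
        self.pending, self.errors = [], []

    def current_c2(self) -> str:
        """C2-supplied URLs (update table) take priority over the hardcoded ones."""
        return self.update_c2[min(self.update_c2)] if self.update_c2 else self.c2_urls[0]

    def build_beacon(self, btype: int = 1, extra: str = "") -> str:
        direction = urlparse(self.current_c2()).netloc
        s = (f"counter={self.counter}&type={btype}&guid={self.guid}&os={self.os_major}"
             f"&arch=1&username={self.username}&group={self.group_id}"
             f"&ver={self.ver[0]}.{self.ver[1]}&up={self.up}&direction={direction}")
        if self.counter == 0:   # first contact: registration beacon with the three extra fields
            macs = "".join(m + ";" for m in self.macs)
            s += f"&mac={macs}&computername={self.computername}&domain={self.domain}"
        self.counter += 1
        return s + extra

    def send(self, btype: int = 1, extra: str = "") -> str:
        """What actually goes into the POST body."""
        return encode_body(self.rc4_key, self.build_beacon(btype, extra))

    def handle_response(self, body_b64: str) -> None:
        for name, *args in parse_instructions(decode_body(self.rc4_key, body_b64)):
            if name == "URLS":          # assumed layout: URLS|<index>|<url>
                self.update_c2[int(args[0])] = args[1]
            elif name == "CLEARURL":
                self.update_c2.clear()
            elif name == "COMMAND":
                cmd_id = int(args[0])
                arg = args[1] if len(args) > 1 else None
                if cmd_id == 19:        # extra sleep: 25 to 35 minutes (assumed mapping)
                    self.sleep_range = (1500, 2100)
                elif cmd_id == 20:      # reset counter: the next beacon re-registers
                    self.counter = 0
                else:
                    self.pending.append((cmd_id, arg))
            elif name == "ERROR":
                self.errors.append("|".join(args))

    def module_url(self, filename: str) -> str:
        """front://<file> (command 21 argument) rewritten to https://<current C2 domain>/<file>."""
        host = urlparse(self.current_c2()).netloc
        return filename.replace("front://", f"https://{host}/", 1)
```

Two things fall out of modelling it this way: command 20 is effectively a forced re-registration, because counter 0 is what triggers the mac/computername/domain fields, and the URLS/CLEARURL pair is the mechanism by which takedown-resilient C2 rotation happens without touching the sample.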
Some available commands will affect both the beacon type and the data of the next request to the C2 server, so let's review those.
Command ID 2 - Collect desktop files
This command collects the desktop filenames and builds a list as follows: &desklinks=["filename1", "filename2", ...]

The list is appended to the base beacon, and the beacon field type is set to 5, indicating a desktop links beacon.

The complete beacon string for the desktop links beacon looks like the following: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s&desklinks=["filename1", "filename2", ...]
Command ID 3 - Collect running processes
This command collects the list of running processes and builds a list as follows: &proclist=[{"pid": "%d","proc": "%s","subproc": []}, ...]

The list is appended to the base beacon, and the beacon field type is set to 4, indicating a process list beacon.

The complete beacon string for the process list beacon looks like the following: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s&proclist=[{"pid": "%d","proc": "%s","subproc": []}, ...]
Command ID 4 - Collect sysinfo
This command executes a pre-defined list of reconnaissance commands and stores the output of each in an in-memory structure.

Here's the complete list of commands Latrodectus executes on an infected system after receiving this command from the C2 server, along with their respective beacon extra fields:
Command | Extra field |
request public ip from | realip |
cmd.exe /c ipconfig /all | ipconfig |
cmd.exe /c systeminfo | systeminfo |
cmd.exe /c nltest /domain_trusts | domain_trusts |
cmd.exe /c nltest /domain_trusts /all_trusts | domain_trusts_all |
cmd.exe /c net view /all /domain | net_view_all_domain |
cmd.exe /c net view /all | net_view_all |
cmd.exe /c net group "Domain Admins" /domain | net_group |
wmic.exe /Node:localhost /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List | wmic |
cmd.exe /c net config workstation | net_config_ws |
cmd.exe /c wmic.exe /node:localhost /namespace:\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed | net_wmic_av |
cmd.exe /c whoami /groups | whoami_group |
Latrodectus base64 encodes the output of each command and appends it to the base beacon using the extra field names from the table above. The beacon field type is set to 3, indicating a sysinfo beacon.

The complete beacon string for the sysinfo beacon looks like the following: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s&realip=<base64>&ipconfig=<base64>&systeminfo=<base64>&domain_trusts=<base64>&domain_trusts_all=<base64>&net_view_all_domain=<base64>&net_view_all=<base64>&net_group=<base64>&wmic=<base64>&net_config_ws=<base64>&net_wmic_av=<base64>&whoami_group=<base64>
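The sysinfo command is also the noisiest thing the bot does on a host: a burst of living-off-the-land discovery commands from one parent process within seconds. The following is an added detection example (not from the article) that runs that logic over constructed process-creation events: it tags each command line against the recon commands listed above and flags any parent PID that spawns at least five distinct ones inside a sliding window. The events, PIDs and timestamps are made up for the example; an administrator running two of these commands minutes apart is included to show the threshold does not fire on routine use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per reconnaissance command from the table above, tagged with the
# beacon field it feeds (the two nltest variants share a tag on purpose).
RECON_PATTERNS = [
    (r"\bipconfig\b.*\s/all\b", "ipconfig"),
    (r"\bsysteminfo\b", "systeminfo"),
    (r"\bnltest\b.*\s/domain_trusts\b", "domain_trusts"),
    (r"\bnet\b\s+view\b.*\s/all\b", "net_view"),
    (r'\bnet\b\s+group\b.*"Domain Admins"', "net_group"),
    (r"SecurityCenter2.*AntiVirusProduct", "av_query"),
    (r"\bnet\b\s+config\s+workstation\b", "net_config"),
    (r"\bwhoami\b.*\s/groups\b", "whoami_groups"),
]

# Constructed process-creation events (not real telemetry). Parent 4242 stands
# in for the infected host process; parent 9001 is an administrator's shell.
SAMPLE_EVENTS = [
    {"ts": "2024-05-20T10:00:00", "ppid": 4242, "pid": 5001, "cmdline": r"cmd.exe /c ipconfig /all"},
    {"ts": "2024-05-20T10:00:01", "ppid": 4242, "pid": 5002, "cmdline": r"cmd.exe /c systeminfo"},
    {"ts": "2024-05-20T10:00:03", "ppid": 4242, "pid": 5003, "cmdline": r"cmd.exe /c nltest /domain_trusts"},
    {"ts": "2024-05-20T10:00:04", "ppid": 4242, "pid": 5004, "cmdline": r"cmd.exe /c nltest /domain_trusts /all_trusts"},
    {"ts": "2024-05-20T10:00:05", "ppid": 4242, "pid": 5005, "cmdline": r"cmd.exe /c net view /all /domain"},
    {"ts": "2024-05-20T10:00:06", "ppid": 4242, "pid": 5006, "cmdline": r'cmd.exe /c net group "Domain Admins" /domain'},
    {"ts": "2024-05-20T10:00:07", "ppid": 4242, "pid": 5007, "cmdline": r"wmic.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List"},
    {"ts": "2024-05-20T10:00:08", "ppid": 4242, "pid": 5008, "cmdline": r"cmd.exe /c net config workstation"},
    {"ts": "2024-05-20T10:00:09", "ppid": 4242, "pid": 5009, "cmdline": r"cmd.exe /c whoami /groups"},
    {"ts": "2024-05-20T10:05:00", "ppid": 9001, "pid": 6001, "cmdline": r"ipconfig /all"},
    {"ts": "2024-05-20T10:07:30", "ppid": 9001, "pid": 6002, "cmdline": r"whoami /groups"},
]


def recon_tags(cmdline: str) -> set:
    """Set of recon tags a single command line matches (empty for benign commands)."""
    return {tag for rx, tag in RECON_PATTERNS if re.search(rx, cmdline, re.IGNORECASE)}


def detect_recon_bursts(events, window_s: int = 120, threshold: int = 5) -> dict:
    """Flag each parent PID that spawns at least `threshold` distinct recon commands
    inside a sliding window of `window_s` seconds; returns {ppid: sorted tags seen}."""
    window = timedelta(seconds=window_s)
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tags = recon_tags(ev["cmdline"])
        if tags:
            hits[ev["ppid"]].append((datetime.fromisoformat(ev["ts"]), tags))
    alerts = {}
    for ppid, seq in hits.items():
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:   # slide the window forward
                start += 1
            seen = set().union(*(t for _, t in seq[start:end + 1]))
            if len(seen) >= threshold:
                alerts.setdefault(ppid, set()).update(seen)
    return {ppid: sorted(tags) for ppid, tags in alerts.items()}


if __name__ == "__main__":
    for ppid, tags in detect_recon_bursts(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {len(tags)} distinct recon commands: {', '.join(tags)}")
```

In production the parent image matters as much as the burst: a rundll32.exe parent loaded from %appdata%\Custom_update\ (see the persistence section) spawning this sequence is a much stronger signal than the count alone, so the parent's image path is the first thing to join onto these alerts.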
Command ID 21 - Download and exec stealer module
When Latrodectus receives command ID 21, it also receives as an argument the filename of the DLL file hosted on the C2 server. In the response below, the filename is stkm.bin, and the front:// prefix is included to be replaced with https://<current C2 domain>.

Latrodectus downloads the module DLL and spawns a new thread to execute it and collect the data.

The data collected by the stealer module is stored in a buffer with the following format: &stiller=<data>. This data is then appended to the next beacon string, with the beacon field type set to 21, indicating a stealer beacon.

Campaigns and victims
We tracked 10 different group names associated with Latrodectus and observed nearly 5,000 distinct victims across all campaigns.
Latrodectus Groups/Campaigns:
Group | Group ID (FNV-1a hash) |
test | 2949673445 |
Novik | 1053565364 |
Olimp | 445271760 |
Liniska | 2020984416 |
Trust | 2317793045 |
Supted | 1081065992 |
Littlehw | 510584660 |
Facial | 3828029093 |
Electrol | 2221766521 |
Compati | 3581839234 |
The top 10 most affected countries (by number of distinct victims) are:
United States (652)
United Kingdom (444)
Netherlands (439)
Poland (360)
France (349)
Czechia (284)
Japan (244)
Australia (229)
Germany (228)
Canada (187)

Thanks to Operation Endgame, Latrodectus is currently offline. There is a possibility that the threat actors will attempt to revive the botnet and improve its overall operational security to prevent future disruptive actions. At Bitsight we will continue to monitor the activity of these threat actors and be on the lookout for new infrastructure related to Latrodectus.
Bitsight thanks the following organizations for supporting this research: Registrar of Last Resort (RoLR), Radix, ShortDot, BestTLD, DoMEn, CentralNic.
File hashes
Latrodectus bot:
Stealer module:
Sysinfo module:
C2 domains
RC4 keys