Cybersecurity researchers have found the LATRODECTUS loader gaining favor among threat actors. It resembles ICEDID in delivering hidden content via an encrypted payload technique and in sharing network infrastructure, and it may be filling the void left by ICEDID.

LATRODECTUS uses an evolving obfuscation technique and advanced functionality such as anti-analysis checks, encrypted C2 communications, and command reception via URLs. It also exhibits connections to ICEDID in its enumeration, exports, and C2 traffic patterns, which points to potential development links. The loader is used for information gathering, code execution, binary updates, and ICEDID delivery, and it supports resetting request counters and randomized beaconing intervals.

As an alternative to the declining ICEDID, LATRODECTUS is seeing increased use in email campaigns that deliver it for remote installation, using oversized JavaScript and post-breach operations. It disguises itself as TRUFOS.SYS and has advanced in areas including file version information management, PEB and CRC32 checks, dynamic import resolution, scheduled tasks for persistence, alternate data streams for deletion, RC4 encryption of C2 communications, and command reception via various methods. Test runs were carried out with a Flask server dispatching payloads between sandboxes.

LATRODECTUS Loader gaining popularity among cybercriminals, possibly replacing ICEDID