^[2]

^[2]

Latrodectus can runC:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain to identify domain administrator accounts.^[4]

Latrodectus can send registration information to C2 via HTTPPOST.^[1][4][3]

Latrodectus can set an AutoRun key to establish persistence.^[1]

TheLatrodectus command handler can usecmdexe to run multiple discovery commands.^[4][3]

Latrodectus has used JavaScript files as part its infection chain during malicious spam
email campaigns.^[4][3][5]

Latrodectus has Base64-encoded the message body of a HTTP request sent to C2.^[1][4]

Latrodectus can collect data from a compromised host using a stealer module.^[3]

Latrodectus has the ability to check for the presence of debuggers.^[1]

Latrodectus has the ability to deobfuscate encrypted strings.^[1][4][3]

Latrodectus can runC:\Windows\System32\cmd.exe /c nltest /domain_trusts to discover domain trusts.^[4][3]

Latrodectus can send RC4 encrypted data over C2 channels.^[1][4][3]

Latrodectus can exfiltrate encrypted system information to the C2 server.^[1][3]

Latrodectus can collect desktop filenames.^[1][3][4]

Latrodectus can delete itself while its process is still running through the use of an alternate data stream.^[4]

Latrodectus has the ability to delete itself.^[4][3]

Latrodectus can download and execute PEs, DLLs, and shellcode from C2.^[1][4][3]

Latrodectus can use the Windows Component Object Model (COM) to set scheduled tasks.^[4][3]

Latrodectus has been packed to appear as a component to Bitdefender’s kernel-mode driver, TRUFOS.SYS.^[4]

Latrodectus has used a two-tiered C2 configuration with tier one nodes connecting to the victim and tier two nodes connecting to backend infrastructure.^[1]

Latrodectus has used multiple Windows API post exploitation includingGetAdaptersInfo,CreateToolhelp32Snapshot, andCreateProcessW.^[4][3]

Latrodectus can runC:\Windows\System32\cmd.exe /c net view /all to discover network shares.^[4][3]

Latrodectus has been obfuscated with a 129 byte sequence of junk data prepended to the file.^[4]

TheLatrodectus payload has been packed for obfuscation.^[4]

Latrodectus can resolve Windows APIs dynamically by hash.^[1]

Latrodectus has used a pseudo random number generator (PRNG) algorithm and a rolling XOR key to obfuscate strings.^[1][4][3]

Latrodectus can identify domain groups throughcmd.exe /c net group "Domain Admins" /domain.^[3][4]

Latrodectus has been distributed through reply-chain phishing emails with malicious attachments.^[2]

Latrodectus has been distributed to victims through emails containing malicious links.^[1][2]

Latrodectus can enumerate running processes including process grandchildren on targeted hosts.^[1][4][3]

Latrodectus has routed C2 traffic using Keyhole VNC.^[5]

Latrodectus can create scheduled tasks for persistence.^[1][4][3]

Latrodectus has the ability to identify installed antivirus products.^[4][3]

Latrodectus has calledmsiexec to install remotely-hosted MSI files.^[1][2]

Latrodectus can use rundll32.exe to execute downloaded DLLs.^[4][2]

Latrodectus can gather operating system information.^[1][4][4][3]

Latrodectus can discover the IP and MAC address of a targeted host.^[4][3]

Latrodectus can discover the username of an infected host.^[4]

Latrodectus has the ability to restart compromised hosts.^[4]

Latrodectus has been executed through malicious links distributed in email campaigns.^[1][2]

Latrodectus has lured users into opening malicious email attachments for execution.^[2]

Latrodectus can determine if it is running in a virtualized environment by checking the OS version, checking the number of running processes, ensuring a 64-bit application is running on a 64-bit host, and checking if the host has a valid MAC address.^[1][4][3]

Latrodectus has used Google Firebase to download malicious installation scripts.^[5]

Latrodectus has used WMI in malicious email infection chains to facilitate the installation of remotely-hosted files.^[4][3]

^[1]

^[1][3]