New Vector, Who’s This?
Upon booting up my daily work, one of the first things I do is log into my OpenCTI server and see what’s going on. This is generally an initial cursory look; very often nothing has changed from one day to the next on the dashboard.
But sometimes something new pops up. Today it was the ransomware loader known as Latrodectus, coming into the top ten most active malware for the last three months in 7th position. This in itself is not an unusual occurrence. There is always some variation in the top ten, although typically the top five remain the same, shuffling among themselves. And speaking of which, CobaltStrike is still in the top spot, with the number of incidents involving it increasing to the point where my graph has zoomed out to compensate for its activity. What caught my attention with Latrodectus is that it hasn’t been particularly active of late, having been initially reported on in November of 2023 and showing signs of diminished use by March of 2024.
So, why is it back? A simple search within the last month gave me my answer. Latrodectus has a new sibling.
I’ve talked before about how malware is classified into families. In this case, Latrodectus is considered a successor to IcedID, a banking Trojan active since at least 2017. The two share many overlaps in code and behavior, and are thought to be the work of the same threat actor, TA577. And now there is a third malware in the family: YiBackdoor.
This trio shows that classification into a family does not necessarily correspond to function. IcedID is a banking Trojan: it steals login credentials for financial institutions by injecting its own content into legitimate banking pages (web injects) so the theft blends into the site. Latrodectus is a downloader: it fetches and executes follow-on payloads, with built-in sandbox evasion and persistence on the infected host. YiBackdoor, as the name suggests, is a backdoor: a foothold through which an operator can run commands and deliver further malware onto a device. What connects the three isn’t their function, it’s the overlap in their source code, which leads to the fairly confident supposition that they are all the work of the same developer.
All three follow the same tree of actions: gain a foothold on a system or device, set themselves up for persistence, and execute commands to collect data and/or transmit it to a C2 server. So far YiBackdoor’s built-in functionality appears limited, but it can expand its capabilities through plugins, which again tracks with backdoor behavior.
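To make the "same code, different job" point concrete, here is an added example (my own illustration, not code from the post or from any vendor report) of how family attribution by code overlap works. Four constructed samples are each represented as a list of functions, each function a list of x86-style assembly lines; every opcode sequence, and every function name in them (inject_html, read_payload, plugin_table, hash_block), is made up for the demonstration and is not real IcedID, Latrodectus or YiBackdoor code. Functions are normalised to mnemonics, fingerprinted by hashing their opcode 4-grams, and samples are compared by Jaccard similarity of their fingerprint sets. The stealer, loader and backdoor do different things but share three routines, so they cluster together; the unrelated sample does not.

```python
"""Family attribution by code overlap rather than behaviour (added example)."""
import hashlib
from itertools import combinations

# Constructed routines shared by the three "family" samples. Purely illustrative;
# none of this is real IcedID, Latrodectus or YiBackdoor code.
STRING_DECODE = ["mov ecx, [esp+4]", "xor eax, eax", "mov dl, [ecx+eax]",
                 "xor dl, 0x5a", "mov [ecx+eax], dl", "inc eax",
                 "cmp eax, esi", "jb -0x10", "ret"]
C2_BEACON = ["push ebp", "mov ebp, esp", "sub esp, 0x40", "push 0", "push 0",
             "push 0", "push 0", "call WinHttpOpen", "test eax, eax", "jz +0x20",
             "mov [ebp-4], eax", "leave", "ret"]
PERSIST_RUNKEY = ["push ebp", "mov ebp, esp", "lea eax, [ebp-0x104]", "push eax",
                  "push 0x104", "push 0", "call GetModuleFileNameA", "push eax",
                  "call RegSetValueExA", "leave", "ret"]

# One constructed routine that is unique to each role (hypothetical callee names).
WEB_INJECT = ["push ebp", "mov ebp, esp", "mov eax, [ebp+8]", "push eax",
              "call strstr", "test eax, eax", "jz +0x8", "push eax",
              "call inject_html", "leave", "ret"]
PAYLOAD_DOWNLOAD = ["push ebp", "mov ebp, esp", "push esi", "push 0x40",
                    "push 0x3000", "push [ebp+0xc]", "push 0", "call VirtualAlloc",
                    "mov esi, eax", "push esi", "push [ebp+8]", "call read_payload",
                    "call esi", "pop esi", "leave", "ret"]
PLUGIN_DISPATCH = ["push ebp", "mov ebp, esp", "mov eax, [ebp+8]",
                   "movzx ecx, byte [eax]", "cmp ecx, 0x10", "jae +0x10",
                   "mov edx, [plugin_table+ecx*4]", "push eax", "call edx",
                   "leave", "ret"]

SAMPLES = {
    "stealer":   [STRING_DECODE, C2_BEACON, PERSIST_RUNKEY, WEB_INJECT],
    "loader":    [STRING_DECODE, C2_BEACON, PERSIST_RUNKEY, PAYLOAD_DOWNLOAD],
    "backdoor":  [STRING_DECODE, C2_BEACON, PERSIST_RUNKEY, PLUGIN_DISPATCH],
    # A 64-bit sample with no routine in common with the family above.
    "unrelated": [["vmovdqa ymm0, [rdi]", "vpxor ymm0, ymm0, [rsi]",
                   "vpaddd ymm1, ymm0, ymm2", "vmovdqa [rdx], ymm1",
                   "vzeroupper", "ret"],
                  ["endbr64", "push r15", "push r14", "mov r14, rdi",
                   "lea rdi, [rip+0x200]", "call hash_block", "pop r14",
                   "pop r15", "ret"]],
}


def mnemonics(func):
    """Strip operands so register allocation and addresses don't affect matching."""
    return [line.split()[0].lower() for line in func]


def function_fingerprint(func, n=4):
    """Set of hashed opcode n-grams for one function."""
    ops = mnemonics(func)
    return {hashlib.sha256(" ".join(ops[i:i + n]).encode()).hexdigest()[:16]
            for i in range(len(ops) - n + 1)}


def sample_fingerprint(functions, n=4):
    """Union of the function fingerprints of a whole sample."""
    fp = set()
    for func in functions:
        fp |= function_fingerprint(func, n)
    return fp


def jaccard(a, b):
    """Share of n-grams two samples have in common, 0.0 to 1.0."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster(fingerprints, threshold=0.5):
    """Group samples whose pairwise similarity meets the threshold (union-find)."""
    parent = {name: name for name in fingerprints}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(fingerprints, 2):
        if jaccard(fingerprints[a], fingerprints[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in fingerprints:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def main():
    fps = {name: sample_fingerprint(funcs) for name, funcs in SAMPLES.items()}
    for a, b in combinations(sorted(fps), 2):
        print(f"{a:>9} vs {b:<9} jaccard={jaccard(fps[a], fps[b]):.2f}")
    print("clusters:", cluster(fps))


if __name__ == "__main__":
    main()
```

The three family members come out around 0.6 similarity with each other and 0.0 against the unrelated sample, so a 0.5 threshold puts them in one cluster regardless of their roles. Real tooling works on disassembly rather than hand-typed strings and uses better normalisation than mnemonic-only n-grams, but the principle is the same: a family is a claim about shared code lineage, not about what the code is for.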
This trio of related malware exemplifies how malware as a whole evolves both in function and in evasion technique. As quickly as we at the security end of things catch and remediate infections, new vectors and new anti-analysis tricks are programmed in. But as threat actors persist, so do we. Your friendly neighborhood WISP will be keeping an eye out.
Posted on LinkedIn 10/1/25