Home > Security > Security News

Lunar Spider Leveraged Latrodectus, Brute Ratel C4, Cobalt Strike, and Custom Backdoor in 2-Month Network Intrusion

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Tax Doc - Cobalt Strike - Malware - Brute Ratel

A sophisticated Lunar Spider social engineering operation utilized tax lures to install Brute Ratel malware and Latrodectus malware, conducting reconnaissance, moving laterally, and exfiltrating data. This incident highlights the effectiveness of social engineering as an initial access vector for advanced persistent threat groups.

Attack Vector and Initial Compromise

The intrusion began with opening a fake tax form attachment that executed a heavily obfuscated JavaScript file, which was previously associated with the Lunar Spider group by EclecticIQ. 

This initial action triggered the download of an MSI package that installed Brute Ratel malware, a recent The DFIR Report analysis details. 

Brute Ratel and Latrodectus malware attack
Brute Ratel and Latrodectus malware attack | Source: The DFIR Report

The loader then injected the Latrodectus malware, designed to download payloads and execute arbitrary commands, into the explorer.exe process. A Latrodectus Stealer module was also used in the attack, harvesting credentials from 29 Chromium-based browsers, including Google Chrome, Microsoft Edge, and Epic Privacy Browser.

It extracted email credentials from Microsoft Outlook configurations across Office versions 11.0-17.0, server configurations, port numbers, usernames, encrypted passwords, legacy email configurations from older Windows Mail, Outlook Express, and MAPI profiles that may contain additional cached credentials..

Timeline and Techniques Employed

The cyberattack timeline shows rapid escalation following the initial breach. Within hours, the threat actor conducted host and domain enumeration. By day three, they discovered plaintext domain administrator credentials in a Windows Answer file, granting them immediate high-privilege access. 

On day four, the actor deployed and executed a binary named lsassa.exe via BackConnect, which was a .NET backdoor containing an encrypted payload embedded in an assembly resource file. This action established command and control (C2) and initiated a nearly two-month-long compromise of the target network.

Several Cobalt Strike beacons were also deployed, with the first observed on day four. One implant initiated a UAC bypass, achieving privilege escalation without user interaction, via a well-documented registry hijacking method first observed in 2017 that exploits the UAC token duplication vulnerability. This allowed the Cobalt Strike implant to execute arbitrary code.

The actors moved laterally using PsExec to compromise a domain controller and other critical servers. Data exfiltration using Rclone occurred on day 20, demonstrating the patient and methodical nature of the attack.

Cybersecurity Implications of the Intrusion

The actor’s ability to remain undetected for almost two months while deploying multiple malware payloads demonstrates a high level of operational security and adaptability.

The successful credential harvesting from an unsecured configuration file also serves as a critical reminder of the importance of secure system provisioning and eliminating plaintext credentials. 

The report concludes that despite extensive access, no ransomware was deployed, suggesting the primary objective may have been data theft and persistent access.

This month, Zscaler cybersecurity researchers linked the YiBackdoor malware family to IcedID and Latrodectus. The latter was created by the developers of IcedID and is actively being developed, with updates to its encryption key pattern and new commands.

In August 2024, a Google Safety Centre phishing operation deployed Latrodectus and ACR Stealer disguised as Google Authenticator. During Operation Endgame, which occurred in May 2024, law enforcement dismantled multiple botnets. 

Add a Comment
Related
Cryptocurrency - Money - Police
Chinese Scammer Convicted in U.K. After World’s Largest $7B Crypto Seizure
YouTuber - Reddit - People
YouTuber Ethan Klein in Legal Dispute Over Reddit Moderator Anonymity in Alleged Defamation Case
Man - Phone - Notifications - Dollar - Hacker
BBC Reporter Contacted by Medusa Ransomware for Insider Access in Cybercriminal Recruitment Attempt
Salesforce - Shield - URL - Login
Salesforce to Enforce Trusted URLs for Agentforce and Einstein AI Against Prompt Injection
Mobile Tower - Ambulance - Personnel
Optus Suffers Another Emergency Call Outage Impacting 4,500 Customers, Prompting Government Investigation
Moldova Flag - Browsers - Hacker
Moldova Election Hit by Cyberattacks Amid Political Tensions, Blocking 4,000 Vote-Related Websites
Most Popular
Cryptocurrency - Money - Police
Chinese Scammer Convicted in U.K. After World’s Largest $7B Crypto Seizure
YouTuber - Reddit - People
YouTuber Ethan Klein in Legal Dispute Over Reddit Moderator Anonymity in Alleged Defamation Case
Man - Phone - Notifications - Dollar - Hacker
BBC Reporter Contacted by Medusa Ransomware for Insider Access in Cybercriminal Recruitment Attempt
Age Verification Laws Across the U.S
Age Verification Laws Across the U.S.: Full State-by-State Breakdown
NordVPN Reverses Course, Confirms Meshnet Will Stay
NordVPN Reverses Course, Confirms Meshnet Will Stay
Salesforce - Shield - URL - Login
Salesforce to Enforce Trusted URLs for Agentforce and Einstein AI Against Prompt Injection
Chinese Scammer Convicted in U.K. After World’s Largest $7B Crypto Seizure
YouTuber Ethan Klein in Legal Dispute Over Reddit Moderator Anonymity in Alleged Defamation Case
BBC Reporter Contacted by Medusa Ransomware for Insider Access in Cybercriminal Recruitment Attempt
Age Verification Laws Across the U.S.: Full State-by-State Breakdown
NordVPN Reverses Course, Confirms Meshnet Will Stay
Salesforce to Enforce Trusted URLs for Agentforce and Einstein AI Against Prompt Injection

Most Popular
Cryptocurrency - Money - Police
Chinese Scammer Convicted in U.K. After World’s Largest $7B Crypto Seizure
YouTuber - Reddit - People
YouTuber Ethan Klein in Legal Dispute Over Reddit Moderator Anonymity in Alleged Defamation Case
Man - Phone - Notifications - Dollar - Hacker
BBC Reporter Contacted by Medusa Ransomware for Insider Access in Cybercriminal Recruitment Attempt
Age Verification Laws Across the U.S
Age Verification Laws Across the U.S.: Full State-by-State Breakdown
NordVPN Reverses Course, Confirms Meshnet Will Stay
NordVPN Reverses Course, Confirms Meshnet Will Stay
Salesforce - Shield - URL - Login
Salesforce to Enforce Trusted URLs for Agentforce and Einstein AI Against Prompt Injection
Chinese Scammer Convicted in U.K. After World’s Largest $7B Crypto Seizure
YouTuber Ethan Klein in Legal Dispute Over Reddit Moderator Anonymity in Alleged Defamation Case
BBC Reporter Contacted by Medusa Ransomware for Insider Access in Cybercriminal Recruitment Attempt
Age Verification Laws Across the U.S.: Full State-by-State Breakdown
NordVPN Reverses Course, Confirms Meshnet Will Stay
Salesforce to Enforce Trusted URLs for Agentforce and Einstein AI Against Prompt Injection

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: