New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus
Briefly
"Given the similarities between YiBackdoor, IcedID, and Latrodectus, it's being assessed with medium to high confidence that the new malware is the work of the same developers who are behind the other two loaders. It's also worth noting that Latrodectus, in itself, is believed to be a successor of IcedID. The cybersecurity company said it first identified the malware in June 2025, adding it may be serving as a precursor to follow-on exploitation, such as facilitating initial access for ransomware attacks."
"YiBackdoor features rudimentary anti-analysis techniques to evade virtualized and sandboxed environments, while incorporating capabilities to inject the core functionality into the 'svchost.exe' process. Persistence on the host is achieved by using the Windows Run registry key. 'YiBackdoor first copies itself (the malware DLL) into a newly created directory under a random name,' the company said. 'Next, YiBackdoor adds regsvr32.exe malicious_path in the registry value name (derived using a pseudo-random algorithm) and self-deletes to hinder forensic analysis.'"
YiBackdoor is a newly identified malware loader with significant source code overlap with IcedID and Latrodectus. YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and deploy plugins to extend functionality. The malware includes rudimentary anti-analysis checks to detect virtualized and sandboxed environments and injects its core into the svchost.exe process. Persistence is achieved via the Windows Run registry key and regsvr32-based registry entries using pseudo-random names. An embedded encrypted configuration reveals command-and-control servers and the malware retrieves commands via HTTP responses. Limited deployments were observed since June 2025, suggesting testing or development and possible use for initial access in ransomware campaigns.
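The persistence mechanism summarized above (a Run-key value whose name is pseudo-random and whose data invokes regsvr32.exe on a DLL dropped in a newly created directory) is straightforward to hunt for. The following is an added example written for this page, not code from The Hacker News or from the original report: it takes exported Run-key values and flags any that launch regsvr32.exe against a DLL outside the directories where registered COM servers normally live. The sample entries, directory allowlist and value names are constructed for illustration, not indicators from the report; because the page says the value name is pseudo-randomly derived, the check keys on the regsvr32 invocation and the DLL location rather than on the name.

```python
import re

# Constructed sample of Run-key values (value name, command string), as they might be
# exported from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
# These are illustrative entries written for this example, not IoCs from the report.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("VendorCtl", r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.dll"'),
    ("Qx7pL2v", r'regsvr32.exe C:\Users\alice\AppData\Roaming\Hk3Zt\Hk3Zt.dll'),
    ("cmgrsvc", r'"C:\Windows\System32\regsvr32.exe" /s C:\ProgramData\n1\upd.dll'),
]

# Directory prefixes (lower-cased) from which a regsvr32 autorun is plausible.
# This allowlist is an assumption for the example; tune it per environment.
TRUSTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Matches a command that starts with regsvr32 / regsvr32.exe, optionally quoted and
# optionally given with a full path; everything after it is captured as arguments.
_REGSVR32_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?regsvr32(?:\.exe)?"?\s*(?P<args>.*)$',
    re.IGNORECASE,
)


def regsvr32_target(command: str):
    """Return the DLL path handed to regsvr32 in an autorun command, or None
    when the command does not invoke regsvr32 at all."""
    m = _REGSVR32_RE.match(command)
    if m is None:
        return None
    # Tokenize arguments, keeping quoted paths with spaces intact.
    for tok in re.findall(r'"[^"]*"|\S+', m.group("args")):
        if tok.startswith(("/", "-")):
            continue  # skip switches such as /s, /n, /i:...
        return tok.strip('"')
    return None


def is_trusted_path(path: str) -> bool:
    """True when the DLL sits under one of the expected installation directories."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def find_suspicious_autoruns(values):
    """Return (value_name, dll_path) for every Run-key value that registers a DLL
    via regsvr32 from a directory outside the allowlist (user-writable locations
    such as AppData or ProgramData are the interesting ones for triage)."""
    hits = []
    for name, cmd in values:
        target = regsvr32_target(cmd)
        if target is not None and not is_trusted_path(target):
            hits.append((name, target))
    return hits


if __name__ == "__main__":
    for name, dll in find_suspicious_autoruns(SAMPLE_RUN_VALUES):
        print(f"suspicious Run value {name!r}: regsvr32 loads {dll}")
```

On a live host the same logic applies to the HKLM Run key and to the `RunOnce` variants; a hit is a triage lead, not a verdict, so the next step is to check whether the DLL still exists on disk (the page notes the loader self-deletes its original copy) and who created the directory it sits in.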
Read at The Hacker News