
Bumblebee and Latrodectus Malware Resurface with Advanced Phishing Tactics

In the aftermath of the law enforcement operation dubbed Endgame, which momentarily disrupted several malware networks, two notorious malware families—Bumblebee and Latrodectus—have reemerged, now equipped with more intricate phishing methods. These malware loaders are engineered not only to exfiltrate sensitive personal information but also to introduce and execute supplementary malicious payloads on compromised systems.

Latrodectus, also known under various aliases like BlackWidow, IceNova, and Lotus, shares considerable overlap with IcedID, positioning it as a successor to that malware family. Its presence has been noted in campaigns associated with prominent initial access brokers (IABs) identified as TA577 and TA578. Meanwhile, Bumblebee follows suit, resurfacing to wreak havoc after its infrastructure was impacted by the Endgame operation.


Endgame and the Resurgence

In May 2024, a coalition of European authorities dismantled over a hundred servers linked to major malware families like IcedID, SystemBC, PikaBot, SmokeLoader, and Bumblebee. Although Latrodectus was not explicitly named in the operation, the fallout affected its infrastructure, rendering many of its servers inactive—albeit temporarily.

By June 2024, Bitsight researcher João Batista remarked that, despite the initial disruption, Latrodectus had quickly regrouped, strengthening its position. Cybersecurity firm Trustwave echoed this sentiment in a subsequent report, characterizing Latrodectus as a distinct and evolving threat that capitalized on the operational gaps left by its counterparts following Endgame.

This resurgence is being driven by increasingly sophisticated malspam campaigns that hijack legitimate email conversations and impersonate recognizable entities like Microsoft Azure and Google Cloud. The hijacked threads carry malicious links or embedded JavaScript code, often in DocuSign-themed emails, that deliver the malware through a variety of file formats, including PDFs and HTML files.


A New Wave of Intrusion

Cybersecurity firms Forcepoint and Logpoint have observed recent infection chains leveraging phishing emails designed to drop a malicious DLL file, ultimately triggering the deployment of the Latrodectus malware. These messages contain PDF attachments, malicious links, or JavaScript code engineered to facilitate the download of an MSI installer or a PowerShell script, effectively setting the stage for malware infiltration.

Latrodectus, with its updated infrastructure and delivery techniques, now targets sectors such as finance, automotive, and broader business industries. According to Forcepoint researcher Mayur Sewani, this malware blends legacy operational frameworks with fresh, more elusive delivery tactics.

In parallel with Latrodectus, the Bumblebee malware loader has also made a forceful comeback. The attack vector often involves a ZIP archive delivered via phishing emails. This archive contains an LNK file, deceptively named to look like a harmless report, which triggers a series of actions that inject Bumblebee directly into memory, so the malware is never written to disk.

Netskope researcher Leandro Fróes has highlighted Bumblebee’s new evasive maneuvers, noting that the malware avoids spawning additional processes and never executes from disk. By leveraging the Windows Installer SelfReg table, Bumblebee forces the execution of a function embedded within the final payload DLL, which is concealed within the file table itself.
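The chains above share one observable hand-off: a document or script host reached from a phishing lure ends up launching msiexec.exe on a freshly downloaded package. The detection below is an added example written for this article, not code from Forcepoint, Logpoint or Netskope; the event format, the process names, the user-writable paths and the sample telemetry are all assumptions constructed for illustration.

```python
"""Flag the delivery chain the article describes (script host -> MSI install)
in constructed process-creation events. Field names, paths and thresholds are
assumptions for this example, not artefacts of the reported campaigns."""
import re

# Hosts the lure hands off to (PowerShell, JavaScript) plus readers for the
# PDF/HTML attachments and links that carry it.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOC_READERS = {"acrord32.exe", "winword.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
# Assumption: a legitimate MSI install seldom runs from these user-writable paths.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads)\\", re.I)
MSI_ARG = re.compile(r'(?:/i|/package)\s+"?([^"\s]+\.msi)', re.I)

def ancestors(event, by_pid, max_depth=4):
    """Yield lower-cased image names up the parent chain, nearest first."""
    pid = event["ppid"]
    for _ in range(max_depth):
        parent = by_pid.get(pid)
        if parent is None:
            return
        yield parent["image"].lower()
        pid = parent["ppid"]

def detect_loader_chains(events):
    """One finding per msiexec.exe launch whose package sits in a user-writable
    path and whose ancestry includes a script host or document reader."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() != "msiexec.exe":
            continue
        m = MSI_ARG.search(e["cmdline"])
        if not m or not USER_WRITABLE.search(m.group(1)):
            continue
        chain = list(ancestors(e, by_pid))
        if any(a in SCRIPT_HOSTS or a in DOC_READERS for a in chain):
            findings.append({"pid": e["pid"], "package": m.group(1), "chain": chain})
    return findings

# Constructed telemetry: a PDF reader -> PowerShell -> msiexec chain that should
# fire, and a manual Explorer-launched install from Downloads that should not.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 20, "ppid": 10, "image": "AcroRd32.exe", "cmdline": "AcroRd32.exe invoice.pdf"},
    {"pid": 21, "ppid": 20, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -c <stage>"},
    {"pid": 22, "ppid": 21, "image": "msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\upd.msi" /qn'},
    {"pid": 30, "ppid": 10, "image": "msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\archiver.msi"'},
]
```

Running `detect_loader_chains(SAMPLE_EVENTS)` returns only the Temp-path install whose ancestry passes through PowerShell and the PDF reader; the hand-launched Downloads install is left alone because its only ancestor is Explorer.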


As these two malware strains continue to adapt and refine their methods, their reappearance underscores the persistent threat posed by phishing attacks, which remain one of the most effective vectors for malware deployment.
