Inside the Intelligence Center: How LUNAR SPIDER is Facilitating Ransomware Attacks on the Financial Sector Using Brute Ratel C4 and Latrodectus

EclecticIQ analysts uncovered an October 2024 malvertising campaign that used an obfuscated Latrodectus JavaScript downloader to drop Brute Ratel C4, and they assess the activity is very likely linked to the Russian-speaking group LUNAR SPIDER. The report details shared infrastructure and partnerships with other ransomware operators, SEO-poisoning targeting of financial services, and specific IOCs used in the campaign. #Latrodectus #BruteRatelC4

Key points

  • In October 2024 EclecticIQ observed a malvertising campaign delivering Brute Ratel C4 via the Latrodectus JavaScript downloader.
  • Analysts assess with high confidence the campaign is very likely linked to the financially motivated Russian-speaking group LUNAR SPIDER.
  • LUNAR SPIDER has a history of developing IcedID and Latrodectus and acts as an initial-access broker for other ransomware affiliates.
  • Despite Operation Endgame law enforcement disruptions in May 2024, LUNAR SPIDER resumed activity and shifted to using Brute Ratel C4.
  • Shared infrastructure and passive-DNS evidence tie LUNAR SPIDER to other groups including WIZARD SPIDER and ALPHV/BlackCat.
  • The malvertising operation used SEO poisoning targeting finance-related searches to deliver an obfuscated JS (Document-16-32-50.js) which fetched an MSI (e.g., 45[.]14[.]244[.]124/dsa.msi) that installed Brute Ratel.

MITRE Techniques

  • [T1071] Application Layer Protocol – Used to deliver payloads and C2 communications via malvertising and remote servers (‘Utilizes malvertising and SEO poisoning to deliver malicious payloads.’ / ‘Establishes communication with attacker-controlled C2 servers.’)
  • [T1203] Exploitation for Client Execution – Malicious JavaScript executed in victims’ browsers to download and run the MSI that installs Brute Ratel (‘Executes malicious JavaScript to download and install Brute Ratel C4.’)
  • [T1547] Boot or Logon Autostart Execution – Malware created registry entries to persist across reboots (‘Creates registry keys to maintain persistence across reboots.’)
  • [T1003] Credential Dumping – Actors used tools like Cobalt Strike and CSharp Streamer RAT to collect credentials and sensitive data (‘Uses tools like Cobalt Strike and CSharp Streamer RAT for credential exfiltration.’)
  • [T1041] Exfiltration Over C2 Channel – Sensitive data was exfiltrated using established command-and-control connections and tools such as Rclone (‘Exfiltrates sensitive data using various tools and techniques.’)

Indicators of Compromise

  • [Malvertising URLs] Malvertising campaign landing pages – https[://]qasertol[.]club/forms-pubs/about-form-w-2/?msclkid=58393294f21c1006efe854eff1b652d5, https[://]grupotefex[.]com/forms-pubs/about-form-w-4/?msclkid=275de1ee6e9c11cb920c879bf6a21339
  • [JavaScript SHA256] Latrodectus downloader samples – 937d07239cbfee2d34b7f1fae762ac72b52fb2b710e87e02fa758f452aa62913, 6dabcf67c89c50116c4e8ae0fafb003139c21b3af84e23b57e16a975b7c2341f (and 1 more hash)
  • [MSI download URLs] Payload distribution servers – http[://]45[.]14[.]244[.]124/dsa.msi, https[://]188[.]119[.]112[.]115/DLPAgent[.]msi (and several other MSI URLs)
  • [MSI SHA256] Downloaded MSI file hashes – 1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa, ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991 (and 2 more hashes)
  • [C2 Domains] Latrodectus / Brute Ratel command-and-control – peronikilinfer[.]com, tiguanin[.]com, greshunka[.]com (and several other domains)
  • [Brute Ratel SHA256] Final payload hashes – 28f5e949ecad3606c430cea5a34d0f3e7218f239bcfa758a834dceb649e78abc, 29549b75a198ad3aee4f8b9ea328bc9a73eb0e0d07e36775438bbe7268d453f9 (and 2 more hashes)

EclecticIQ analysts observed in October 2024 a malvertising campaign that used an obfuscated JavaScript downloader known as Latrodectus to deliver a Brute Ratel C4 payload. The attack chain began with SEO poisoning that pushed poisoned search results toward financial and tax-related queries, leading victims to a malicious JavaScript file named Document-16-32-50.js; when executed in the browser, this script downloaded a Windows Installer package (for example, http[://]45[.]14[.]244[.]124/dsa.msi) which installed Brute Ratel as a DLL and launched it via rundll32.exe. Upon installation the DLL (observed as vierm_soft_x64.dll) was placed under the user’s roaming AppData folder (C:\Users\<user>\AppData\Roaming\vierm_soft_x64.dll) and the malware created a Run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to maintain persistence after reboots.

The report links the campaign with high confidence to LUNAR SPIDER, a Russian-speaking financially motivated actor active since at least 2009 and the developer behind families such as IcedID and Latrodectus. EclecticIQ notes that while global law enforcement disrupted multiple infrastructures during Operation Endgame on May 30, 2024, LUNAR SPIDER quickly adapted and resumed operations, shifting tactics away from IcedID (BokBot) toward Latrodectus and Brute Ratel C4. Analysts mapped more than 200 Latrodectus-associated servers very likely controlled by LUNAR SPIDER and observed overlaps between IcedID and Latrodectus infrastructures, including nearly identical SSL issuer details and repeated use of service providers such as SHOCK-1 (ASN 395092). Top ASN operators tied to the infrastructure included BlueVPS OU (AS 62005), OVH SAS (AS 16276), and The Infrastructure Group B.V. (AS 60404).

Evidence presented in the research highlights how LUNAR SPIDER functions as an initial-access broker within the broader cybercrime ecosystem. Leaked Conti communications and passive DNS records point to operational ties between LUNAR SPIDER and other operators, including WIZARD SPIDER (associated with TrickBot and Conti) and ALPHV/BlackCat. For example, the domain peronikilinfer[.]com functioned as a Latrodectus C2 in September 2024 and was hosted on 173[.]255[.]204[.]62; that same IP previously hosted jkbarmossen[.]com, which served as an IcedID C2 in October 2023 and was linked to ALPHV activity. These shared infrastructures and overlapping artifacts support the assessment that LUNAR SPIDER provides initial access—often via IcedID or Latrodectus—to ransomware affiliates, who then deploy additional tooling such as Cobalt Strike beacons, ScreenConnect, and CSharp Streamer RAT for lateral movement and credential theft.

A detailed example of a reported campaign tied to this ecosystem occurred in October 2023, when ALPHV/BlackCat actors used an IcedID loader delivered in a malicious ZIP containing a VBS file; after the loader executed, attackers used Impacket’s wmiexec and RDP for lateral movement, deployed ScreenConnect, launched Cobalt Strike beacons for C2, and used the CSharp Streamer RAT and Rclone to steal and exfiltrate credentials and data before deploying ransomware. In the Latrodectus-to-Brute Ratel campaign documented in October 2024, Brute Ratel made outbound connections to multiple attacker-controlled command-and-control domains such as bazarunet[.]com, greshunka[.]com, and tiguanin[.]com, enabling remote control and further malicious actions.

EclecticIQ used its Threat Intelligence Platform and Intelligence Center to extract infrastructure indicators and automatically map LUNAR SPIDER’s tactics, techniques, and procedures to the MITRE ATT&CK framework, helping defenders identify detection and response gaps. The research includes YARA detection signatures for Latrodectus JavaScript and Lotus/Latrodectus loader binaries to aid detection, and it provides numerous IOCs—malicious URLs, JavaScript and MSI hashes, payload download hosts, C2 domains, and Brute Ratel hashes—to support hunting and blocking. The report emphasizes that SEO poisoning and malvertising remain effective vectors against financial services and that shared or reused infrastructure between initial-access brokers and ransomware affiliates continues to be a hallmark of the threat landscape.

Organizations should watch for the specific indicators and behaviors described—unexpected MSI download attempts, rundll32 execution of DLLs from user roaming paths, registry Run key creation under HKCU, and network connections to the listed C2 domains—and incorporate the supplied YARA rules and MITRE mappings into detection and hunting processes. EclecticIQ’s analysis underscores the persistence and adaptability of LUNAR SPIDER despite law enforcement pressure, and it shows how initial-access tooling like Latrodectus and IcedID can enable ransomware deployments by other groups.
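The following Python script is an added example, not code from the EclecticIQ report, showing how the behaviours from the attack chain above (rundll32 loading a DLL from the roaming profile, an HKCU Run value for persistence) and the hunting guidance in the previous paragraph (MSI download attempts, connections to the listed C2 domains) can be turned into simple detection logic. It refangs the defanged indicators quoted on this page and runs four checks over a handful of constructed, Sysmon-style events. The event field names (kind, cmdline, target, data, query, url) are assumptions for this example and must be mapped to your own telemetry; the DLL export ordinal, the Run value name and the RFC 5737 address 203.0.113.10 are constructed. The bare-IP MSI rule generalises beyond the two URLs named in the report: it flags any .msi fetched from a raw IP address, which is rarely legitimate software distribution.

```python
import re
from typing import Dict, List, Tuple

# Indicators as published in the report, defanged. refang() undoes the
# defanging so they can be compared against raw telemetry.
DEFANGED_C2_DOMAINS = [
    "peronikilinfer[.]com", "tiguanin[.]com", "greshunka[.]com", "bazarunet[.]com",
]
DEFANGED_MSI_URLS = [
    "http[://]45[.]14[.]244[.]124/dsa.msi",
    "https[://]188[.]119[.]112[.]115/DLPAgent[.]msi",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (example[.]com, http[://]host) back into a matchable string."""
    return ioc.replace("[://]", "://").replace("[.]", ".")


C2_DOMAINS = {refang(d).lower() for d in DEFANGED_C2_DOMAINS}
MSI_URLS = {refang(u).lower() for u in DEFANGED_MSI_URLS}

# rundll32 given a DLL that lives under <profile>\AppData\Roaming\
RUNDLL32_ROAMING = re.compile(r"rundll32(\.exe)?\b.*\\AppData\\Roaming\\[^\s,\"]+\.dll", re.I)
# A value written under the per-user Run key (HKCU or its long form)
HKCU_RUN_KEY = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Any .msi fetched from a bare IPv4 address rather than a hostname
MSI_FROM_BARE_IP = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(:\d+)?/[^\s]*\.msi$", re.I)


def check_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires on one event (empty list if none)."""
    hits: List[str] = []
    kind = event.get("kind")
    if kind == "process" and RUNDLL32_ROAMING.search(event.get("cmdline", "")):
        hits.append("rundll32_dll_from_roaming_appdata")
    if kind == "registry" and HKCU_RUN_KEY.match(event.get("target", "")):
        hits.append("hkcu_run_key_persistence")
        # Persistence that points back into the roaming profile is the exact
        # combination the report describes, so call it out separately.
        if "\\AppData\\Roaming\\" in event.get("data", ""):
            hits.append("run_key_targets_roaming_appdata")
    if kind == "dns" and event.get("query", "").lower().rstrip(".") in C2_DOMAINS:
        hits.append("known_c2_domain")
    if kind == "http":
        url = event.get("url", "").lower()
        if url in MSI_URLS:
            hits.append("known_msi_download_url")
        elif MSI_FROM_BARE_IP.match(url):
            hits.append("msi_download_from_bare_ip")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every event through check_event and return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry; only the DLL name, registry path and indicators
# come from the report, everything else (user name, value name, ordinal) is made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0: benign rundll32 usage loading a DLL from System32
    {"kind": "process", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # 1: DLL launched from the roaming profile, as observed with vierm_soft_x64.dll
    {"kind": "process", "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Roaming\vierm_soft_x64.dll",#1'},
    # 2: HKCU Run value pointing at that DLL
    {"kind": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vierm",
     "data": r"rundll32.exe C:\Users\alice\AppData\Roaming\vierm_soft_x64.dll,#1"},
    # 3: unrelated machine-wide registry write
    {"kind": "registry", "target": r"HKLM\Software\Vendor\Setting", "data": "1"},
    # 4: DNS lookup of a C2 domain named in the report
    {"kind": "dns", "query": "tiguanin.com"},
    # 5: ordinary DNS lookup
    {"kind": "dns", "query": "www.microsoft.com"},
    # 6: MSI fetched from the exact URL in the report
    {"kind": "http", "url": "http://45.14.244.124/dsa.msi"},
    # 7: MSI fetched from an unlisted bare IP (documentation address, constructed)
    {"kind": "http", "url": "http://203.0.113.10/update.msi"},
    # 8: MSI from a named host; not flagged by these rules
    {"kind": "http", "url": "https://downloads.example.com/tool.msi"},
]

if __name__ == "__main__":
    for index, rule in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Exact-match rules (known C2 domains, known MSI URLs) are the cheapest to run but age quickly as infrastructure rotates; the behavioural rules (rundll32 from AppData\Roaming, HKCU Run persistence pointing into the profile, MSI from a bare IP) keep firing after the published indicators are retired, so keep both kinds in the hunt and tune the behavioural ones against your own baseline of legitimate rundll32 and installer activity.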

Read more: https://blog.eclecticiq.com/inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus