Researchers at Zscaler ThreatLabz have uncovered a new malware family, dubbed YiBackdoor, first observed in June 2025. While still in limited deployment, the malware shows striking code overlaps with both IcedID and Latrodectus, two prolific malware families associated with banking fraud, credential theft, and ransomware delivery.
According to ThreatLabz, “YiBackdoor enables threat actors to collect system information, capture screenshots, execute arbitrary commands, and deploy plugins.” The team warns that, much like IcedID, this new malware may be repurposed as a key tool for initial access in ransomware operations.
YiBackdoor’s architecture reveals extensive reuse of techniques and components found in IcedID and Latrodectus. ThreatLabz highlights that “YiBackdoor shares a considerable amount of code with Latrodectus and IcedID, including a unique encryption algorithm.”
Among the similarities:
- Configuration decryption routines nearly identical to IcedID’s payload decryption logic.
- Plugin decryption algorithms that mirror IcedID’s older GZIP-based routines.
- Use of FNV hashing algorithms, alphabet charsets, and unused GUID lists that appear to be direct remnants from IcedID and Latrodectus codebases.
This strong overlap has led researchers to assess with “medium to high confidence” that there is a shared development lineage between the malware families.
YiBackdoor includes sophisticated anti-analysis mechanisms to avoid detection in sandboxes and virtual environments.
ThreatLabz explains, “YiBackdoor utilizes the CPUID instruction with the parameter 0x40000000 to retrieve hypervisor information. The result is then compared to values that match known hypervisors, including VMWare, Xen, KVM, VirtualBox, Microsoft Hyper-V, and Parallels.”
The malware also decrypts strings at runtime and performs timing-based checks using the rdtsc instruction to detect virtualization. Interestingly, researchers note that while YiBackdoor stores the results of these checks internally, “the detection methods outlined above currently have no impact on the code’s behavior,” suggesting this feature may be incomplete or in testing.
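To make the quoted CPUID check concrete, here is an added C example (written for this summary, not code from ThreatLabz or from the malware) that executes CPUID leaf 0x40000000 on the host it is compiled on and maps the 12-byte vendor signature to the hypervisor names the report lists, so a sandbox operator can see exactly which vendor string their analysis VM exposes. It assumes public CPUID documentation for the signature table (the Parallels entry matches on a prefix because its trailing whitespace is documented inconsistently) and also reads the hypervisor-present bit from leaf 1, which the report does not mention.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Vendor signatures returned in EBX:ECX:EDX for CPUID leaf 0x40000000
 * (taken from public CPUID documentation; assumed, not from the report). */
static const struct { const char *sig; const char *name; } kHypervisors[] = {
    { "VMwareVMware", "VMware" },
    { "XenVMMXenVMM", "Xen" },
    { "KVMKVMKVM",    "KVM" },              /* padded with NULs to 12 bytes */
    { "VBoxVBoxVBox", "VirtualBox" },
    { "Microsoft Hv", "Microsoft Hyper-V" },
    { " lrpepyh",     "Parallels" },        /* prefix only: trailing spaces vary */
};

/* Map a raw 12-byte signature to a hypervisor name, or NULL if unknown. */
const char *classify_hypervisor(const char sig[12]) {
    for (size_t i = 0; i < sizeof kHypervisors / sizeof kHypervisors[0]; i++) {
        size_t n = strlen(kHypervisors[i].sig);
        if (memcmp(sig, kHypervisors[i].sig, n) == 0)
            return kHypervisors[i].name;
    }
    return NULL;
}

/* Run CPUID leaf 0x40000000 and copy the vendor signature into sig.
 * Returns the hypervisor-present bit (leaf 1, ECX bit 31); 0 on non-x86. */
int read_hypervisor_signature(char sig[12]) {
    memset(sig, 0, 12);
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    __cpuid(1, eax, ebx, ecx, edx);
    int present = (int)((ecx >> 31) & 1u);
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    memcpy(sig, &ebx, 4);
    memcpy(sig + 4, &ecx, 4);
    memcpy(sig + 8, &edx, 4);
    return present;
#else
    return 0;
#endif
}

int main(void) {
    char sig[12];
    int present = read_hypervisor_signature(sig);
    const char *name = classify_hypervisor(sig);
    printf("hypervisor bit: %d, signature: \"%.12s\", vendor: %s\n",
           present, sig, name ? name : "unknown/none");
    return 0;
}
```

On bare metal the bit is 0 and the signature is typically all zeros; inside a VM the vendor printed is what a check like YiBackdoor's would see.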
To evade detection and ensure execution, YiBackdoor uses code injection into svchost.exe.
The report describes the technique: “YiBackdoor patches the Windows API function RtlExitUserProcess with assembly code that pushes YiBackdoor’s entry point on the stack… Thus, when the function is called, execution flow is redirected to the malware’s entry point.”
Persistence is established through the Windows Run registry key, using a pseudo-random algorithm to generate registry value names, further complicating forensic analysis.
YiBackdoor’s configuration is embedded in encrypted form and decrypted at runtime using a custom algorithm with a 64-byte key. This configuration contains:
- C2 server list (HTTP or HTTPS).
- Strings for TripleDES key derivation.
- URI components and a botnet ID.
Notably, the malware rotates encryption keys daily, using the day of the week as an offset, making static network signature detection far more difficult.
The C2 traffic itself is hidden inside HTTP headers, with requests encoded into the X-tag header and responses encrypted in the HTTP body.
YiBackdoor supports a range of commands, including:
- systeminfo to harvest OS, network, and process details.
- screen to capture desktop screenshots.
- CMD and PWS for executing commands via cmd.exe and PowerShell.
- plugin and task to load and execute additional plugins.
Plugins are stored as encrypted .bin files in the Windows temp folder and reloaded at every execution. As ThreatLabz explains, “YiBackdoor by default has somewhat limited functionality, however, threat actors can deploy additional plugins that expand the malware’s capabilities.”
For now, YiBackdoor appears to be in a testing phase. Researchers observed that “two of the three configuration C2s are local IP addresses, which further supports the argument that YiBackdoor is still in a development or testing phase.”
Despite its limited deployment, the malware’s design and strong ties to IcedID and Latrodectus indicate it could evolve into a major player in the ransomware ecosystem, providing initial access for affiliates.
As Zscaler ThreatLabz concludes, “Based on code similarities observed, we assess with medium to high confidence that there is a connection between the developers of YiBackdoor, IcedID, and Latrodectus.”