The NVISO Cyber Security Incident Response Team (CSIRT) has released new findings exposing the latest campaign by Lunar Spider (also known as Gold SwathMore), a Russian-speaking cybercriminal group notorious for its IcedID banking Trojan operations. According to Efstratios Lontzetidis, a member of NVISO’s Threat Intelligence team, the group has shifted gears since the takedown of IcedID in 2024, focusing instead on distributing Latrodectus V2, a sophisticated loader designed to pave the way for ransomware operations.
NVISO reports that “Lunar Spider has expanded its initial access methods by compromising vulnerable websites, particularly in Europe, using Cross-Origin Resource Sharing (CORS) vulnerabilities. These websites are then injected with a FakeCaptcha framework.”
The FakeCaptcha, also referred to as TeleCaptcha, is delivered through an iframe overlay that tricks victims into believing they are completing a CAPTCHA verification. Instead, users are lured into executing malicious PowerShell commands that download an MSI installer. “The infection chain involves an MSI downloader that contains a legitimate executable (EXE) from Intel and a malicious DLL known as Latrodectus.”

The MSI package leverages DLL Search Order Hijacking to sideload Latrodectus V2 while abusing Intel’s signed igfxSDK.exe. As NVISO explains, “The MSI downloader registers the Intel EXE in a Run registry key, ensuring its execution. It then sideloads the Latrodectus DLL by exploiting the DLL Search Order hijacking mechanism.”
Once loaded, Latrodectus communicates with its command-and-control (C2) infrastructure, executing reconnaissance commands and preparing the compromised environment for follow-on attacks.
An alarming aspect of the FakeCaptcha framework is its victim-tracking system. NVISO observed that “this framework includes additional victim monitoring capabilities, tracking clicks and sending them to a Telegram bot channel.”
This feature enables attackers to monitor victim interaction in real time, including operating system details, browser information, and behavioral indicators—streamlining the process of identifying high-value targets.
NVISO emphasizes that Latrodectus is not a standalone malware but part of a broader cybercriminal supply chain. The report highlights that Lunar Spider maintains affiliations with ALPHV/BlackCat and Wizard Spider, both prolific ransomware operators. As Lontzetidis notes, “these malware families now provide initial access to networks, facilitating post-intrusion ransomware deployments by acting as loaders.”
This collaboration allows ransomware affiliates to capitalize on Lunar Spider’s infections, escalating them into full-scale breaches involving data theft and encryption.
The campaign’s infrastructure reveals a sophisticated operation. Lunar Spider relies on compromised WordPress websites for delivery, with payloads and C2 domains often hosted on Cloudflare and AWS. Domains are short, randomized, and typically end with .com.
NVISO has provided hunting queries for both URLScan and Microsoft Defender telemetry, enabling defenders to identify signs of compromise across multiple stages of the infection chain.
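One way to hunt for the persistence pattern described above (a signed vendor EXE registered in a Run key and sideloading a DLL from the same folder) on a host whose Run-key values and directory listings have already been collected. This is an added example, not NVISO's own hunting query or any code from the report; the Run-key entries, directory listing and the DLL name `placeholder_sideload.dll` are constructed for illustration, and the user-writable folder list is a heuristic.

```python
"""Flag Run-key entries that launch an EXE from a user-writable folder
where a DLL sits next to it (DLL search-order hijacking / sideloading).
All sample data below is constructed for illustration."""
import ntpath
import re

# Folders an ordinary user can write to; a vendor EXE has no business
# persisting from here. Heuristic, not an exhaustive list.
USER_WRITABLE = re.compile(
    r"^(c:\\users\\[^\\]+\\appdata\\|c:\\programdata\\|"
    r"c:\\users\\public\\|c:\\windows\\temp\\)",
    re.IGNORECASE,
)

# Constructed Run-key values: (value name, command line)
RUN_ENTRIES = [
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("igfxSDK", r"C:\Users\alice\AppData\Roaming\Intel\igfxSDK.exe"),
    ("Updater", r"C:\ProgramData\Vendor\update.exe --silent"),
]

# Constructed directory listing: lower-cased folder -> files present
FILE_LISTING = {
    r"c:\program files\microsoft onedrive": {"onedrive.exe"},
    r"c:\users\alice\appdata\roaming\intel": {"igfxsdk.exe", "placeholder_sideload.dll"},
    r"c:\programdata\vendor": {"update.exe"},
}

def executable_from_command(cmd: str) -> str:
    """Return the program path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted: the path runs up to the first '.exe' token
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def find_sideload_persistence(run_entries, file_listing):
    """Return Run-key entries matching the sideloading persistence pattern."""
    hits = []
    for name, cmd in run_entries:
        exe = executable_from_command(cmd)
        folder = ntpath.dirname(exe).lower()
        if not USER_WRITABLE.match(folder + "\\"):
            continue  # EXE lives in a protected location; not this pattern
        dlls = sorted(f for f in file_listing.get(folder, ()) if f.endswith(".dll"))
        if dlls:  # a co-located DLL is the sideloading tell
            hits.append({"value": name, "exe": exe, "colocated_dlls": dlls})
    return hits
```

Feed it real Run-key exports and directory listings and triage each hit by checking whether the co-located DLL is signed by the same vendor as the EXE.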