active threat profile
type: Cybercrime
threat_level: High
status: Active
origin: Unknown — initial access broker
last_updated: 2026-03-27

TA578

also known as: Screentime-adjacent (shares delivery infra); Latrodectus primary distributor (Proofpoint)
active since: May 2020 (Proofpoint)

A financially motivated initial access broker best known as the primary distributor of Latrodectus — a sophisticated downloader created by the same developers behind IcedID, which TA578 adopted almost exclusively from January 2024. The group's signature delivery tactic is impersonating companies sending legal threats for alleged copyright infringement: an operator fills out a target organization's website contact form with a unique URL crafted to include both the target's own domain and the impersonated company name, which — when clicked — redirects to a personalized landing page before serving a JavaScript payload that installs the Latrodectus DLL via WebDAV-hosted MSI. Active since at least May 2020, TA578 previously distributed Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee before transitioning exclusively to Latrodectus.

classification: Initial Access Broker (IAB) — financially motivated
active since: At least May 2020 (Proofpoint)
current payload: Latrodectus (exclusive since mid-Jan 2024)
signature lure: Copyright infringement legal threat via website contact form
latrodectus developers: Lunar Spider — assessed as IcedID developers (Proofpoint + Team Cymru)
first latrodectus use: December 15, 2023 (via DanaBot infection)
primary targets: North America and Europe — all industries, no sector restriction
follow-on payloads: Lumma Stealer, DanaBot, Cobalt Strike; access sold to ransomware operators
c2 infrastructure: Latrodectus T2 servers connected to historic IcedID backend; shared jump boxes

Overview

TA578 is an initial access broker operating within the criminal ecosystem that surrounds IcedID's successor tooling. Its role is to compromise enterprise endpoints at scale through email-based campaigns, then monetize that access either by deploying information stealers directly or selling network footholds to downstream ransomware operators. The transition to Latrodectus in late 2023 was a natural progression: TA578 had deep operational familiarity with IcedID and the developer infrastructure behind it, and Latrodectus represents the same developer group's next-generation loader with improved sandbox evasion and modular command capabilities.

Proofpoint first documented Latrodectus in November 2023, noting it was initially deployed by TA577 (a separate IAB, formerly a prolific QakBot distributor) in three campaigns before TA577 reverted to Pikabot. From mid-January 2024, Latrodectus became almost exclusively associated with TA578. The group's first Latrodectus delivery was observed December 15, 2023 — via a DanaBot infection rather than a direct email campaign — establishing TA578 as the operator before the copyright infringement lure campaigns made the group's methodology visible at scale.

The copyright infringement contact form technique is TA578's most recognizable and analytically distinctive operational pattern. Rather than sending bulk phishing email, an operator visits a target organization's website, locates its contact form, and submits a message claiming that the target is using copyrighted images or content without permission. The submitted message contains a URL with both the target's own domain name and the name of the impersonated company embedded in the URI — personalizing the link in a way that makes the alleged complaint appear specific and credible. If a recipient clicks the link, they reach a landing page that displays both their organization's name and the impersonated company name as the complainant — a high-sophistication social engineering step designed to make the exchange feel like a legitimate legal notice. The page then downloads a JavaScript file (hosted on Google Firebase in the February 2024 campaign), which when executed calls msiexec.exe to fetch and run an MSI from a remote WebDAV share. The MSI executes the bundled Latrodectus DLL with the export "fin".

The deliberate personalization — embedding the target's own domain in the URL, generating a landing page specific to both the target and impersonated company — separates this approach from generic bulk phishing. The legal threat framing leverages a real concern that website owners have (copyright infringement notices do arrive legitimately, and many companies take them seriously enough to investigate) and creates a pretext for a recipient to visit an external URL without the immediate suspicion that an unsolicited invoice or prize notification would trigger.

Payload History — From IcedID Ecosystem to Latrodectus

TA578's payload progression maps the evolution of the IcedID-adjacent criminal ecosystem across five years of documented activity.

2020–2021
Ursnif / IcedID / KPOT Stealer
Early TA578 campaigns distributed Ursnif (a banking trojan) and IcedID as primary initial access payloads alongside KPOT Stealer. The group's relationship with IcedID from this period establishes the operational familiarity that would later enable a smooth transition to the IcedID developers' successor tool.
2021–2022
Buer Loader / BazaLoader / Cobalt Strike
TA578 expanded its toolkit to include Buer Loader and BazaLoader — loaders designed for enterprise network access and subsequent Cobalt Strike deployment. This phase reflects the group's positioning as an enterprise-focused IAB providing post-exploitation access rather than commodity credential theft.
2022–2023
Bumblebee / IcedID
Bumblebee emerged as a successor to BazaLoader and became a TA578 staple. IcedID continued to be deployed alongside Bumblebee. Both payloads were heavily distributed before major law enforcement disruption operations began to pressure the ecosystem — Qbot's August 2023 takedown and Operation Endgame (May 2024) eliminated several key malware families and drove IABs toward Latrodectus.
Dec 2023–present
Latrodectus (exclusive)
First delivered December 15, 2023 via DanaBot. From mid-January 2024, TA578 adopted Latrodectus exclusively. Assessed by Proofpoint and Team Cymru as created by the IcedID developers, Latrodectus shares C2 infrastructure with historic IcedID operations and uses the same jump box infrastructure. Version 1.4 (July 2024) added new obfuscation and Brute Ratel C4 integration. Follow-on payloads observed via Latrodectus: Lumma Stealer (Unit 42, March 2024), DanaBot, Cobalt Strike.

Attack Chain — Copyright Infringement Lure (2024)

The February–March 2024 contact form campaign represents TA578's most documented and operationally distinctive delivery methodology.

contact form copyright lure → latrodectus (feb 2024 variant)
Stage 1
Contact Form Submission
Operator visits target organization's website and fills out the contact/support form. Message claims the target is using copyrighted images or content without authorization. Message includes a unique URL with both the target's domain and the impersonated company name embedded in the URI path. Appears as a legitimate legal notice specific to the target organization.
Stage 2
Personalized Landing Page
If the recipient clicks the URL, they are redirected to a landing page that displays both their own organization's domain name and the name of the impersonated complainant company. The URL then initiates a download of a JavaScript file hosted on Google Firebase. The personalization of the landing page to the specific target increases perceived legitimacy and reduces suspicion.
Stage 3
JavaScript Execution
The JavaScript file is served from a Google Firebase URL. If executed by the user, the JavaScript calls msiexec.exe to download and execute an MSI package from a remote WebDAV share. Some campaign variants use heavily obfuscated JavaScript with embedded functions that extract and execute a downloader for an MSI from a hardcoded URL. The JavaScript execution step requires user action — reducing accidental infections and targeting users more likely to investigate the copyright claim.
Stage 4
MSI / WebDAV → Latrodectus DLL
The MSI retrieved from the WebDAV share contains a bundled Latrodectus DLL. The MSI executes the DLL with the export "fin" — running the Latrodectus downloader. Latrodectus performs sandbox evasion checks, resolves Windows API functions dynamically by hash, checks for existing infection instances and active debuggers, then installs itself, sets an AutoRun persistence key, and creates a scheduled task.
Stage 5
C2 Registration + Follow-On Payloads
Latrodectus posts encrypted system information to the C2 server and requests the bot component download. Once the bot registers, it requests commands. Commands enable: file and process enumeration, binary and DLL execution, arbitrary cmd.exe commands, bot updates, process termination. C2 infrastructure connects to Tier 2 servers that maintain links to historic IcedID backend infrastructure and IcedID-associated jump boxes. Follow-on payloads observed: Lumma Stealer, DanaBot, Cobalt Strike. Access to enterprise environments typically sold downstream to ransomware affiliates.

Latrodectus — The IcedID Successor

Understanding TA578's current operational posture requires understanding Latrodectus's place in the criminal ecosystem. Latrodectus (also tracked as BlackWidow, IceNova, Lotus, and Unidentified 111) was first identified by Walmart researchers during an investigation into IcedID in October 2023. Proofpoint and Team Cymru's April 2024 joint report confirmed it as a distinct malware family likely created by the same developers as IcedID — the Lunar Spider group.

  • IcedID developer connection: Latrodectus C2 Tier 2 servers maintain connections with backend infrastructure associated with IcedID. The same specific jump boxes previously associated with IcedID operations are used. Campaign ID patterns in Latrodectus samples, decoded via string hashing techniques, revealed new patterns in previous IcedID campaigns when cross-referenced — providing bidirectional linking evidence. In February 2024, one of the leaders behind the IcedID operation pleaded guilty in US federal court, facing 40 years of imprisonment. Latrodectus represents the successor toolset developed as the IcedID operation faced increasing legal pressure.
  • Technical capabilities: Latrodectus dynamically resolves Windows API functions by hash — preventing static analysis from enumerating its capabilities based on import tables. It checks for debugger presence before executing (anti-analysis). It checks running processes and gathers OS information (system profiling). It verifies no existing Latrodectus infection is running before installing (coordination signal for operators). Persistence is established via AutoRun registry key and a scheduled task. C2 communication uses encrypted POST requests with concatenated HTTP parameters, consistent with IcedID's C2 protocol design.
  • Operation Endgame impact and resilience: Operation Endgame in May 2024 — an international law enforcement operation that dismantled IcedID, SystemBC, Pikabot, and other major malware families — temporarily suppressed Latrodectus activity. The malware resurfaced in June 2024 using a new delivery vector: SEO poisoning on a fake IRS website. Version 1.4 (July 2024) added new obfuscation techniques, Brute Ratel C4 integration, and new backdoor commands, indicating continued development. Proofpoint assesses Latrodectus will continue to expand across the threat actor landscape, particularly among actors who previously distributed IcedID.

Tactics, Techniques & Procedures

mitre id / technique / description

mitre id: T1566.003
technique: Phishing via Service — Contact Form Submission
description: TA578's distinctive initial access technique: using a target organization's own website contact/support form to deliver a malicious URL. The contact form is a legitimate communication channel that bypasses email security gateways — the malicious message arrives via the organization's own web infrastructure, not as an email from an external domain. The copyright infringement framing provides a credible pretext that recipients in legal, compliance, or communications roles may feel compelled to investigate. The personalized URL embedding the target's domain in the URI path further increases credibility.

mitre id: T1027 / T1566.002
technique: Personalized URL and Dynamic Landing Page Social Engineering
description: The URL embedded in the contact form message contains the target's domain and the impersonated company name as URI components. When visited, it renders a landing page that dynamically displays both organizations by name — making the page appear to be a specific, targeted complaint rather than a generic phishing page. The use of Google Firebase to host the JavaScript file provides additional legitimacy through a trusted CDN domain. This social engineering construction is more labor-intensive than bulk phishing but significantly more effective against technically alert recipients who inspect URLs and landing pages for authenticity.

mitre id: T1059.007 / T1218.007
technique: JavaScript Downloader → MSI Execution via msiexec
description: The JavaScript payload, when executed by the user, calls msiexec.exe — a legitimate Windows Installer binary — to retrieve and execute an MSI package from a remote WebDAV share. Using msiexec for payload delivery abuses a trusted Windows binary (LOLBin technique) and leverages the MSI installation infrastructure, which many enterprise environments have reduced detection coverage for compared to direct executable downloads. The MSI contains the Latrodectus DLL invoked with the export "fin" — a specific export name that serves as a version or campaign identifier in Latrodectus deployments.

mitre id: T1027.007
technique: Latrodectus Dynamic API Resolution and Anti-Analysis
description: Latrodectus resolves Windows API functions dynamically using hash-based lookup — querying the Process Environment Block (PEB) to resolve kernel32.dll and ntdll.dll, then computing CRC32 checksums of DLL filenames in the Windows system directory to locate and load user32.dll and wininet.dll. This prevents static analysis tools from identifying imported functions. Before loading, Latrodectus checks for debugger presence (IsDebuggerPresent and similar), gathers OS information, checks running processes, and verifies no existing Latrodectus infection is present. These checks collectively prevent analysis in sandboxes and avoid double-infection of already-compromised endpoints.

mitre id: T1547.001 / T1053.005
technique: Persistence — AutoRun Registry Key and Scheduled Task
description: Latrodectus establishes two persistence mechanisms: an AutoRun registry key and a scheduled task. The dual persistence ensures the loader survives both standard startup and scheduled execution scenarios. The scheduled task is configured to maintain the loader's presence across reboots independently of the registry key, providing redundancy if one persistence mechanism is removed during incident response. The C2 registration cycle — posting encrypted system information, downloading the bot component, then polling for commands — begins after persistence is established.

mitre id: T1041 / T1071.001
technique: Encrypted C2 Communication — IcedID-Style POST Protocol
description: Latrodectus posts encrypted system registration information to the C2 in a format directly mirroring IcedID's communication protocol — concatenated HTTP parameters encrypted before transmission. This design choice provides operational consistency for operators who previously managed IcedID infections. The Tier 2 C2 servers maintain upstream connections to backend infrastructure previously associated with IcedID operations, and the same jump boxes used in IcedID campaigns appear in Latrodectus infrastructure — providing the strongest evidence of developer continuity between the two malware families.
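The T1027.007 entry above notes that the loader locates user32.dll and wininet.dll by CRC32 of their filenames rather than by importing them. When analysing such a sample, the practical step is the reverse one: precompute the hashes of every DLL in the system directory so the 32-bit constants found in the binary can be read as names. The following is an added example written for this profile, not code from the profile or from any vendor; the exact normalisation the loader applies (case, encoding, terminator) is not stated on the page, so the table hashes each name in three assumed casing variants, the DLL list is constructed, and the CRC32 variant is assumed to be the standard zlib one.

```python
"""Build a CRC32 -> DLL-name lookup table so hashed module references seen while
analysing a Latrodectus-style sample can be resolved to readable names.

Added example, not from the profile or from any vendor tooling. The CRC32
variant (standard zlib), the casing variants and the DLL list are assumptions.
"""
import os
import sys
import zlib

# Constructed stand-in for a system-directory listing; list_system_dlls() uses the real one on Windows.
SAMPLE_SYSTEM_DLLS = ["KERNEL32.DLL", "ntdll.dll", "USER32.dll", "WININET.dll", "advapi32.dll", "ws2_32.dll"]


def crc32_of(name: str) -> int:
    # Assumption: standard CRC32 (zlib, reflected polynomial 0xEDB88320) over ASCII bytes, no terminator.
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def name_variants(name: str):
    # The page does not say how the loader normalises names, so hash every plausible casing.
    return {name, name.lower(), name.upper()}


def build_lookup(dll_names):
    """Map the CRC32 of every casing variant back to the lower-case module name."""
    table = {}
    for n in dll_names:
        for v in name_variants(n):
            table[crc32_of(v)] = n.lower()
    return table


def resolve_hashes(hashes, table):
    """Resolve a list of observed 32-bit constants; unknown values stay as hex strings."""
    return [table.get(h, f"unresolved:0x{h:08x}") for h in hashes]


def list_system_dlls():
    """On a Windows analysis box enumerate the real System32; elsewhere use the constructed list."""
    if sys.platform == "win32":
        sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
        return [f for f in os.listdir(sysdir) if f.lower().endswith(".dll")]
    return SAMPLE_SYSTEM_DLLS


if __name__ == "__main__":
    table = build_lookup(list_system_dlls())
    # Constructed "observed" constants: two that resolve and one that does not.
    observed = [crc32_of("user32.dll"), crc32_of("wininet.dll"), 0xDEADBEEF]
    for h, n in zip(observed, resolve_hashes(observed, table)):
        print(f"0x{h:08x} -> {n}")
```

If a sample's constants do not resolve against any casing variant, the loader is using a different normalisation or a non-standard CRC polynomial; extending name_variants (for example with a trailing null byte or UTF-16 encoding) is the usual next step before concluding the hash function itself differs.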

Indicators of Compromise

ioc note

Latrodectus C2 infrastructure rotates frequently. The Suricata rules published by Proofpoint (ET rules 2048735 and 2049231) are the most durable detection mechanism for active Latrodectus network communication. Pulsedive maintains a continuously updated dataset of 250+ Latrodectus network IOCs queryable via "threat=Latrodectus". Static file hashes for specific campaign MSI and DLL payloads are available in Proofpoint's April 2024 disclosure and subsequent campaign reporting. The msiexec.exe → WebDAV connection pattern (msiexec loading an MSI from a UNC path to an external WebDAV share) is a high-signal behavioral detection indicator that applies across campaign variants.

indicators of compromise — key technical identifiers
ET rule — Latrodectus C2: 2048735 — ET MALWARE Latrodectus Loader Related Activity (POST)
ET rule — Latrodectus alive: 2049231 — ET MALWARE Latrodectus Alive Request (GET)
DLL export name: "fin" — Latrodectus DLL export used to invoke the loader via MSI (campaign identifier / version marker)
msiexec WebDAV pattern: msiexec.exe executing MSI from UNC path (\\[external IP]\share\*.msi) — process creation of msiexec with remote WebDAV source is high-confidence behavioral indicator
JS host (Feb 2024): Google Firebase URL — JavaScript payload served from firebase.googleapis.com or firebasestorage.googleapis.com in Feb 2024 campaign; Firebase-hosted JS executing msiexec is anomalous in enterprise context
persistence artifacts: HKCU\Software\Microsoft\Windows\CurrentVersion\Run — AutoRun key; scheduled task created post-install; check both mechanisms when investigating suspected Latrodectus infections
C2 T2 infrastructure: T2 servers active from approximately September 18, 2023; T2 upstream server established August 2023; T2 connects to IcedID backend infrastructure — pivot IcedID historical IOCs to discover Latrodectus T2 overlap
url lure pattern: Contact form message URLs contain target's own domain + impersonated company name in URI path — format: [delivery domain]/[target domain]/[impersonated company]/ or similar construction
pulsedive ioc set: query: threat=Latrodectus — 250+ network IOCs, continuously updated; STIX 2.1, JSON, CSV export available
full ioc reference: Proofpoint — "Latrodectus: Spider Bytes of Ice" (Apr 2024); Team Cymru shared infrastructure analysis; Elastic Security Labs — "Spring Cleaning with Latrodectus" (Apr 2024)
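The msiexec WebDAV pattern in the table above is the one behavioural indicator the profile calls durable across campaign variants, so it is worth having as executable detection logic rather than a sentence. The following is an added example written for this profile, not code from the profile or from any vendor: it scans constructed process-creation events (a Sysmon Event ID 1-like shape, field names assumed) and flags msiexec.exe installing a .msi from a UNC path whose host is outside the organisation. The internal address ranges and DNS suffixes are assumptions to be replaced with the local estate's values; it also accepts the WebDAV mini-redirector forms (\\host@SSL\... and \\host@port\...), which the profile does not mention but which resolve to the same remote-share behaviour.

```python
"""Flag msiexec.exe launches that pull an MSI over a UNC/WebDAV path from a
non-internal host, the delivery step this profile describes.

Added example, not from the profile or from any vendor tooling. Events are
constructed JSON lines; field names (Image, ParentImage, CommandLine) and the
internal ranges/suffixes are assumptions.
"""
import json
import re
from ipaddress import ip_address, ip_network

# UNC path \\host\share\...  plus the WebDAV forms \\host@SSL\DavWWWRoot\... and \\host@8080\...
UNC_RE = re.compile(
    r'\\\\(?P<host>[^\\@\s"]+)(?:@(?P<port>SSL|\d+))?\\(?P<rest>[^\s"]*)',
    re.IGNORECASE,
)

# Assumed internal ranges and DNS suffixes; a real deployment loads these from IPAM/CMDB.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = (".corp.example", ".example.local")


def is_external_host(host: str) -> bool:
    """True unless the host is an internal IP, a single-label (NetBIOS) name, or under our DNS suffixes."""
    try:
        ip = ip_address(host)
    except ValueError:
        h = host.lower()
        return "." in h and not h.endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)


def is_suspicious_msiexec(event: dict) -> bool:
    """msiexec.exe installing a .msi referenced by an external UNC/WebDAV path."""
    if not event.get("Image", "").lower().endswith("\\msiexec.exe"):
        return False
    for m in UNC_RE.finditer(event.get("CommandLine", "")):
        if m.group("rest").lower().endswith(".msi") and is_external_host(m.group("host")):
            return True
    return False


def scan_events(lines):
    """Parse JSON event lines and return the events matching the behaviour."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_suspicious_msiexec(ev):
            hits.append(ev)
    return hits


# Constructed telemetry; 203.0.113.0/24 is a documentation range standing in for an external host.
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
                "CommandLine": r'msiexec.exe /i "\\203.0.113.5\share\update.msi" /qn'}),
    json.dumps({"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
                "CommandLine": r"msiexec.exe /i \\203.0.113.5@SSL\DavWWWRoot\pkg.msi /quiet"}),
    json.dumps({"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
                "CommandLine": r"msiexec.exe /i \\fileserver.corp.example\deploy\app.msi /qn"}),
    json.dumps({"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\setup.msi"}),
    json.dumps({"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"wscript.exe C:\Users\alice\Downloads\notice.js"}),
]

if __name__ == "__main__":
    for ev in scan_events(SAMPLE_EVENTS):
        print("ALERT msiexec remote MSI:", ev["CommandLine"], "(parent:", ev["ParentImage"] + ")")
```

Only the two external-share launches are reported; the software-distribution install from an internal file server and the local Downloads install are left alone, which is the false-positive boundary the first mitigation item below draws. The parent image is kept in the alert because a script host (wscript.exe or cscript.exe) spawning msiexec is the extra context that distinguishes this chain from an administrator's remote install.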

Mitigation & Defense

  • Monitor and Alert on msiexec Executing Remote WebDAV MSIs: The Latrodectus delivery chain requires msiexec.exe to fetch and execute an MSI from a remote WebDAV share via UNC path. This is anomalous in most enterprise environments — msiexec should be running from local or network share paths established by IT administration, not from external WebDAV servers on non-standard IP addresses. Configure EDR and SIEM rules to alert on msiexec.exe spawning with a command line containing UNC paths pointing to external IP addresses (\\[IP]\). This behavioral indicator applies across TA578 campaign variants regardless of JavaScript obfuscation changes.
  • Block or Alert on JavaScript File Execution from User Download Paths: The attack chain requires a user to execute a JavaScript (.js) file downloaded from a web browser session. Windows Script Host (wscript.exe and cscript.exe) execution of .js files from common download directories (Desktop, Downloads, Temp) should generate an alert. Consider deploying Software Restriction Policies or AppLocker rules blocking Windows Script Host execution of scripts sourced from user-writable paths. This control breaks the delivery chain before msiexec is invoked.
  • Train Staff on Copyright Infringement Contact Form Lures: The copyright infringement contact form technique is highly targeted at legal, compliance, communications, and executive assistant roles — individuals who handle or escalate legal correspondence. Security awareness training should specifically address this scenario: organizations receive contact form submissions claiming copyright infringement containing external links. Employees should understand that legitimate copyright complaints arrive via email from legal representatives, not via embedded contact form links directing to unfamiliar websites. The appropriate response to a copyright complaint received via contact form is to forward it to legal counsel, not to visit the embedded link.
  • Implement Contact Form Spam Controls and Logging: Contact forms on public-facing websites should implement CAPTCHA and rate limiting to reduce the ability of operators to submit copyright lure messages at volume. More importantly, log all contact form submissions at the web server or application level. If a security incident is later traced to a Latrodectus infection, contact form submission logs can identify the specific message and timing, enabling faster root cause analysis. SOC teams should periodically review contact form submission patterns for unusual volumes from single IP addresses or messages containing suspicious URLs.
  • Deploy Latrodectus-Specific Network Detection: Proofpoint's Emerging Threats rules (ET 2048735 for C2 POST activity; ET 2049231 for alive/beacon requests) provide signature-based network detection for active Latrodectus C2 communication. These rules should be enabled in any IDS/IPS deployment. Network monitoring should additionally cover outbound msiexec connections to WebDAV shares and unusual POST request patterns from recently installed DLLs. Latrodectus's C2 communication mirrors IcedID's encrypted HTTP POST protocol — existing IcedID network detection content may have partial applicability.
  • Review Legacy IcedID Infrastructure Blocklists for Latrodectus Overlap: Latrodectus C2 Tier 2 servers maintain connections with backend infrastructure previously associated with IcedID, and the same jump boxes are used. Security teams that maintain historical IcedID C2 blocklists or have IcedID-attributed infrastructure in their threat intelligence feeds should cross-reference those against observed Latrodectus C2 addresses. The infrastructure reuse provides detection leverage: organizations that blocked IcedID C2 communication may have pre-existing controls that partially cover Latrodectus T2 infrastructure.
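The fourth mitigation item above recommends logging contact-form submissions and reviewing them for suspicious URLs and unusual volume from single sources, and the IoC table gives the lure's URL shape (the target's own domain embedded in the path of a link hosted elsewhere). The following is an added example written for this profile, not code from the profile or from any vendor, showing that review as a small triage pass over constructed submissions: it flags a message when an external link carries the organisation's own domain in its path, or when legal-threat wording is paired with any external link, and separately lists source IPs that submitted in bursts. ORG_DOMAIN, the keyword list and the sample submissions are constructed; CAPTCHA and rate limiting are not shown.

```python
"""Triage contact-form submissions for the copyright-lure pattern: legal-threat
wording plus an external link whose path embeds the recipient organisation's
own domain, and bursts of submissions from one source address.

Added example, not from the profile or from any vendor tooling. ORG_DOMAIN,
LEGAL_THREAT_TERMS and SAMPLE_SUBMISSIONS are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlparse

ORG_DOMAIN = "example-target.com"  # constructed: the defended organisation's own domain
LEGAL_THREAT_TERMS = ("copyright", "infring", "dmca", "intellectual property", "legal action", "cease and desist")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def url_host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_own_host(host: str, org_domain: str) -> bool:
    return host == org_domain or host.endswith("." + org_domain)


def link_embeds_own_domain(url: str, org_domain: str) -> bool:
    """The lure signature: our domain appears inside the path of a link hosted somewhere else."""
    path = urlparse(url).path.lower()
    return org_domain in path and not is_own_host(url_host(url), org_domain)


def triage_submission(sub: dict, org_domain: str = ORG_DOMAIN) -> list:
    """Reasons a submission looks like the lure; an empty list means nothing suspicious."""
    text = sub["message"]
    urls = URL_RE.findall(text)
    external = [u for u in urls if not is_own_host(url_host(u), org_domain)]
    reasons = []
    for u in external:
        if link_embeds_own_domain(u, org_domain):
            reasons.append(f"external link embeds our domain in its path: {u}")
    if external and any(t in text.lower() for t in LEGAL_THREAT_TERMS):
        reasons.append("legal-threat wording combined with an external link")
    return reasons


def triage(submissions, org_domain: str = ORG_DOMAIN):
    """Submissions that warrant escalation to legal/security, paired with their reasons."""
    flagged = []
    for s in submissions:
        reasons = triage_submission(s, org_domain)
        if reasons:
            flagged.append((s, reasons))
    return flagged


def burst_sources(submissions, threshold: int = 2):
    """Source IPs with at least `threshold` submissions in the reviewed window."""
    counts = Counter(s["src_ip"] for s in submissions)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed submissions as an application-level contact-form log might record them.
SAMPLE_SUBMISSIONS = [
    {"ts": "2024-02-12T09:14:03Z", "src_ip": "198.51.100.7", "form": "contact",
     "message": "Your website example-target.com is using images owned by Acme Photo Studio without a license. "
                "Evidence: https://notice-portal.example.net/example-target.com/acme-photo-studio/ "
                "Remove them within 48 hours or we will take legal action."},
    {"ts": "2024-02-12T09:21:47Z", "src_ip": "198.51.100.7", "form": "press",
     "message": "Copyright infringement notice for example-target.com, case file: "
                "https://notice-portal.example.net/example-target.com/acme-photo-studio/?ref=press"},
    {"ts": "2024-02-12T10:02:10Z", "src_ip": "192.0.2.44", "form": "contact",
     "message": "Hi, could I get a quote? Our site is https://www.example-target.com/partners - thanks"},
    {"ts": "2024-02-12T11:30:55Z", "src_ip": "192.0.2.91", "form": "contact",
     "message": "Do you publish a copyright policy for reusing your blog content?"},
    {"ts": "2024-02-12T12:45:00Z", "src_ip": "192.0.2.18", "form": "contact",
     "message": "Loved the article, I linked to it from https://blog.example.org/posts/42"},
]

if __name__ == "__main__":
    for sub, reasons in triage(SAMPLE_SUBMISSIONS):
        print(sub["ts"], sub["src_ip"], sub["form"], "->", "; ".join(reasons))
    print("burst sources:", burst_sources(SAMPLE_SUBMISSIONS))
```

The keyword list on its own is deliberately not a trigger: the fourth sample asks about a copyright policy with no link and is left alone, and the fifth carries an external link with no legal framing and is also left alone. Escalation to legal counsel, not a visit to the link, is the action the flagged items should drive, which is the guidance the training item above gives.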
analyst note

TA578's copyright infringement contact form technique is worth examining in some depth because it represents a social engineering refinement that addresses a specific gap in enterprise security awareness. Standard phishing awareness training teaches employees to treat unexpected email from external senders with caution. The contact form technique bypasses this heuristic in two ways: first, the initial message arrives via the organization's own internal contact form notification — it looks like an inbound inquiry from the company website, not an unsolicited external email. Second, the legal framing (copyright infringement complaint) creates a perceived obligation to investigate that overrides the normal instinct to discard suspicious messages. Employees who are otherwise phishing-aware may act on a copyright complaint because ignoring it feels legally risky. The landing page personalization — displaying the target's own domain name and the impersonated company name — adds a third layer: the page confirms the specificity of the complaint, reinforcing the impression that this is a real, targeted legal notice rather than a generic phishing attempt. Organizations in Latrodectus's primary target geography (North America, Europe) should incorporate this specific social engineering scenario into security awareness training, and legal and compliance teams — who are the most likely recipients of copyright complaints — should receive specific guidance on the appropriate escalation path that does not involve clicking embedded URLs.

Sources & Further Reading
