Cybersecurity researchers have disclosed details of a new malware family dubbed YiBackdoor that has been found to share “significant” source code overlaps with IcedID and Latrodectus.
“The exact connection to YiBackdoor is not yet clear, but it may be used in conjunction with Latrodectus and IcedID during attacks,” Zscaler ThreatLabz said in a Tuesday report. “YiBackdoor is able to execute arbitrary commands, collect system information, capture screenshots, and deploy plugins that dynamically expand the malware’s functionality.”
The cybersecurity company said it first identified the malware in June 2025, adding it may be serving as a precursor to follow-on exploitation, such as facilitating initial access for ransomware attacks. Only limited deployments of YiBackdoor have been detected to date, indicating it’s currently either under development or being tested.
Given the similarities between YiBackdoor, IcedID, and Latrodectus, it’s being assessed with medium to high confidence that the new malware is the work of the same developers who are behind the other two loaders. It’s also worth noting that Latrodectus, in itself, is believed to be a successor of IcedID.
YiBackdoor features rudimentary anti-analysis techniques to evade virtualized and sandboxed environments, while incorporating capabilities to inject the core functionality into the “svchost.exe” process. Persistence on the host is achieved by using the Windows Run registry key.
“YiBackdoor first copies itself (the malware DLL) into a newly created directory under a random name,” the company said. “Next, YiBackdoor adds regsvr32.exe malicious_path in the registry value name (derived using a pseudo-random algorithm) and self-deletes to hinder forensic analysis.”
An embedded encrypted configuration within the malware is used to extract the command-and-control (C2) server, after which it establishes a connection to receive commands in HTTP responses –
- Systeminfo, to collect system metadata
- screen, to take a screenshot
- CMD, to execute a system shell command using cmd.exe
- PWS, to execute a system shell command using PowerShell
- plugin, to pass a command to an existing plugin and transmit the results back to the server
- task, to initialize and execute a new plugin that’s Base64-encoded and encrypted
Zscaler’s analysis of YiBackdoor has uncovered a number of code overlaps between YiBackdoor, IcedID, and Latrodectus, including the code injection method, the format and length of the configuration decryption key, and the decryption routines for the configuration blob and the plugins.
“YiBackdoor by default has somewhat limited functionality, however, threat actors can deploy additional plugins that expand the malware’s capabilities,” Zscaler said. “Given the limited deployment to date, it is likely that threat actors are still developing or testing YiBackdoor.”
New Versions of ZLoader Spotted
The development comes as the…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
