New YiBackdoor Malware with Code Overlaps to IcedID and Latrodectus
Summary
A new malware family, YiBackdoor, has been identified. It shares significant code overlaps with IcedID and Latrodectus, suggesting a possible link to the same developers. YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and deploy plugins, and it may be used alongside Latrodectus and IcedID during attacks. First detected in June 2025, it features rudimentary anti-analysis checks, persists via the Windows Run registry key, and injects its core functionality into the svchost.exe process. Its command-and-control (C2) server address is extracted from an embedded encrypted configuration, and it supports commands for system manipulation and plugin management. Its limited deployment suggests it is still under development or in testing.
Timeline
-
24.09.2025 14:28 · 1 article
YiBackdoor Malware Identified with Code Overlaps to IcedID and Latrodectus
- New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus — thehackernews.com — 24.09.2025 14:28
Information Snippets
-
YiBackdoor shares significant code overlaps with IcedID and Latrodectus, indicating a possible connection to the same developers.
First reported: 24.09.2025 14:28 · 1 source, 1 article
- New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus — thehackernews.com — 24.09.2025 14:28
-
YiBackdoor was first identified in June 2025 and is likely under development or testing.
First reported: 24.09.2025 14:28 · 1 source, 1 article
- New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus — thehackernews.com — 24.09.2025 14:28
-
YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and deploy plugins.
First reported: 24.09.2025 14:28 · 1 source, 1 article
- New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus — thehackernews.com — 24.09.2025 14:28
-
YiBackdoor uses the Windows Run registry key for persistence and injects its core functionality into the svchost.exe process.
First reported: 24.09.2025 14:28 · 1 source, 1 article
- New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus — thehackernews.com — 24.09.2025 14:28
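The two behaviours in the snippet above (a Run-key entry for persistence and injection of the core into svchost.exe) are the ones a defender can hunt for without any YiBackdoor-specific indicator. The following is an added example written for this page, not code from the article or from the malware's authors: three heuristic rules run over constructed Sysmon-style events (EventID 13 registry SetValue, EventID 1 process creation, EventID 8 CreateRemoteThread). The event records, the "user-writable directory" list and the parent/command-line expectations for svchost.exe are assumptions chosen for the example; tune them to your environment before treating a hit as more than a lead.

```python
"""Hunting heuristics for Run-key persistence and svchost.exe injection.

Added example for this page. The events below are constructed Sysmon-style
records, not real telemetry; field names follow Sysmon's EventID 1/8/13
conventions (Image, ParentImage, CommandLine, TargetObject, Details,
SourceImage, TargetImage).
"""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Run/RunOnce key fragments, compared case-insensitively against TargetObject.
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Directories from which a legitimate autostart entry is rarely launched
# (assumption for the example; extend for your estate).
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def is_run_key_persistence(ev: Event) -> bool:
    """EventID 13 SetValue on Run/RunOnce whose data points into a user-writable dir."""
    if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
        return False
    target = ev.get("TargetObject", "").lower()
    details = ev.get("Details", "").lower()
    return any(k in target for k in RUN_KEYS) and any(d in details for d in SUSPICIOUS_DIRS)


def is_svchost_anomalous_start(ev: Event) -> bool:
    """EventID 1: svchost.exe not started by services.exe with a '-k <group>' argument.

    A loader that spawns a fresh svchost.exe to host injected code typically
    breaks one or both of those expectations (heuristic, not a guarantee).
    """
    if ev.get("EventID") != "1":
        return False
    if not ev.get("Image", "").lower().endswith("\\svchost.exe"):
        return False
    legit_parent = ev.get("ParentImage", "").lower().endswith("\\services.exe")
    has_service_group = " -k " in ev.get("CommandLine", "").lower()
    return not (legit_parent and has_service_group)


def is_remote_thread_into_svchost(ev: Event) -> bool:
    """EventID 8: a thread created in svchost.exe from an image outside C:\\Windows."""
    if ev.get("EventID") != "8":
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\svchost.exe"):
        return False
    # Security products under Program Files can trip this; whitelist them per site.
    return not ev.get("SourceImage", "").lower().startswith("c:\\windows\\")


RULES: Tuple[Tuple[str, Callable[[Event], bool]], ...] = (
    ("run_key_persistence", is_run_key_persistence),
    ("svchost_anomalous_start", is_svchost_anomalous_start),
    ("remote_thread_into_svchost", is_remote_thread_into_svchost),
)


def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, RecordId) for every event matching a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.get("RecordId", "?")))
    return hits


# Constructed sample telemetry: a loader in AppData adds itself to the user's
# Run key, spawns its own svchost.exe and injects a thread into it, alongside
# benign records that should not fire.
SAMPLE_EVENTS: List[Event] = [
    {"RecordId": "1", "EventID": "13", "EventType": "SetValue",
     "Image": r"C:\Users\alice\AppData\Roaming\Updater\upd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\upd.exe"},
    {"RecordId": "2", "EventID": "13", "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"RecordId": "3", "EventID": "1",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"RecordId": "4", "EventID": "1",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\Updater\upd.exe"},
    {"RecordId": "5", "EventID": "8",
     "SourceImage": r"C:\Users\alice\AppData\Roaming\Updater\upd.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"RecordId": "6", "EventID": "8",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for rule_name, record_id in hunt(SAMPLE_EVENTS):
        print(f"{rule_name}: record {record_id}")
```

Records 1, 4 and 5 fire, one per rule; records 2, 3 and 6 are the benign counterparts (a system-path Run entry, a services.exe-spawned svchost with a service group, and a thread from a Windows binary). In a real deployment, correlate the three rules on the same host within a short window: any single hit is noisy, but a Run-key write from AppData followed by an orphaned svchost.exe and a remote thread into it from the same image is the pattern the snippet describes.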
-
YiBackdoor employs rudimentary anti-analysis techniques to evade virtualized and sandboxed environments.
First reported: 24.09.2025 14:28 · 1 source, 1 article
- New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus — thehackernews.com — 24.09.2025 14:28
-
YiBackdoor's command-and-control (C2) server is extracted from an embedded encrypted configuration.
First reported: 24.09.2025 14:28 · 1 source, 1 article
- New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus — thehackernews.com — 24.09.2025 14:28
-
YiBackdoor supports commands for system manipulation, including systeminfo, screen capture, CMD execution, PowerShell execution, plugin management, and task initialization.
First reported: 24.09.2025 14:28 · 1 source, 1 article
- New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus — thehackernews.com — 24.09.2025 14:28
-
YiBackdoor's limited deployment indicates it is either under development or being tested.
First reported: 24.09.2025 14:28 · 1 source, 1 article
- New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus — thehackernews.com — 24.09.2025 14:28
Similar Happenings
XCSSET macOS Malware Targets Xcode Developers with Enhanced Features
A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects, stealing cryptocurrency, and browser data from infected devices. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.