YiBackdoor malware activity with limited deployments
Malware Activity
Summary
The newly disclosed YiBackdoor malware activity matters because the loader has limited deployments but can execute arbitrary commands, collect system information, and support follow-on ransomware access. It shares significant source-code overlap with IcedID and Latrodectus, suggesting related development. The malware also uses svchost.exe injection, the Windows Run key for persistence, and encrypted C2 configuration to receive commands.
Related Happenings
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Mustang Panda PlugX DOPLUGS deployment chain for persistent access
Malware Activity
First: 04.02.2026 16:09
Last: 04.02.2026 16:09
Sources 1
About this happening:
**Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...
XCoderTools markets XWorm 6.0 lifetime access on cybercrime forums
Threat Actor Meta
First: 07.10.2025 13:36
Last: 07.10.2025 13:36
Sources 1
About this happening:
**XCoderTools** reemerged on **cybercrime forums** to sell **XWorm 6.0**, showing that the malware ecosystem still has active commercial demand. The build was priced at **$500** f...
COLDRIVER BAITSWITCH and SIMPLEFIX ClickFix malware chain
Malware Activity
First: 26.09.2025 15:45
Last: 26.09.2025 15:45
Sources 1
About this happening:
**COLDRIVER** (aka **Star Blizzard/UNC4057/Callisto**) has shifted from **LOSTKEYS** to rapidly changing **NOROBOT/YESROBOT/MAYBEROBOT** tooling in a **ClickFix**-style campaign,...
SilentSync delivery via malicious PyPI packages sisaws and secmeasure
Malware Activity
First: 18.09.2025 14:38
Last: 18.09.2025 14:38
Sources 1
About this happening:
Two malicious **PyPI** packages now expand the supply-chain risk for Python developers by delivering the **SilentSync** RAT to **Windows** systems. The packages, **sisaws** and **...
Timeline
- 24.09.2025 14:28 · 2 articles · 8mo ago
YiBackdoor malware disclosure and technical assessment
Initial Disclosure: Zscaler ThreatLabz identified YiBackdoor, a new malware family first observed in June 2025, and assessed that it shares significant source-code overlap with IcedID and Latrodectus and may come from the same developers. YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and deploy plugins that expand its functionality; it also uses rudimentary anti-analysis techniques, injects into svchost.exe, persists through the Windows Run registry key, and self-deletes using a registry value tied to regsvr32.exe. Limited deployments suggest the malware is still under development or being tested.
- New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus — thehackernews.com — 24.09.2025 14:28