
YiBackdoor malware linked to IcedID and Latrodectus

1 unique source, 1 article

Summary


A new malware family, YiBackdoor, has been identified with significant code overlaps with IcedID and Latrodectus. This malware can execute arbitrary commands, collect system information, capture screenshots, and deploy plugins. It was first detected in June 2025 and may be used as a precursor to ransomware attacks. Limited deployments suggest it is under development or testing. YiBackdoor employs rudimentary anti-analysis techniques and injects its core functionality into the svchost.exe process. It achieves persistence through the Windows Run registry key and uses an embedded encrypted configuration to establish command-and-control (C2) communication. YiBackdoor's capabilities include system metadata collection, screenshot capture, command execution via cmd.exe and PowerShell, and plugin management. The malware's limited functionality can be expanded through additional plugins.

Timeline

  1. 24.09.2025 14:28 · 1 article · 3h ago

    YiBackdoor malware linked to IcedID and Latrodectus


