Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus

The Hacker News by The Hacker News
September 24, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Sep 24, 2025Ravie LakshmananMalware / Windows Security

Cybersecurity researchers have disclosed details of a new malware family dubbed YiBackdoor that has been found to share “significant” source code overlaps with IcedID and Latrodectus.

“The exact connection to YiBackdoor is not yet clear, but it may be used in conjunction with Latrodectus and IcedID during attacks,” Zscaler ThreatLabz said in a Tuesday report. “YiBackdoor is able to execute arbitrary commands, collect system information, capture screenshots, and deploy plugins that dynamically expand the malware’s functionality.”

The cybersecurity company said it first identified the malware in June 2025, adding it may be serving as a precursor to follow-on exploitation, such as facilitating initial access for ransomware attacks. Only limited deployments of YiBackdoor have been detected to date, indicating it’s currently either under development or being tested.

DFIR Retainer Services

Given the similarities between YiBackdoor, IcedID, and Latrodectus, it’s being assessed with medium to high confidence that the new malware is the work of the same developers who are behind the other two loaders. It’s also worth noting that Latrodectus, in itself, is believed to be a successor of IcedID.

YiBackdoor features rudimentary anti-analysis techniques to evade virtualized and sandboxed environments, while incorporating capabilities to inject the core functionality into the “svchost.exe” process. Persistence on the host is achieved by using the Windows Run registry key.

“YiBackdoor first copies itself (the malware DLL) into a newly created directory under a random name,” the company said. “Next, YiBackdoor adds regsvr32.exe malicious_path in the registry value name (derived using a pseudo-random algorithm) and self-deletes to hinder forensic analysis.”

An embedded encrypted configuration within the malware is used to extract the command-and-control (C2) server, after which it establishes a connection to receive commands in HTTP responses –

  • Systeminfo, to collect system metadata
  • screen, to take a screenshot
  • CMD, to execute a system shell command using cmd.exe
  • PWS, to execute a system shell command using PowerShell
  • plugin, to pass a command to an existing plugin and transmit the results back to the server
  • task, to initialize and execute a new plugin that’s Base64-encoded and encrypted

Zscaler’s analysis of YiBackdoor has uncovered a number of code overlaps between YiBackdoor, IcedID, and Latrodectus, including the code injection method, the format and length of the configuration decryption key, and the decryption routines for the configuration blob and the plugins.

“YiBackdoor by default has somewhat limited functionality, however, threat actors can deploy additional plugins that expand the malware’s capabilities,” Zscaler said. “Given the limited deployment to date, it is likely that threat actors are still developing or testing YiBackdoor.”

New Versions of ZLoader Spotted

The development comes as the cybersecurity firm examined two new versions of ZLoader (aka DELoader, Terdot, or Silent Night) – 2.11.6.0 and 2.13.7.0 – that incorporate further improvements to its code obfuscation, network communications, anti-analysis techniques, and evasion capabilities.

CIS Build Kits

Notable among the changes are LDAP-based network discovery commands that can be leveraged for network discovery and lateral movement, as well as an enhanced DNS-based network protocol that utilizes custom encryption with the option of using WebSockets.

Attacks distributing the malware loader are said to be more precise and targeted, being deployed only against a small number of entities rather than in an indiscriminate fashion.

“ZLoader 2.13.7.0 includes improvements and updates to the custom DNS tunnel protocol for command-and-control (C2) communications, along with added support for WebSockets,” Zscaler said. “ZLoader continues to evolve its anti-analysis strategies, leveraging innovative methods to evade detection.”



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
NCA arrests man following cyber attack that disrupted air travel | Computer Weekly

NCA arrests man following cyber attack that disrupted air travel | Computer Weekly

Recommended.

INE Security Partners with Abadnet Institute for Cybersecurity Training Programs in Saudi Arabia

INE Security Partners with Abadnet Institute for Cybersecurity Training Programs in Saudi Arabia

May 22, 2025
CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence

CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence

November 5, 2025

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio