Threat actors have leveraged Microsoft Azure and Cloudflare lures to facilitate phishing campaigns deploying the Latrodectus malware downloader, also known as IceNova and Unidentified 111, BleepingComputer reports.
Intrusions involved reply-chain phishing emails carrying either PDF attachments purporting to be Microsoft Azure-hosted documents or embedded URLs, according to security researcher ProxyLife. Opening the PDF would redirect targets to a fraudulent "Cloudflare security check," a page intended to evade email security scanners, which in turn triggered the download of a JavaScript file disguised as a document; that script executes an MSI file, which drops Latrodectus as a DLL.
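The script-to-installer hop in that chain is a natural detection point. The following is an added illustration, not code from BleepingComputer or ProxyLife, of how a defender might flag it in process-creation telemetry: it looks for a Windows script host (wscript.exe or cscript.exe, assumed here to be what runs the JavaScript lure) that spawns the Windows Installer (msiexec.exe, assumed here to be what executes the MSI), and raises severity when the script name carries a document-spoofing double extension or the MSI sits in a user-writable path and is installed quietly. The event layout and all sample events are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed; carries the fields a
    Sysmon Event ID 1 or EDR telemetry record would provide)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Assumed script hosts for a .js lure and assumed installer binary for the MSI.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLER = "msiexec.exe"

# Document extension immediately followed by .js, e.g. "Report.pdf.js".
DOC_SPOOF_JS = re.compile(r"\.(pdf|docx?|xlsx?)\.js\b", re.IGNORECASE)
# MSI launched from a user-writable location (heuristic, an assumption).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.IGNORECASE)
# msiexec quiet-install switch (/q, /qn, /quiet).
QUIET_FLAG = re.compile(r"(^|\s)/q", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_script_to_msi_chains(events):
    """Return one finding per msiexec.exe whose parent is a script host."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for child in events:
        if basename(child.image) != INSTALLER:
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        doc_spoofed = DOC_SPOOF_JS.search(parent.cmdline) is not None
        user_path = USER_WRITABLE.search(child.cmdline) is not None
        quiet = QUIET_FLAG.search(child.cmdline) is not None
        severity = "high" if (doc_spoofed or (user_path and quiet)) else "medium"
        findings.append({
            "parent_pid": parent.pid,
            "child_pid": child.pid,
            "script_cmdline": parent.cmdline,
            "msi_cmdline": child.cmdline,
            "doc_spoofed": doc_spoofed,
            "severity": severity,
        })
    return findings


# Constructed sample telemetry: one benign explorer tree, one lure chain,
# one user-launched installer, and one logon script that runs an installer.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Azure_Document.pdf.js"'),
    ProcEvent(201, 200, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\update.msi" /qn'),
    ProcEvent(300, 100, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Installers\7z.msi"'),          # not a script-host child
    ProcEvent(400, 100, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //nologo logon.vbs"),
    ProcEvent(500, 400, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i deploy.msi /qn"),                   # script-host child, no lure name
]


if __name__ == "__main__":
    for f in find_script_to_msi_chains(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["parent_pid"], "->", f["child_pid"], f["script_cmdline"])
```

The parent/child pairing alone yields a medium finding, because legitimate deployment scripts do run msiexec; the document-style double extension or a quiet install from a user profile path is what separates the lure chain from routine administration.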
So far Latrodectus has been observed distributing only the Lumma information-stealing payload and the Danabot malware, but the downloader, which researchers have associated with the IcedID malware loader, could be used to deploy additional malicious payloads.
Given that risk, organizations should immediately disconnect any device compromised with Latrodectus from the network.