Phishing campaigns have increasingly leveraged the Latrodectus malware loader since March, and the loader has been updated with more extensive enumeration and execution capabilities as well as self-delete functionality, according to The Hacker News.
Operators have also extended Latrodectus with a handler that downloads and executes IcedID from the command-and-control server, suggesting a possible arrangement between the two malware operations, an Elastic Security Labs report showed.
"One hypothesis being considered is that LATRODECTUS is being actively developed as a replacement for IcedID, and the handler ([command ID] #18) was included until malware authors were satisfied with Latrodectus' capabilities," said researchers.
The development follows a Proofpoint report detailing the emergence of an updated Tycoon phishing-as-a-service platform that exfiltrates Microsoft 365 and Gmail session cookies and adds more advanced evasion capabilities, including dynamic code generation and source code obfuscation techniques.
"Significant alterations to the kit's JavaScript and HTML code have been implemented to increase its stealthiness and effectiveness," said Proofpoint.