The new Yibackdoor malware shares major code duplication with IcedID and Latrodectus

September 24, 2025Ravi LakshmananMalware/Windows Security

Cybersecurity researchers have revealed details about a new malware family called Yibackdoor and have found that it shares “significant” source code overlaps with IcedID and Latrodectus.

“The exact connection to Yibackdoor is not yet clear, but it can be used in conjunction with Latrodectus or IcedID during an attack,” Zscaler ThreatLabz said in a report Tuesday. “Yibackdoor can run any command, collect system information, capture screenshots, and deploy plugins that dynamically extend the functionality of the malware.”

The cybersecurity company first identified the malware in June 2025, adding that it could serve as a precursor to follow-on exploitation, including providing initial access for ransomware attacks. To date, only limited deployments of Yibackdoor have been detected, indicating that it is currently under development or being tested.

Given the similarities between Yibackdoor, IcedID, and Latrodectus, it is assessed with moderate to high confidence that the new malware is the work of the same developer behind the other two loaders. It is also worth noting that Latrodectus itself is considered to be the successor to IcedID.

Yibackdoor features rudimentary anti-analysis techniques to avoid virtualized and sandboxed environments, and incorporates the ability to inject its core functionality into the “svchost.exe” process. Persistence on the host is achieved through the use of Windows Run registry keys.

“Yibackdoor first copies itself (the malware DLL) into a newly created directory with a random name,” the company said. “Yibackdoor then adds the registry value name (derived using a pseudo-random algorithm) and regsvr32.exe malicious_path to the autorun key, preventing forensic analysis.”

An encrypted configuration embedded within the malware is used to extract the command-and-control (C2) servers and then establish a connection that receives commands in an HTTP response:

  • SystemInfo, collects system metadata
  • Screens, retrieves a screenshot
  • CMD, executes system shell commands using cmd.exe
  • PWS, executes system shell commands using PowerShell
  • Plugin, passes commands to an existing plugin
  • Tasks, sends results to the server, and initializes and runs new plugins delivered with Base64 encoding

Zscaler’s analysis of Yibackdoor revealed many code overlaps between Yibackdoor, IcedID, and Latrodectus, including the code injection method and the format and length of the configuration decryption key.

“By default, Yibackdoor features are somewhat limited, but threat actors can deploy additional plugins that extend the capabilities of malware,” Zscaler said. “Given the limited deployments so far, it’s possible that threat actors are still developing or testing Yibackdoor.”

A new version of Zloader has been discovered

The findings come as the cybersecurity company also examined two newer versions of Zloader (also known as DeLoader, Terdot, or Silent Night), 2.11.6.0 and 2.13.7.0, which incorporate further improvements to its code, network communications, anti-analysis techniques, and other capabilities.

Of note among the changes are LDAP-based commands that can be used for network discovery and lateral movement, and an enhanced DNS-based network protocol that uses custom encryption, with optional WebSocket support.

Attacks that distribute the malware loader are said to be more precise and targeted, deployed only against a small number of entities rather than indiscriminately.

“Zloader 2.13.7.0 includes improvements and updates to the custom DNS tunnel protocol for Command-and-Control (C2) communications, and adds support for WebSocket,” Zscaler said. “Zloader continues to evolve its anti-analytics strategy and leverages innovative ways to avoid detection.”
