YiBackdoor Malware Linked to IcedID and Latrodectus as ZLoader Evolves with Advanced Evasion
Researchers at Zscaler have discovered a new malware family, known as YiBackdoor, that exhibits significant code overlaps with the loaders IcedID and Latrodectus. YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and deploy modular plugins to extend its functionality. It achieves persistence by adding entries to the Windows Run registry key, injects into the svchost[.]exe process, and employs rudimentary anti-analysis techniques to evade sandbox detection. Its configuration is embedded and encrypted and contains the C2 address; the C2 issues commands that are executed via cmd.exe or PowerShell, along with plugin management and task creation instructions. Researchers assess with medium to high confidence that YiBackdoor was developed by the same actors behind IcedID and Latrodectus, both of which are widely used in ransomware operations. Limited deployments so far suggest that YiBackdoor is either in active testing or still under development; however, its potential as a precursor to larger intrusions is significant. In addition to YiBackdoor, researchers identified new versions of ZLoader, specifically 2.11.6.0 and 2.13.7.0, which showcase notable advances in obfuscation, anti-analysis techniques, and network communication. These upgrades include LDAP-based commands for network discovery and lateral movement, as well as enhancements to its DNS tunneling protocol that now support custom encryption and optional WebSockets for C2 traffic. Recent campaigns distributing ZLoader have been highly targeted, indicating a deliberate focus on select victims rather than indiscriminate spread. Together, YiBackdoor and ZLoader demonstrate the continuing evolution of modular malware designed to bypass detection and facilitate post-compromise activity.
Mitigation requires proactive endpoint monitoring, auditing of registry and process injection activity, and network defenses capable of identifying abnormal DNS or WebSocket communications to prevent attackers from exploiting these tools undetected.
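The mitigation above calls for network defenses that can spot abnormal DNS traffic. The following added example (not code from Zscaler's report or from the malware) shows one simple way to surface DNS tunneling candidates from resolver logs: it groups queries by parent domain and flags domains that repeatedly receive queries whose leftmost label is long and high-entropy, which is what encoded C2 data in a query name tends to look like. The log lines, the thresholds, and the tunnel-placeholder.test domain are all constructed for the example and are not indicators from the report.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real telemetry): "<timestamp> <client> <qtype> <qname>".
# tunnel-placeholder.test is a placeholder domain, not an indicator from any report.
SAMPLE_DNS_LOG = """\
2025-09-24T10:00:01Z 10.0.0.15 A www.example.com
2025-09-24T10:00:02Z 10.0.0.15 A cdn.example.net
2025-09-24T10:00:03Z 10.0.0.15 TXT 4a7f9c2e1b8d3f6a0c5e9b2d7f1a4c8e.tunnel-placeholder.test
2025-09-24T10:00:03Z 10.0.0.15 TXT 9d2c4e7a1f5b8c3e6a0d9f2b4c7e1a5d.tunnel-placeholder.test
2025-09-24T10:00:04Z 10.0.0.15 TXT 2f6a9c1e4b7d0f3a5c8e2b9d6f1a4c7e.tunnel-placeholder.test
2025-09-24T10:00:04Z 10.0.0.15 TXT 7c1e4a9d2f5b8c0e3a6d9f2b5c8e1a4d.tunnel-placeholder.test
2025-09-24T10:00:05Z 10.0.0.15 A mail.example.com
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded or encrypted payloads score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """Last two labels of the query name (a simplification; production code should use a public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_tunnel_candidates(log_text, min_queries=3, min_label_len=24, min_entropy=3.0):
    """Flag parent domains that repeatedly receive queries with a long, high-entropy leftmost label.

    Returns {domain: {"queries": total, "suspicious": count, "qtypes": [...]}} for flagged domains only.
    The thresholds are assumptions chosen for this example; tune them against your own baseline.
    """
    stats = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole batch
        _ts, _client, qtype, qname = parts
        domain = parent_domain(qname)
        entry = stats.setdefault(domain, {"queries": 0, "suspicious": 0, "qtypes": set()})
        entry["queries"] += 1
        entry["qtypes"].add(qtype)
        first_label = qname.split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            entry["suspicious"] += 1
    flagged = {}
    for domain, entry in stats.items():
        if entry["suspicious"] >= min_queries:
            flagged[domain] = {**entry, "qtypes": sorted(entry["qtypes"])}
    return flagged


if __name__ == "__main__":
    for domain, info in find_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(f"possible DNS tunnel: {domain} {info}")
```

The per-domain count matters more than any single query: one long label is normal for CDNs and telemetry, but dozens of distinct high-entropy labels under the same parent domain in a short window is the pattern worth an analyst's time. A real deployment would also record client, query rate and TXT/NULL record usage per domain, and allowlist known legitimate services that encode data in query names.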
ShadowV2 Botnet Infects AWS Docker Containers to Launch DDoS Campaign
Researchers have uncovered ShadowV2, a Python-based botnet that blends traditional malware techniques with modern DevOps tooling to deliver DDoS-as-a-Service operations. The campaign leverages GitHub Codespaces to host its C2 framework, deploying through exposed Docker daemons on AWS EC2 instances. Initial compromise is achieved using Python Docker SDK requests, after which attackers spin up blank Ubuntu containers that install a Go-based RAT and DDoS binaries. The malware persists through heartbeat and polling loops, maintaining active connections with its C2 via RESTful APIs. Its capabilities include large-scale HTTP floods, HTTP/2 rapid reset attacks, and attempts to bypass Cloudflare protections using bundled headless Chrome. Evidence from Darktrace honeypots suggests attackers are testing ShadowV2 in controlled environments while refining its container-based deployment and stealthy operational design. ShadowV2 distinguishes itself by mirroring legitimate cloud-native applications, featuring a polished operator interface, OpenAPI specifications, and multi-tenant capabilities that position it as a commercialized DDoS-for-hire service. Its architecture demonstrates how containerization and cloud-native platforms can be weaponized for scale, resilience, and ease of use, reframing botnets as modular, service-oriented threats. By exploiting HTTP/2 multiplexing, ShadowV2 significantly amplifies attack throughput, while features such as randomized headers and query strings further complicate detection. The malware's REST API enables attackers to manage zombie hosts, initiate targeted attacks, and handle access privileges in a structured manner, reinforcing the platform's sophistication.
Mitigation requires strict hardening of Docker APIs, continuous monitoring of container behavior, network traffic analysis to detect HTTP/2 anomalies, and the integration of behavioral analytics to spot unusual orchestration or API usage before ShadowV2 or similar platforms can escalate attacks.
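The initial access described above depends on a Docker daemon whose API is reachable over TCP without client authentication. The following added example (not code from the Darktrace report or from ShadowV2) audits a daemon.json for that exposure, showing the weak configuration beside a hardened one. The two configuration documents are constructed for the example; the keys they use (hosts, tlsverify, tlscacert, tlscert, tlskey) are real daemon.json options, and the hostname 10.0.0.5 and certificate paths are placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json exposing the API on every interface, in plaintext, with no client auth.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed hardened daemon.json: TLS with mandatory client certificates, bound to a management address.
# The address and certificate paths are placeholders for this example.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

TLS_MATERIAL_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text):
    """Return (severity, message) findings for network exposure of the Docker API.

    Only TCP listeners are examined: the default unix socket is protected by file permissions,
    whereas an unauthenticated tcp:// listener lets any network peer create and run containers.
    """
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # nothing reachable over the network

    if not cfg.get("tlsverify"):
        findings.append(("high", "TCP listener accepts unauthenticated API requests (tlsverify is not enabled)"))
    else:
        for key in TLS_MATERIAL_KEYS:
            if key not in cfg:
                findings.append(("high", f"tlsverify is enabled but {key} is not configured"))

    for host in tcp_hosts:
        parsed = urlsplit(host)
        if parsed.hostname in ("0.0.0.0", "::"):
            findings.append(("medium", f"{host} binds every interface; restrict it to a management address"))
        if parsed.port == 2375:
            findings.append(("low", f"{host} uses 2375, the conventional plaintext Docker port"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or "no findings")
```

A config audit catches the misconfiguration before deployment; after the fact, the same exposure shows up as container creation events (image pull, container create, exec) originating from addresses that are not your orchestration hosts, which is the behavioural signal the mitigation above refers to.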
Banking Trojans Targeting Android Users Disguise as Government and Trusted Payment Apps
Researchers have identified a coordinated campaign targeting Android users with banking trojans disguised as official government identity and payment applications. The campaign uses sophisticated spoofed Google Play Store pages that employ WebSocket-based download mechanisms to bypass security filters. These sites simulate legitimate app downloads by streaming malicious APK files in chunks, reassembling them in the browser, and programmatically triggering the file prompt. The primary payload identified is a variant of BankBot[.]Remo, a trojan first seen after its source code leaked in 2016 and still widely used to steal credentials. Alongside these advanced methods, attackers also host fake tax payment and banking applications on template-based spoofed sites, reusing code snippets with multiple regional language strings but little localization. Researchers uncovered open directories containing dozens of malicious APKs masquerading as trusted apps, including BCA, Livin, and OCBC, all of which were configured to contact C2 servers tied to the same infrastructure. Analysis of more than 100 related domains revealed consistent operational patterns that highlight the group's regional footprint. Most of the infrastructure relied on Alibaba ISP, Gname[.]com Pte. Ltd. as the registrar, and share-dns[.]net or Cloudflare for nameservers, with reused TLS certificates and IP overlaps across clusters of domains. The campaign's registration and resolution timelines consistently lagged by about 10.5 hours, with peaks during the daytime hours of UTC+7 to UTC+9, suggesting that local operators focused on Southeast Asia. The attackers' blending of advanced obfuscation through WebSocket chunked delivery with mass-scale spoofing underscores the evolving threat to mobile users in regions with high mobile payment adoption.
Mitigation requires blocking known C2 domains, monitoring for suspicious WebSocket traffic, auditing DNS activity for malicious infrastructure, and strengthening user awareness campaigns to ensure downloads are only made from verified app stores.
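Delivering an APK as WebSocket binary frames defeats filters that only inspect HTTP downloads, but the reassembled bytes are still a zip archive with an AndroidManifest.xml entry. The following added example (not code from the researchers' report or from the campaign) shows how a proxy or sensor that buffers WebSocket binary frames can classify the stream: it reads the first local file header as soon as the first frame arrives, and parses the full archive once the stream completes. The "APK" is a constructed zip with placeholder contents, not a real application, and the frame size is an assumption.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature that starts every zip (and therefore every APK)


def build_sample_apk_bytes():
    """Constructed stand-in for an APK: a zip carrying the two entries every APK has. Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='placeholder.example'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def chunk(data, size):
    """Split a byte string into consecutive frames of at most `size` bytes (simulates chunked delivery)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def first_entry_name(blob):
    """Name of the first local file header; readable before the stream is complete.

    Local header layout: 4-byte signature, then 22 bytes of fixed fields, then
    2-byte name length at offset 26, 2-byte extra length at offset 28, then the name.
    """
    if len(blob) < 30 or not blob.startswith(ZIP_LOCAL_HEADER):
        return None
    name_len, _extra_len = struct.unpack_from("<HH", blob, 26)
    if len(blob) < 30 + name_len:
        return None
    return blob[30:30 + name_len].decode("utf-8", "replace")


def classify_stream(frames):
    """Reassemble binary WebSocket frames and decide whether they carry an APK.

    Works on a partial stream (via the first local header) and on a complete one
    (via the central directory, which a zip parser needs and which sits at the end).
    """
    blob = b"".join(frames)
    result = {
        "bytes": len(blob),
        "zip_magic": blob.startswith(ZIP_LOCAL_HEADER),
        "first_entry": first_entry_name(blob),
        "entries": [],
        "apk": False,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            result["entries"] = zf.namelist()
    except (zipfile.BadZipFile, EOFError, ValueError):
        pass  # stream still incomplete, or not an archive at all
    names = result["entries"] or ([result["first_entry"]] if result["first_entry"] else [])
    result["apk"] = "AndroidManifest.xml" in names or any(n.endswith(".dex") for n in names)
    return result


if __name__ == "__main__":
    frames = chunk(build_sample_apk_bytes(), 64)  # 64-byte frames are an assumption for the demo
    print("after first frame:", classify_stream(frames[:1]))
    print("after full stream:", classify_stream(frames))
```

Acting on the first frame is what makes this usable inline: a sensor can flag or block a WebSocket session from an unknown host the moment the stream begins with a zip header naming AndroidManifest.xml, rather than waiting for the whole file. The same check applies to Blob objects assembled in the page and handed to a download prompt, where an endpoint agent sees the file rather than the frames.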