Cybersecurity researchers have disclosed details of a new malware family dubbed YiBackdoor that has been found to share “significant” source code overlaps with IcedID and Latrodectus.
“The exact connection to YiBackdoor is not yet clear, but it may be used in conjunction with Latrodectus and IcedID during attacks,” Zscaler ThreatLabz said in a Tuesday report. “YiBackdoor is able to execute arbitrary commands, collect system information, capture screenshots, and deploy plugins that dynamically expand the malware’s functionality.”
The cybersecurity company said it first identified the malware in June 2025, adding it may be serving as a precursor to follow-on exploitation, such as facilitating initial access for ransomware attacks. Only limited deployments of YiBackdoor have been detected to date, indicating it’s currently either under development or being tested.
Given the similarities between YiBackdoor, IcedID, and Latrodectus, it’s being assessed with medium to high confidence that the new malware is the work of the same developers who are behind the other two loaders. It’s also worth noting that Latrodectus, in itself, is believed to be a successor of IcedID.
YiBackdoor features rudimentary anti-analysis techniques to evade virtualized and sandboxed environments, while incorporating capabilities to inject the core functionality into the “svchost.exe” process. Persistence on the host is achieved by using the Windows Run registry key.
“YiBackdoor first copies itself (the malware DLL) into a newly created directory under a random name,” the company said. “Next, YiBackdoor adds regsvr32.exe malicious_path in the registry value name (derived using a pseudo-random algorithm) and self-deletes to hinder forensic analysis.”
An embedded encrypted configuration within the malware is used to extract the command-and-control (C2) server, after which it establishes a connection to receive commands in HTTP responses –
- Systeminfo, to collect system metadata
- screen, to take a screenshot
- CMD, to execute a system shell command using cmd.exe
- PWS, to execute a system shell command using PowerShell
- plugin, to pass a command to an existing plugin and transmit the results back to the server
- task, to initialize and execute a new plugin that’s Base64-encoded and encrypted
Zscaler’s analysis of YiBackdoor has uncovered a number of code overlaps between YiBackdoor, IcedID, and Latrodectus, including the code injection method, the format and length of the configuration decryption key, and the decryption routines for the configuration blob and the plugins.
“YiBackdoor by default has somewhat limited functionality, however, threat actors can deploy additional plugins that expand the malware’s capabilities,” Zscaler said. “Given the limited deployment to date, it is likely that threat actors are still developing or testing YiBackdoor.”
New Versions of ZLoader Spotted
The development comes as the cybersecurity firm examined two new versions of ZLoader (aka DELoader, Terdot, or Silent Night) – 2.11.6.0 and 2.13.7.0 – that incorporate further improvements to its code obfuscation, network communications, anti-analysis techniques, and evasion capabilities.
Notable among the changes are LDAP-based network discovery commands that can be leveraged for network discovery and lateral movement, as well as an enhanced DNS-based network protocol that utilizes custom encryption with the option of using WebSockets.
Attacks distributing the malware loader are said to be more precise and targeted, being deployed only against a small number of entities rather than in an indiscriminate fashion.
“ZLoader 2.13.7.0 includes improvements and updates to the custom DNS tunnel protocol for command-and-control (C2) communications, along with added support for WebSockets,” Zscaler said. “ZLoader continues to evolve its anti-analysis strategies, leveraging innovative methods to evade detection.”
