Lunar Spider
LUNAR SPIDER, also known as Gold Swathmore, is a Russian-speaking, financially motivated cybercriminal threat actor active since at least 2009. The group is assessed in the provided reporting as being behind the IcedID (BokBot) and Latrodectus malware families, and has continued operating despite law-enforcement disruption and leadership changes. One report states the group was previously led by Vyacheslav Igorevich Penchukov (aliases Tank, Zeus, Zevs, Father, TopBro), who was arrested in Switzerland in September 2022, extradited to the United States, and sentenced in 2024.

The content links LUNAR SPIDER to malvertising, SEO poisoning, fake CAPTCHA/ClickFix delivery, and JavaScript-based infection chains. In an October 2024 campaign targeting the financial sector, the group used the heavily obfuscated Latrodectus JavaScript loader to deliver Brute Ratel C4. Victims searching for tax-related content were redirected to malicious JavaScript that downloaded an MSI installer, executed a malicious DLL via rundll32.exe, established persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and communicated with attacker-controlled C2 domains. Separate reporting also states LUNAR SPIDER used Telegram on a FakeCaptcha panel to monitor victim clicks and send browser and visitor information through Telegram's /sendMessage API.

The provided content describes LUNAR SPIDER as an initial access broker within the cybercrime ecosystem. Reporting cited here assesses with high confidence that the group resumed operations after Operation Endgame disrupted IcedID infrastructure in May 2024, and that it has significant ties to ransomware operators. The content specifically mentions likely provision of initial access to WIZARD SPIDER, connections to ALPHV/BlackCat affiliates through shared infrastructure, and affiliations with Nemty (TRAVELING SPIDER) and TA2101 (TWISTED SPIDER).
The reporting also notes that IcedID was made available to outside threat groups for ransomware campaigns and that Nemty and TA2101 leveraged IcedID for initial access. Infrastructure overlap is a recurring theme in the provided reporting. LUNAR SPIDER activity is described as using shared hosting and providers across IcedID and Latrodectus operations, including SHOCK-1 (ASN 395092), overlapping C2 infrastructure, and recurring SSL certificate issuer patterns such as "AU," "Some-State," and "Internet Widgits Pty Ltd." The content also states that analysts uncovered more than 200 malicious infrastructure elements associated with IcedID and Latrodectus and attributed them to LUNAR SPIDER.
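As an added illustration (not code from the original reporting), the following Python sketch correlates the delivery chain described above over constructed, Sysmon-style events: rundll32.exe running a DLL from a user-writable path, followed within a short window by an HKCU Run write and outbound traffic from rundll32. The event field names, file paths, hostnames and the placeholder C2 host are assumptions.

```python
# Added example, not from the original report: correlate the Latrodectus
# delivery chain described above (rundll32.exe running a DLL from a
# user-writable path, HKCU Run persistence, outbound C2 traffic) over
# constructed Sysmon-style events. Field names, paths and hosts are assumed.
from datetime import datetime, timedelta

# Constructed sample telemetry; the C2 host is a placeholder, not a real IoC.
EVENTS = [
    {"ts": "2024-10-15T09:01:00", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\loader.dll,run"},
    {"ts": "2024-10-15T09:01:03", "host": "WS01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": "2024-10-15T09:01:10", "host": "WS01", "type": "network",
     "image": r"C:\Windows\System32\rundll32.exe", "dst": "c2.example.invalid:443"},
    # Benign rundll32 use on another host: must not alert.
    {"ts": "2024-10-15T11:00:00", "host": "WS02", "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def is_rundll32(e):
    return e.get("image", "").lower().endswith("rundll32.exe")

def correlate(events, window=timedelta(minutes=10)):
    """Return one hit per host where rundll32 launched a DLL from a user-writable
    path and, within `window`, an HKCU Run value was written and rundll32
    made an outbound connection."""
    hits, by_host = [], {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for i, e in enumerate(evs):
            if e["type"] != "process" or not is_rundll32(e):
                continue
            if not any(p in e["cmdline"].lower() for p in USER_WRITABLE):
                continue  # system DLLs loaded by rundll32 are routine
            later = [x for x in evs[i + 1:] if _ts(x) - _ts(e) <= window]
            persist = any(x["type"] == "registry" and x["key"].lower().startswith(RUN_KEY) for x in later)
            beacon = any(x["type"] == "network" and is_rundll32(x) for x in later)
            if persist and beacon:
                hits.append({"host": host, "start": e["ts"], "cmdline": e["cmdline"]})
    return hits
```

Tuning the window and the user-writable path list to the environment is the main source of false positives and negatives; the three-stage requirement is what keeps routine rundll32 use (second host above) from alerting.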
Targeting
Who they target
Sectors the actor has been observed targeting.
- Banks
- Financial Services
- Insurance
Tradecraft
15 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
7 malware families attributed to this actor across reporting.
Observables
14 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
- Lunar Spider is known for using Telegram as a channel for monitoring victim interactions with their FakeCaptcha panel, specifically in campaigns delivering the Latrodectus malware.
- Lunar Spider is a Russian-speaking cybercriminal group behind IcedID and Latrodectus malware, using phishing and advanced delivery techniques for malware distribution and long-term intrusions.
- Intrusion activity attributed or linked to Lunar Spider using a JavaScript lure (tax form) to deliver Brute Ratel, followed by multi-malware deployment, credential theft, lateral movement, and data exfiltration over an extended dwell time.
- Cybercrime group associated with the development and deployment of IcedID and Latrodectus; uses web-based social engineering (fake CAPTCHA) to drive malware infections.