Unidentified 111
Latrodectus, also known as Unidentified 111 and BlackWidow, was first documented by Elastic Security Labs in 2024 as a successor or evolution of IcedID. In the provided reporting, an IcedID Stage-1 MSI dropper led to retrieval of a Latrodectus Stage-2 payload. The activity used infrastructure on 45.61.136.30 hosting daily-rotating pseudo-random .top domains observed from December 2025 through March 2026, behavior assessed as consistent with documented Latrodectus DGA patterns. The campaign was described as an active ransomware-precursor threat. The reporting also assessed the likely operator model as malware-as-a-service and attributed the activity with medium-high confidence to TA577- or TA551-aligned operations based on delivery and infrastructure patterns. Related delivery tradecraft in the same activity included KongTuke traffic distribution, and the broader intrusion chain involved IcedID malware using signed MSI installers, WiX custom actions, rundll32 execution, HTTP beaconing, and staged payload retrieval. Historical IcedID-linked activity referenced in the reporting has preceded Conti, REvil, and Quantum ransomware deployments.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Recent activity
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.