Latrodectus Malware Infected Over 44,000 IPs Before Operation Endgame Takedown

Latrodectus malware infected over 44,000 IP addresses before Operation Endgame's global takedown, with Shadowserver warning of critical ongoing threats across infected systems.
Latrodectus Malware Infected Over 44,000 IPs Before Operation Endgame Takedown
Table of Contents
    Add a header to begin generating the table of contents

    A recent report has revealed that over 44,000 IP addresses were infected with the Latrodectus malware, a powerful downloader used by threat actors to launch ransomware and banking trojans. The discovery came just ahead of Operation Endgame, a coordinated global law enforcement action targeting major malware delivery infrastructures.

    What Is Latrodectus and Why Is It Dangerous?

    Latrodectus is a Windows-based malware downloader active since at least 2023. It’s used by cybercriminals to install a range of secondary payloads on infected machines. These payloads often include:

    • IcedID, a modular banking trojan designed to steal financial data
    • QakBot, another banking trojan with botnet capabilities
    • Pikabot, a backdoor used for initial system access
    • Other ransomware loaders and infostealers

    Latrodectus is typically delivered via malicious email campaigns. Once inside a system, it communicates with command-and-control (C2) servers, sharing system information and awaiting further instructions. Proofpoint researchers highlight its sandbox evasion techniques, which make it difficult for traditional testing environments to detect.

    “This special report has severity level CRITICAL set on all events.” — Shadowserver Foundation

    Infection Data Collected Between April and May 2025

    The Shadowserver Foundation, a nonprofit cybersecurity group, published a special report documenting infections detected between April 26 and May 20, 2025. According to their analysis:

    • United States: 4,200 infected IPs
    • Germany: 3,500
    • France: 3,200
    • United Kingdom: 2,900
    • Brazil: 2,800
    • Over 2,000 hosts each in Canada, Mexico, Australia, Italy, India, and Spain
    Latrodectus heatmap

    Shadowserver received the data from law enforcement partners involved in Operation Endgame, sharing it with ISPs, network owners, and national CERTs to help remediate infections.

    Operation Endgame Targets Malware Infrastructure Worldwide

    Operation Endgame is a long-term, global law enforcement initiative aimed at dismantling the infrastructure that supports ransomware and other malware campaigns. On May 23, 2025, Europol reported a major milestone:

    • 300 servers seized
    • 650 domains taken down
    • 20 arrest warrants issued
    • Multiple malware strains neutralized, including:
      • Latrodectus
      • Bumblebee
      • QakBot
      • HijackLoader
      • DanaBot
      • Trickbot
      • Warmcookie

    Despite these takedowns, devices previously infected by Latrodectus may still pose a risk. Shadowserver warns that many of the 44,000+ IPs could still be running malicious modules, some of which may continue to exfiltrate data or await new payloads.

    Key Takeaways for Enterprise Security Teams

    • Latrodectus is still a live threat despite the takedown, with many infected machines potentially uncleaned.
    • Its use as a delivery platform for banking trojans and ransomware makes it a critical risk vector.
    • Operation Endgame’s data is now being used to help enterprises and CERTs isolate and clean up infections.

    Enterprises should verify if any of their systems or IP ranges are listed in Shadowserver’s data and take immediate remediation steps if so.

    Related Posts