EXECUTIVE SUMMARY:
Lunar Spider has expanded a web-based infection chain that compromises vulnerable websites to deliver a multi-stage loader aimed at gaining persistent access to victim networks. The campaign uses an on-site FakeCaptcha overlay to trick visitors and harvest interaction data while ultimately delivering a Windows installer that stages a malicious loader known as Latrodectus V2.
The compromise begins with exploitation of improperly configured Cross-Origin Resource Sharing (CORS) on third-party sites, allowing the actor to insert a malicious JavaScript snippet. That script builds a registry object and verifies loader availability via HEAD requests with an image fallback; it then creates a fullscreen iframe that loads a FakeCaptcha page and can relay clipboard or copy actions back to the page. The FakeCaptcha invokes a PowerShell command to fetch an MSI. The MSI contains a legitimate Intel executable that is registered in a Run key and is used to sideload a malicious DLL via DLL search-order hijacking. Once executed, Latrodectus connects to a command-and-control server and runs enumeration and post-compromise actions according to its build configuration. The injected framework also captures user interaction and forwards those telemetry events to a Telegram channel used by the actor for monitoring.
This campaign blends web compromise, client-side social engineering, and a simple but effective DLL sideloading persistence technique; defenders should therefore prioritize web-app hardening, monitor for unexpected script tags or iframe injections on public sites, and instrument endpoint telemetry to alert on new Run-key registrations, unusual MSI installations, and DLL sideloading behaviors. Block or monitor the known malicious delivery domains and the actor's telemetry channel, deploy integrity checking for web content, and perform targeted hunts using the indicators provided to rapidly detect and contain any related intrusions.
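One form the recommended web-content integrity check can take, as an added example that is not part of the original report: it parses a page and flags script tags whose host is outside a first-party allowlist and iframes styled as fullscreen overlays, the two injection shapes described above. The HTML sample, hostnames and allowlist are constructed placeholders, not indicators from the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: one expected first-party script, one injected third-party
# script and a fullscreen overlay iframe. All hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<script src="https://www.example-site.test/static/app.js"></script>
<script src="https://cdn.attacker-placeholder.test/reg.js"></script>
</head><body>
<iframe src="https://captcha-placeholder.test/verify"
 style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:99999"></iframe>
</body></html>"""

# Style fragments that together indicate a viewport-covering overlay.
FULLSCREEN_HINTS = ("position:fixed", "width:100%", "height:100%")


class TagCollector(HTMLParser):
    """Collect the attribute sets of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.scripts.append(attrs)
        elif tag == "iframe":
            self.iframes.append(attrs)


def audit_page(html, allowed_script_hosts):
    """Return (finding_type, host) tuples for content outside the expected baseline."""
    parser = TagCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        src = script.get("src")
        if src is None:
            findings.append(("inline-script", None))  # not in baseline; review manually
            continue
        host = urlsplit(src).hostname or ""
        if host not in allowed_script_hosts:
            findings.append(("unexpected-script-host", host))
    for frame in parser.iframes:
        host = urlsplit(frame.get("src") or "").hostname
        style = (frame.get("style") or "").replace(" ", "").lower()
        kind = "fullscreen-iframe" if all(h in style for h in FULLSCREEN_HINTS) else "iframe"
        findings.append((kind, host))
    return findings
```

Run it against a cached known-good copy of each public page on a schedule and alert on any finding that is not already in the baseline.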
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1584.006 | Compromise Infrastructure | Web Services |
| Initial Access | T1189 | Drive-by Compromise | — |
| Execution | T1204.004 | User Execution | Malicious Copy and Paste |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Execution | T1047 | Windows Management Instrumentation | — |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1553.002 | Subvert Trust Controls | Code Signing |
| Discovery | T1482 | Domain Trust Discovery | — |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1135 | Network Share Discovery | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1008 | Fallback Channels | — |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
REFERENCES:
The following reports contain further technical details: