A global cybersecurity sweep has revealed widespread infections of Latrodectus malware, prompting remediation efforts.
More than 44,000 IP addresses were infected with Latrodectus, a sophisticated malware downloader used to deploy banking trojans and backdoors. The infections were discovered just before law enforcement agencies launched Operation Endgame, a coordinated global takedown that targeted the infrastructure behind major malware strains.
Latrodectus, first observed in 2023, is typically distributed through malicious emails and acts as a delivery mechanism for other malware, including IcedID, QakBot, and Pikabot. According to new data released by The Shadowserver Foundation, the infections spanned dozens of countries, with the highest concentration found in the United States, Germany, France, the United Kingdom, and Brazil.
Shadowserver tracked the infections between April 26 and May 20, 2025. Infections were confirmed in more than a dozen countries, with the following top counts:
Countries like Canada, Mexico, Australia, and India each had over 2,000 infected hosts. The report, labeled “critical,” was shared with national computer emergency response teams (CERTs), internet service providers, and network owners to support widespread remediation efforts.
Latrodectus is capable of evading sandbox detection and communicates with its command-and-control (C2) infrastructure using encrypted and encoded HTTP POST requests. This makes it particularly difficult to detect and remove through standard security testing.
The Shadowserver Foundation noted that the data behind the infections was provided by law enforcement partners involved in Operation Endgame. Their goal was to quickly distribute threat intelligence and accelerate global cleanup. Europol has confirmed that Latrodectus was among the malware families targeted during the operation, alongside Bumblebee, Trickbot, DanaBot, and others.
According to Proofpoint, Latrodectus sends system information to its operators and can receive new commands remotely, allowing attackers to maintain control or pivot to more damaging payloads.
The broad detection of Latrodectus demonstrates the ongoing reliance on malware delivery frameworks in cybercrime. These systems enable attackers to launch various threats from a single platform and operate across international boundaries. Operation Endgame has disrupted part of this infrastructure, but devices that remain infected still pose a risk. Ongoing coordination between law enforcement, internet service providers, and cybersecurity teams will be necessary to eliminate active infections and reduce the chance of resurgence.
Latrodectus is most commonly distributed via phishing emails containing malicious links or attachments. Once opened, the malware downloads and executes additional payloads on the target system.
Contact your internet service provider or network administrator. They can help verify the infection and guide you through cleanup steps such as isolating the device and running specialized removal tools.
Sandbox evasion allows malware to avoid detection in controlled environments used by security researchers and antivirus tools, making it more likely to go unnoticed in live systems.
Once Latrodectus infects a device, it communicates with C2 servers to report system details and receive further instructions or payloads, enabling attackers to update or escalate the attack.
Operation Endgame is an ongoing global law enforcement initiative aimed at dismantling malware infrastructure used to launch ransomware and other attacks. It includes takedowns of servers, domains, and arrests of threat actors.