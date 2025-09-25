The newly emergent YiBackdoor malware has been found to share source code significantly similar to that of the Latrodectus and IcedID payloads, according to The Hacker News.

YiBackdoor uses the same code injection technique, the same configuration decryption key, and the same configuration blob and plugin decryption routines as Latrodectus and IcedID. It supports collection of system metadata, screenshot capture, execution of shell commands through cmd.exe and PowerShell, and execution of plugins, and it checks for virtualized and sandboxed environments to evade analysis, findings from Zscaler researchers showed.

"YiBackdoor by default has somewhat limited functionality; however, threat actors can deploy additional plugins that expand the malware's capabilities. Given the limited deployment to date, it is likely that threat actors are still developing or testing YiBackdoor," said Zscaler.

A separate Zscaler report revealed two updated ZLoader versions with improvements to code obfuscation, anti-analysis checks, and network communications. Unlike older iterations, the newly discovered ZLoader payloads incorporate LDAP-based network discovery commands and an improved DNS-based network protocol, researchers said.