Lunar Spider Expands their Web via FakeCaptcha
released on 2025-10-20 @ 11:00:36 AM
Lunar Spider, a Russian cybercriminal group, has expanded its initial access methods by compromising websites with CORS vulnerabilities, particularly in Europe. The group injects these sites with a FakeCaptcha framework that includes victim-monitoring capabilities. The infection chain begins with an MSI downloader containing a legitimate Intel executable and a malicious DLL, Latrodectus. The MSI registers the Intel EXE in the Run registry key; when the EXE runs, it loads the Latrodectus DLL through DLL search order hijacking (sideloading). Latrodectus V2 then communicates with its command-and-control server and executes further enumeration commands. The blog provides a detailed analysis of the attack chain, including the FakeCaptcha framework, the MSI loader and the Latrodectus configuration, along with detection opportunities and indicators of compromise.
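The persistence step described above (a Run-key entry pointing at a legitimate EXE that sideloads a DLL from its own directory) gives defenders a concrete autorun check. The following Python is an added example written for this page, not code from the blog; the Run-key values, directory listings and trusted-root list are constructed, and the heuristic flags an autorun EXE outside Windows/Program Files that has DLLs sitting beside it.

```python
import ntpath

# Constructed Run-key values (value name -> command line); "IntelUpdate" mimics
# the persistence described above: a legitimate-looking EXE in a user-writable
# folder beside the DLL it sideloads. Names and paths are made up, not IoCs.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "IntelUpdate": r'"C:\Users\alice\AppData\Roaming\Intel\vendor_tool.exe"',
    "Updater": r"C:\ProgramData\Tools\helper.exe -q",
}
# Constructed directory listings standing in for the live filesystem.
SAMPLE_DIRS = {
    r"C:\Program Files\Microsoft OneDrive": ["OneDrive.exe", "OneDrive.dll"],
    r"C:\Users\alice\AppData\Roaming\Intel": ["vendor_tool.exe", "loader.dll"],
    r"C:\ProgramData\Tools": ["helper.exe"],
}
# Roots where an EXE shipping its own DLLs is normal; everything else is user-writable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def command_path(value):
    """Return the executable path from a Run-key command line, quoted or not."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value.split(" ", 1)[0]  # unquoted: the path ends at the first space


def assess_run_entry(value, dirs=SAMPLE_DIRS):
    """Suspicious = EXE outside a trusted root AND a DLL in the same directory,
    which is exactly the layout a search-order sideload needs."""
    path = command_path(value)
    outside_trusted = not path.lower().startswith(TRUSTED_ROOTS)
    dlls = [f for f in dirs.get(ntpath.dirname(path), []) if f.lower().endswith(".dll")]
    return {"path": path, "outside_trusted": outside_trusted, "dlls": dlls,
            "suspicious": outside_trusted and bool(dlls)}


def flag_suspicious(run_values=SAMPLE_RUN_VALUES, dirs=SAMPLE_DIRS):
    """Map each suspicious value name to its assessment."""
    findings = {n: assess_run_entry(v, dirs) for n, v in run_values.items()}
    return {n: f for n, f in findings.items() if f["suspicious"]}


if __name__ == "__main__":
    for n, f in flag_suspicious().items():
        print(f"{n}: {f['path']} (DLLs alongside: {', '.join(f['dlls'])})")
```

On a live Windows host the same value names and command lines come from the HKCU and HKLM Run keys (for example via `winreg.EnumValue`), and the directory listing from `os.listdir` on each target's folder.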